ASG applied to resources when it shouldn't be?

PB 131 Reputation points
2020-09-16T14:29:45.017+00:00

Hi - I am trying to ensure my understanding on how ASGs work from documentation is correct. I have a simple use case:

  • Block all traffic on my VNets and only allow what is explicitly defined in NSGs.
  • To keep things simple as we're building out, I would like to have a Global NSG rule that I can apply to all Subnets without breaking it down to many rules since we've a small footprint as of now and are nowhere near the rule limits.

What I have:

  • A P1V2 App Service plan based App that is integrated in to a VNet via Regional VNet integration.
  • An Azure SQL for PostgreSQL that has a private endpoint in another Subnet on the same VNet.

What I am trying to accomplish:

  • I would like to only allow traffic to a specific IP (for a PostgreSQL DB) and nothing else from this App Service.

Step 1 succeeds:

  • When I add a high priority rule to deny all outbound to Service tag "Internet", things work as expected and tcpping to google.com:443 fails on App Service console:


Problem:

  • As soon as I add a higher priority rule to allow VMs in ASG to access internet (I need my C.I./C.D. agent machines to be able to access Internet), the App Service ping to Google now succeeds. I was not expecting that as the ASG clearly is not associated to the App Service (doing that's not even supported today).


What am I missing here?

1 answer

  1. brtrach-MSFT 16,586 Reputation points Microsoft Employee
    2020-09-17T05:47:12.957+00:00

    @PB "If WEBSITE_VNET_ROUTE_ALL is set to 1 and you don't have any routes that affect public address traffic on your integration subnet, all of your outbound traffic is still subject to NSGs assigned to your integration subnet. If WEBSITE_VNET_ROUTE_ALL isn't set, NSGs are only applied to RFC1918 traffic."
    Source: https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#network-security-groups

    Can you please verify that you have set the above app setting? I'm thinking that might be the cause of the behavior you're noticing. If that doesn't work, please reply back and we can continue troubleshooting. Let us know if this helped as well. We look forward to your reply.
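As an added illustration of the rule the answer quotes (this is not code from the question, the answer, or Azure itself): a small Python model of how an integration-subnet NSG should evaluate the question's rule set, with the WEBSITE_VNET_ROUTE_ALL gate placed in front of the rule walk. The IP addresses, the ASG name, the private-endpoint address and the rule priorities are constructed assumptions, and the "Internet" service tag is simplified to "any non-RFC 1918 destination".

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: per the quoted doc, without WEBSITE_VNET_ROUTE_ALL=1 only traffic
# to these destinations is routed through the integration subnet and hits its NSG.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    priority: int   # lower number wins, as in Azure NSGs
    access: str     # "Allow" or "Deny"
    source: str     # "*", a CIDR, or "asg:<name>" for an ASG-scoped source
    dest: str       # "*", a CIDR, or the "Internet" service tag
    port: str = "*"

def _dest_matches(rule_dest, dst):
    if rule_dest == "*":
        return True
    if rule_dest == "Internet":
        return not any(dst in n for n in RFC1918)  # simplification: public = not RFC 1918
    return dst in ipaddress.ip_network(rule_dest)

def _source_matches(rule_src, src_asgs, src):
    if rule_src == "*":
        return True
    if rule_src.startswith("asg:"):
        # App Service integration NICs carry no ASG membership, so this never matches them.
        return rule_src[4:] in src_asgs
    return src in ipaddress.ip_network(rule_src)

def evaluate_outbound(rules, src_ip, src_asgs, dst_ip, port, route_all):
    """Return 'Allow', 'Deny', or 'NotEvaluated' (flow never reached the subnet NSG)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not route_all and not any(dst in n for n in RFC1918):
        return "NotEvaluated"
    for r in sorted(rules, key=lambda r: r.priority):
        if (_source_matches(r.source, src_asgs, src) and _dest_matches(r.dest, dst)
                and r.port in ("*", str(port))):
            return r.access
    return "Allow"  # Azure's default AllowInternetOutBound rule (priority 65001)

# Constructed rule set mirroring the question: allow the CI/CD agents' ASG out to the
# Internet, allow everyone to the PostgreSQL private endpoint, deny all other Internet egress.
QUESTION_RULES = [
    Rule(100, "Allow", "asg:cicd-agents", "Internet"),
    Rule(110, "Allow", "*", "10.0.2.4/32", "5432"),  # constructed private endpoint IP
    Rule(200, "Deny", "*", "Internet"),
]

if __name__ == "__main__":
    for route_all in (True, False):  # App Service (no ASG) reaching a public IP on 443
        print(route_all, evaluate_outbound(QUESTION_RULES, "10.0.1.4", set(), "142.250.80.46", 443, route_all))
```

With ROUTE_ALL on, the model denies the App Service's public egress while still admitting the ASG members and the private-endpoint flow; with it off, the public flow is simply never evaluated, which is the first thing to check when observed behaviour and the NSG disagree.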

