
NSG: Does Allow or Deny take precedence?

Walt Forbes 41 Reputation points
2022-12-20T23:14:14.247+00:00

Points of My Scenario:

  1. I am aiming to block all incoming Internet traffic to a subnet associated with a network security group (NSG).
  2. The NSG's Inbound Rules are configured to allow RDP and ICMP from a specific Internet address: rule numbers are 102 and 110, respectively.
  3. Another inbound rule (number 101) is later configured to deny all Internet traffic across any protocols and all ports.
  4. The ICMP is denied right away (a successful continuous ping changes to all "request timed out" responses).
  5. However, RDP access is still working despite the 'deny' rule having a lower number than the RDP allow rule.

Objective: block all inbound Internet traffic using the deny rule, while keeping the RDP allow rule.
Question: how can I accomplish this objective?

Azure Virtual Machines
Azure Firewall


Answer accepted by question author

  1. srbhatta-MSFT 8,591 Reputation points Microsoft Employee
    2022-12-21T05:11:51.723+00:00

    Hello @Walt Forbes ,
    How long did you have to wait?
    It should ideally not be too long of a wait time.
    Also, regarding the answer to your question, you can allow inbound RDP connections only from a specific IP by creating an rdp-allow rule with a priority number lower than your Deny-All rule, because, as you already know, Deny takes precedence over Allow for the same priority.
    Thank you. Feel free to reach back for any questions.

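The scenario in the question and the accepted answer both hinge on one property of NSGs: rules are evaluated in ascending priority order and the first match decides the outcome, so a Deny at 101 shadows an Allow at 102 regardless of how specific the Allow is. The following is an added Python model of that inbound evaluation, written for this thread rather than taken from it or from Microsoft; the VNet range 10.0.0.0/16, the administrator address 203.0.113.10, the rule names and the reduced set of default rules are all constructed assumptions, and the "Internet" service tag is approximated as "any source outside the VNet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VNet address space (assumption). The "Internet" service tag is
# modelled as "any source outside the VNet", which is what matters here.
VNET = ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # lower number is evaluated first; 100-4096 for custom rules
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, service tag "Internet" / "VirtualNetwork", or "*"
    dest_port: str    # "3389", "1000-2000" or "*" (ICMP carries no port: use "*")


def _protocol_matches(spec: str, protocol: str) -> bool:
    return spec == "*" or spec.lower() == protocol.lower()


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _source_matches(spec: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "Internet":
        return ip not in VNET
    if spec == "VirtualNetwork":
        return ip in VNET
    return ip in ip_network(spec, strict=False)


# Subset of Azure's default inbound rules (constructed list); they always sit
# after custom rules and DenyAllInBound is the final catch-all.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def evaluate_inbound(rules, src_ip: str, protocol: str, port: int = 0):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_protocol_matches(rule.protocol, protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, port)):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound always matches")  # unreachable


ADMIN_IP = "203.0.113.10/32"  # constructed "specific Internet address"

# The configuration as posted: Deny-all at 101 is evaluated before the allows.
AS_POSTED = [
    NsgRule("Deny-Internet", 101, "Deny", "*", "Internet", "*"),
    NsgRule("Allow-RDP", 102, "Allow", "Tcp", ADMIN_IP, "3389"),
    NsgRule("Allow-ICMP", 110, "Allow", "Icmp", ADMIN_IP, "*"),
]

# The accepted answer's fix: the RDP allow gets a lower number than the deny.
AS_FIXED = [
    NsgRule("Allow-RDP", 100, "Allow", "Tcp", ADMIN_IP, "3389"),
    NsgRule("Deny-Internet", 101, "Deny", "*", "Internet", "*"),
]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("as fixed", AS_FIXED)):
        print(label, "RDP from admin IP:", evaluate_inbound(rules, "203.0.113.10", "Tcp", 3389))
        print(label, "RDP from elsewhere:", evaluate_inbound(rules, "198.51.100.7", "Tcp", 3389))
        print(label, "RDP from inside VNet:", evaluate_inbound(rules, "10.0.1.4", "Tcp", 3389))
        print(label, "ICMP from admin IP:", evaluate_inbound(rules, "203.0.113.10", "Icmp"))
```

Run as posted, RDP from the administrator address resolves to the Deny at 101, which is exactly what the asker eventually observed once the rule had propagated; the model does not reproduce the propagation delay or the survival of already-established sessions that the other answers describe, only the steady-state decision. With the fix applied, RDP from that one address is allowed, RDP from any other Internet address is denied, and traffic from inside the VNet still reaches the default AllowVnetInBound rule because the "Internet" deny does not match it.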

2 additional answers

  1. msrini-MSFT 9,311 Reputation points Microsoft Employee
    2022-12-26T06:19:15.53+00:00

    Hi,

    When you apply the blocking, the existing session will still continue to work, and the new rule will take effect for any new session. Also, it might take up to a minute for the new rules to be plumbed into the data path.

    Regards,
    Karthik Srinivas

  2. Walt Forbes 41 Reputation points
    2022-12-21T00:32:09.827+00:00

    After waiting for a while and retrying, the blocking worked.
    Lesson learned: blocking is not immediate!

    You may now ignore the question. Apologies, and thanks for your attention.

