Azure Network Security Groups

Question

Azure Network Security Groups

Jérôme 21

Hello

I created a vNet (vNet-Proj) with 3 Subnet (Sub1, Sub2 and SIub3) to store servers by customer projet. For each subnet, I defined a static route with the default route (0.0.0.0/0) is our private load-balancer (and behind the LB, we have firewalls).

I'm able to launch a rdp session from Server1 hosted in vNet Sub1 to Server1 hosted in vNet Sub2. On my FW, there is no traffic beteween these servers. Is-it normal ? And how I can easyly create an NSG (and attach it on eahc subnet) to block traffic from the other subnets hosted on the vNet ?

BR

Andre E. de Andrade Rodrigues 1 Reputation point Microsoft Employee

2023-05-04T20:04:28.2833333+00:00

Hi Jérôme,

Yes, it is normal. The route you've created is replacing the default route to the Internet, but not between subnets. That's why the FW has no traffic.

About the NSG rule to block traffic between subnets, you need to create a rule with source and destination containing the IP ranges or Application Security Groups as needed. The action must be "Deny". When you assign the priority, remember that once an action is taken, the NSG won't execute the next rule.
Hope this helps.
KapilAnanth 49,876 Reputation points Moderator

2023-05-08T07:12:52.84+00:00

@Jérôme

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil
KapilAnanth 49,876 Reputation points Moderator

2023-05-09T05:03:03.48+00:00

@Jérôme

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Here is how

2 answers

Your answer

Andre E. de Andrade Rodrigues 1 Reputation point Microsoft Employee

2023-05-04T20:04:28.2833333+00:00

Hi Jérôme,

Yes, it is normal. The route you've created is replacing the default route to the Internet, but not between subnets. That's why the FW has no traffic.

About the NSG rule to block traffic between subnets, you need to create a rule with source and destination containing the IP ranges or Application Security Groups as needed. The action must be "Deny". When you assign the priority, remember that once an action is taken, the NSG won't execute the next rule.
Hope this helps.
KapilAnanth 49,876 Reputation points Moderator

2023-05-08T07:12:52.84+00:00

@Jérôme

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil
KapilAnanth 49,876 Reputation points Moderator

2023-05-09T05:03:03.48+00:00

@Jérôme

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Here is how

Answer 1

A good practice is to create 1 NSG per subnet. Then use application security groups (ASGs) to logically define/group VMs. In each NSG create the rules that should define what traffic is allowed.

Be aware that a default low priority rule allows traffic from "Virtual Network": that is the virtual network AND all other "connected" (routed) networks. That means that the default DenyAll rule won't block traffic between the subnets. The only way to get what you want is to define your own low priority Deny rule. I typically have a Deny from * on * to * rule on 4000 in every NSG, and then define all desired flows into/inside the subnet in the NSG rules.

If you look at effective routes in an Azre NIC resource, you'll see why your 0.0.0.0/0 route didn't apply. A more "accurate" (bitmap) route to the prefix of your VNet applied. Remember that in a s/w-defined network, traffic routes from A-B directly by default. The next hop was your destination VM. Of course, you could force the traffic to the prefix of another subnet via the firewall - if you really wanted to. That will require a more accurate UDR in addition to your 0.0.0.0/0 route.

Answer 2

@Jérôme

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know more details about routing in Azure VNet.

Wrt Routing,

This is an expected behavior
Azure selects a route based on the destination IP address, using the longest prefix match algorithm.
If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:

User-defined route
BGP route
System route

In your case, the subnet's address range has a longest prefix match as compared to 0.0.0.0/0 - hence the default route kicks in and traffic is directly forwarded.

Refer How Azure selects a route

Should you require subnet to subnet traffic pass via the Firewall, you must define the subnet's address range in the route tables.
Doing so, both system route and User-defined route (route table) will have the same longest prefix and by priority, User-defined route to Firewall comes into picture

Wrt NSGs,

For management purposes, you can consider using Application Security Groups.
With this, you may group virtual machines without manual maintenance of explicit IP addresses
The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic
Refer
- What are ASGs
- How to article

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Azure Network Security Groups

2 answers

Your answer