Share via

Azure Firewall vs NSG rules

Tom Wrigglesworth 91 Reputation points
2023-08-19T22:06:53.6433333+00:00

Hi all,

I'm studying for the AZ-700 at present and making progress but came up with a query.

If I have a rule in the NSG to block RDP connections and a rule in Azure Firewall to allow RDP - which takes priority?

Kind regards

Tom

Azure Firewall
Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.

0 comments

Answer accepted by question author

  1. Vahid Ghafarpour 23,600 Reputation points
    2023-08-20T00:51:20.0133333+00:00

    If the traffic originates from an external source (from the internet) and is destined for a virtual machine (VM) inside an Azure Virtual Network, the Azure Firewall rules will be evaluated first. If you have a rule in Azure Firewall to allow RDP, that rule will be applied and the RDP traffic will be allowed.

    If the traffic is already inside the Azure Virtual Network (e.g., between VMs in the same subnet), the NSG rules will be evaluated first. If you have a rule in the NSG to block RDP, that rule will be applied and the RDP traffic will be blocked.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. TP 155.8K Reputation points Volunteer Moderator
    2023-08-21T17:22:52.5766667+00:00

    Hi Tom,

    Azure Firewall and Network Security Group(s) are two independent things, so in effect they have equal priority if traffic will be flowing through both. They both must allow traffic in order for it to get through, again assuming traffic needs to flow through both to reach the destination.

    In your example, the RDP traffic (if coming via Internet through FW) will be blocked, since you have a rule blocking RDP in the NSG. If you walk through the path the traffic takes you can see how it makes sense.

    Let's assume traffic is coming in from the Internet, via Azure Firewall's public IP. When the inbound connection reaches Azure Firewall, it is allowed, since there is a rule allowing it. Next it reaches the NSG, where there is a rule blocking it, so it stops right there, without reaching the VM.

    On a related note, there could be multiple NSGs along the path the traffic must take, plus you have Windows Firewall with Advanced Security (wf.msc) inside of the VM. So assuming the traffic is coming in via Azure Firewall, it would need to be allowed by Azure Firewall, allowed by NSG on the subnet (if any exists), allowed by NSG on the VM interface (if any exist), and allowed by Windows Firewall inside of the VM.

    Please click Accept Answer if the above was useful.

    Thanks.

    -TP

    5 people found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.