Incorrect information in topic "Determine network security group effective rules"

Carlos Quintero 255 Reputation points
2024-05-03T08:02:49.16+00:00

In the topic "Determine network security group effective rules" (https://learn.microsoft.com/en-us/training/modules/configure-network-security-groups/4-determine-network-security-groups-effective-rules):

  • In the table with inbound/outbound rules, for the row of "VM 4", column "Inbound rules" it states "Azure default rules apply to both subnet and NIC and all inbound traffic is allowed". That doesn't make sense, it would be totally insecure. In fact, the docs (How network security groups filter network traffic: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works) correctly state that "VM4: Traffic is blocked to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. All network traffic is blocked through a subnet and network interface if they don't have a network security group associated to them."
  • The topic refers in several places to "Azure default rules" when there is no network security group in place (e.g., row "VM 2", column "Outbound rules"; row "VM 3", column "Inbound rules"; row "VM 4", columns "Outbound rules" and "Inbound rules"). As I understand it, default rules are rules created by default inside a network security group. The docs don't mention Azure "default rules" outside the context of a network security group; they only mention that in the absence of a network security group "All network traffic is blocked through a subnet and network interface if they don't have a network security group associated to them" and "All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3."
Azure | Azure Training

Accepted answer
  1. AmaranS 7,270 Reputation points Microsoft External Staff
    2024-05-03T10:00:33.2033333+00:00

    Hi Carlos Quintero,

    Thanks for reaching out to us on Microsoft Q&A forum.

    As per Unit 4, in the "Determine network security group effective rules" unit, under the section "Inbound traffic effective rules", the statement "NSG inbound rules for a subnet in a VM take precedence over NSG inbound rules for a NIC in the same VM" is valid and there is no typo.

    While creating a VM, a VNet is required, but a VNet doesn't itself provide any place to create VMs; that is why we use subnets in the VNet to create VMs.

    An NSG is attached to subnets; whatever NSG rules we add to a subnet are applied only to the VMs, not to the VNet.

    Inbound traffic effective rules: Azure processes rules for inbound traffic for all VMs in the configuration. Azure identifies if the VMs are members of an NSG, and if they have an associated subnet or NIC. Azure evaluates each NSG configuration to determine the effective security rules. 

    Network security groups are defined for your virtual machines, which are placed in a subnet that is in turn placed in a virtual network in the Azure portal.

    As per Unit 4, in the "Determine network security group effective rules" unit, under the "VM 4" row, the statement "Azure default rules apply to both subnet and NIC, and all inbound traffic is allowed" is valid as per the scenario given below, attached as a screenshot from the linked page for reference.

    Scenario: If there are no NSGs associated with the network interface or subnet, and you have a public IP address assigned to a VM, all ports are open for inbound access from and outbound access to anywhere.

    https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem

    Also, we can see from the link below that the scenario we explained is applicable to VM4, as given below:

    https://learn.microsoft.com/en-us/training/modules/filter-network-traffic-network-security-group-using-azure-portal/4-create-network-security-group 

    VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet 3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

    If the information is helpful, please accept the answer by clicking the "Accept Answer" on the post. If you are still facing any issue, please let us know in the comments. We are glad to help you.

    Thank you.

    1 person found this answer helpful.
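As an added illustration (this is not code from the thread, from the training module, or from Microsoft), the Python model below evaluates effective rules the way the accepted answer describes them: for inbound traffic the subnet NSG is evaluated before the NIC NSG, for outbound traffic the NIC NSG before the subnet NSG, every NSG carries its default rules (AllowVNetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound and their outbound counterparts), and a scope with no NSG attached filters nothing. The topology, NSG names and custom rules are constructed for the example, service-tag matching is simplified to string comparison, and `exposed_to_internet` is a hypothetical check that flags the VM 4 situation the portal warning in this thread describes (public IP, no NSG at either scope).

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int           # lower number is evaluated first; custom rules use 100-4096
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    source: str = "*"       # service tag ("Internet", "VirtualNetwork", ...) or "*"
    destination: str = "*"  # service tag or "*"
    dest_port: str = "*"    # a single port as a string, or "*"


@dataclass
class Nsg:
    name: str
    rules: list = field(default_factory=list)  # custom rules; default rules are implied


def default_rules(direction: str) -> list:
    """The default rules that exist inside every NSG (priorities 65000-65500)."""
    if direction == "Inbound":
        return [
            Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
            Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer"),
            Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
        ]
    return [
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
    ]


def evaluate_nsg(nsg: Nsg, direction: str, source: str, destination: str, port: int):
    """The first matching rule in priority order decides; a DenyAll* default always matches."""
    rules = [r for r in nsg.rules if r.direction == direction] + default_rules(direction)
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.source in ("*", source) and r.destination in ("*", destination)
                and r.dest_port in ("*", str(port))):
            return r.access == "Allow", r.name
    raise AssertionError("unreachable: the default DenyAll rule always matches")


@dataclass
class Vm:
    name: str
    subnet_nsg: Optional[Nsg]
    nic_nsg: Optional[Nsg]
    has_public_ip: bool = False


def effective(vm: Vm, direction: str, peer: str, port: int):
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet NSG.
    A scope with no NSG attached filters nothing, so traffic simply passes that scope.
    Returns (allowed, trace) where trace lists the decision taken at each scope."""
    if direction == "Inbound":
        order = [("subnet", vm.subnet_nsg), ("nic", vm.nic_nsg)]
        source, destination = peer, "VirtualNetwork"   # NSG sees the VM's private address
    else:
        order = [("nic", vm.nic_nsg), ("subnet", vm.subnet_nsg)]
        source, destination = "VirtualNetwork", peer
    trace = []
    for scope, nsg in order:
        if nsg is None:
            trace.append(f"{scope}: no NSG, traffic passes")
            continue
        allowed, rule = evaluate_nsg(nsg, direction, source, destination, port)
        trace.append(f"{scope}: {nsg.name} matched {rule} -> {'Allow' if allowed else 'Deny'}")
        if not allowed:
            return False, trace   # a deny at the first scope is final; the second is never consulted
    return True, trace


def exposed_to_internet(vm: Vm) -> bool:
    """Hypothetical check for the VM 4 case: public IP and no NSG at either scope."""
    return vm.has_public_ip and vm.subnet_nsg is None and vm.nic_nsg is None


# Constructed sample topology (not the module's own VM table).
NSG_DEFAULT_ONLY = Nsg("nsg-defaults")
NSG_WEB = Nsg("nsg-web", [Rule("AllowHTTP", 100, "Inbound", "Allow", "Internet", "*", "80")])
NSG_BLOCK_RDP = Nsg("nsg-no-rdp", [Rule("DenyRDP", 100, "Inbound", "Deny", "*", "*", "3389")])
NSG_ALLOW_RDP = Nsg("nsg-rdp", [Rule("AllowRDP", 100, "Inbound", "Allow", "Internet", "*", "3389")])

VM1 = Vm("VM1", subnet_nsg=NSG_WEB, nic_nsg=NSG_DEFAULT_ONLY, has_public_ip=True)
VM2 = Vm("VM2", subnet_nsg=NSG_BLOCK_RDP, nic_nsg=NSG_ALLOW_RDP, has_public_ip=True)
VM4 = Vm("VM4", subnet_nsg=None, nic_nsg=None, has_public_ip=True)

if __name__ == "__main__":
    for vm, port in ((VM1, 80), (VM2, 3389), (VM4, 3389)):
        ok, trace = effective(vm, "Inbound", "Internet", port)
        print(vm.name, port, "ALLOW" if ok else "DENY", "| exposed:", exposed_to_internet(vm))
        for line in trace:
            print("   ", line)
```

Running it shows the three cases the thread turns on: VM1's subnet NSG allows port 80 but the NIC NSG, carrying only default rules, still denies it with DenyAllInBound; VM2's NIC NSG allows RDP but the subnet NSG's deny is evaluated first and is final; VM4 has no NSG at either scope, so every port passes and `exposed_to_internet` reports it.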

1 additional answer

  1. Carlos Quintero 255 Reputation points
    2024-05-04T10:29:28.6733333+00:00

    I will accept your answer because there are four places that state that if a VM with a public IP is in a subnet without a network security group and its network interface doesn't have a network security group either, then all ports are open inbound:

    1. Diagnose a virtual machine network traffic filter problem
      https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem
      "If there are no NSGs associated with the network interface or subnet, and you have a public IP address assigned to a VM, all ports are open for inbound access from and outbound access to anywhere. If the VM has a public IP address, we recommend applying an NSG to the subnet the network interface."
    2. How network security groups filter network traffic
      https://learn.microsoft.com/en-us/training/modules/filter-network-traffic-network-security-group-using-azure-portal/4-create-network-security-group
      "VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet 3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them."
    3. Determine network security group effective rules
      https://learn.microsoft.com/en-us/training/modules/configure-network-security-groups/4-determine-network-security-groups-effective-rules "VM 4: Subnet 3: none, NIC: none Azure default rules apply to both subnet and NIC and all inbound traffic is allowed"
    4. The Azure Portal, when you create a VM with NIC network security group: None
      "All ports on this virtual machine may be exposed to the public internet. This is a security risk. Use a network security group to limit public access to specific ports. You can also select a subnet that already has network security groups defined or remove the public IP address."

    But then there is one place, the official documentation, that states the contrary, and it should be corrected:

    1. How network security groups filter network traffic, section "Inbound traffic"
      https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic
      "VM4: Traffic is blocked to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. All network traffic is blocked through a subnet and network interface if they don't have a network security group associated to them."
    3 people found this answer helpful.
