Adding multiple IP addresses to an NSG rule

Ram 25

Hi, I can add multiple IP addresses to an NSG rule, but only the first two IP addresses work. For example, if I allow three IPs to be able to RDP into a server, I can RDP from the first two sources but not the third. I am not sure where I am going wrong. Any ideas?

Andrew Schull 86 Reputation points Microsoft Employee

2023-01-20T00:17:40.7833333+00:00

Welcome to the Microsoft Q&A Platform.

Thank you for reaching out & I hope you are doing well.

From my understanding you are having an issue RDP into a server from one source even though it was included in your NSG rule.

Could you please share the rule you created and confirm the source/destination are correct?

You can also set up NSG flow logs to see if the NSG is blocking/receiving the traffic.

Introduction to flow logging for network security groups

The NSG flow logging will help isolate if the issue is at NSG or if the traffic is being dropped before it reaches.

Let me know if this helps and if you have any further questions!
Ram 25 Reputation points

2023-01-20T01:23:41.5233333+00:00

Thanks for your help. Here's the NSG rule, and I can confirm the source and destination are correct.
Andrew Schull 86 Reputation points Microsoft Employee

2023-01-20T01:57:21.2433333+00:00
Thank for you for the information. I'm not seeing an issue with the configuration of the rule.

Could you ensure there are no NSG rules with a deny for the IP being blocked with a higher priority than this rule?

If you are unable to set up NSG flow logs we can also utilize Network Watcher for a quick connectivity test.

Quickstart: Diagnose a virtual machine network traffic filter problem using the Azure portal

Another place we can check is the effective routes of the Azure VM. The following article goes into great detail in troubleshooting possible routing issues with VM's.

Diagnose a virtual machine routing problem

I'll work on reproducing this in my lab. Let me know if you have any other questions.
Ram 25 Reputation points

2023-01-20T02:28:37.3433333+00:00

Thanks for the useful resources. When I used the "Network Watcher" for the first two IP addresses, it showed the right rule, "AllowRDP", but for the third IP address, it referred to the rule "DenyAllInbound." Priority for the AllowRDP is 1035, and DenyAllInbound is 65500.
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-01-20T04:33:13.3366667+00:00
@Ram

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well..

I understand that you are facing issues with NSG Rules and not able to RDP to Azure VM.

I see you and @Anonymous had a discussion about this and Andrew has suggested to use Network Watcher to check the rules.

I also see you have used the IP Flow verify feature of the Network Watcher.

Instead of that, can you use NSG Diagnostics feature of Network Watcher and share the output?

I take it that the NSG you are refering is associated with the subnet of the VM

I am suspecting this is because there could be an NSG associated to the VM's NIC and that is blocking the connection.

Using NSG Diagnostics should give us detailed information.

Cheers,

Kapil
Ram 25 Reputation points

2023-01-20T08:35:07.5433333+00:00

@KapilAnanth-MSFT Thanks for your help. The NSG diagnostics helped me fix the issue, but it showed me two NSGs out of which one belonged to a decommissioned server. I had to include the IP address that wasn't working in the other NSG rule as well to make it work. I wonder why would the other NSG blocked the incoming connection. The only reason I could think is that it belongs to the same resource group.
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-01-20T08:44:47.29+00:00

@Ram

I am glad the set up is working now.

I have summarized our discussion and posted an answer addressing your follow up queries.

If this answers your query, I would highly appreciate if you could click "Accept the answer" and Up-Vote for the same.

Cheers,

Kapil
sdon 20 Reputation points

2023-08-22T22:10:28.26+00:00

What is the limit for the number if IP addresses that can be set as destination IP per NSG rule ?
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-08-24T04:36:47.73+00:00

sdon

Please refer : Networking limits - Azure Resource Manager

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-01-20T08:42:44.8433333+00:00
@Ram

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are facing issues with NSG Rules and not able to RDP to Azure VM.

I see you and @Andrew Schull had a discussion about this and Andrew has suggested to use Network Watcher to check the rules.

I also see you have used the IP Flow verify feature of the Network Watcher.

I suggested you use NSG Diagnostics feature of Network Watcher

The reason is that I am suspecting there could be two NSGs, one being associated to the VM's NIC and that is blocking the connection.

You were able to confirm that this was indeed the case and we have 2 NSGs in picture.

It appears the second NSG, is supposed to belong to a server that was decommissioned.

From your screenshot, I can see that the second NSG is associated with the subnet "default". I suppose this subnet is where the target VM resides.

That's why, this is blocking the connection to the VM.

If you believe that this is supposed to be a decommissioned resource, you can go ahead and delete this NSG.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

2 people found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Adding multiple IP addresses to an NSG rule

0 additional answers

Your answer