NSG with Azure bastion

Jitendra Kumar 40 Reputation points
2023-04-04T07:41:25.6633333+00:00

Hi, I am trying to whitelist my laptop IP to block certain users from accessing the server through Bastion. Will it work, and do we need to assign an NSG at the Bastion level? If I deny IP at rule 100 as (0.0.0.0/0), it blocks all users from logging in, but if I allow my IP as rule 101, it still does not allow me to log in. Please suggest.


Accepted answer
    GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2023-04-04T12:37:50.1566667+00:00

    Hello @Jitendra Kumar ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to whitelist your laptop IP to block certain users from accessing the server through Bastion. When you deny IP at rule 100 as (0.0.0.0/0), it blocks all users from logging in, and when you allow your IP as rule 101, it still does not allow you to log in.

    As mentioned in the below doc, the NSG rule priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities aren't processed.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules

    Meaning any rule with priority 100 will take precedence over a rule with a priority of any higher number than 100 and so on.

    Example: If you want to allow access from a single IP and block all other IPs to access a resource, then you should add the rules as below:

    • Add any required rules which are mandatory for the resources to work, such as the AzureLoadBalancer tag, etc., with a higher priority before adding a deny-all rule.
    • Add a rule with the specific IP to be allowed next with a priority of 101.
    • Add the last rule with all other IPs (i.e., 0.0.0.0/0) to be denied with a priority of 102.

    You can use NSGs on Azure Bastion subnet to allow/deny the network traffic between the user and Azure Bastion.

    Refer: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg

    NOTE: If you choose to use an NSG with your Azure Bastion resource, you must create all of the listed ingress and egress traffic rules. Omitting any of the listed rules in your NSG will block your Azure Bastion resource from receiving necessary updates in the future and therefore open up your resource to future security vulnerabilities.

    So, if you are adding NSG to your Bastion subnet, then the list of inbound rules will be as below:

    • Priority 100 or any other lower number: Ingress traffic from the public internet or your specific laptop IP.
    • Priority 101 or any other higher number than the first rule priority: Ingress traffic from the Azure Bastion control plane. Enable port 443 inbound from the GatewayManager service tag.
    • Priority 102 or any other higher number than the second rule priority: Ingress traffic from the Azure Bastion data plane. Enable ports 8080, 5701 inbound from the VirtualNetwork service tag to the VirtualNetwork service tag.
    • Priority 103 or any other higher number than the third rule priority: Ingress traffic from Azure Load Balancer. Enable port 443 inbound from the AzureLoadBalancer service tag.
    • Priority 104 or any other higher number than the fourth rule priority: Deny all other traffic (0.0.0.0/0).

    You also need to add the listed outbound/egress rules to the NSG as mentioned in the above document.

    This way only the allowed IP will be able to make a connection to Bastion, and all other IPs will be denied.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
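The first-match-wins evaluation that the accepted answer relies on, shown as an added example (it is not part of the original thread, nor Microsoft's own tooling): a small Python model of inbound NSG rule processing. It replays both orderings from the thread, the questioner's deny-all at 100 followed by allow-laptop at 101, and the answer's allow-first ordering for an NSG on the AzureBastionSubnet, and also shows why the AzureLoadBalancer rule has to sit above the deny-all. Assumptions: the laptop address 203.0.113.10 and the second client 198.51.100.7 are constructed documentation addresses, the rule names are my own, service tags are matched symbolically by name, and the destination side of the rules (e.g. the VirtualNetwork destination on the 8080/5701 rule) is not modelled. The three default inbound rules (65000, 65001, 65500) are Azure's documented defaults.

```python
"""Model of Azure NSG inbound rule evaluation: ascending priority, first match wins.

Added example for the Q&A thread above; not Azure code and not a substitute
for the rule list in https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg.
"""
from dataclasses import dataclass
import ipaddress

# Service tags are matched symbolically: a flow whose source is the tag name
# matches a rule whose source is that tag (assumption of this model).
SERVICE_TAGS = {"GatewayManager", "VirtualNetwork", "AzureLoadBalancer"}
ANY_SOURCE = {"*", "Any", "0.0.0.0/0"}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str          # IP, CIDR, service tag, or "*" / "0.0.0.0/0"
    ports: frozenset     # destination ports; empty frozenset() means any port
    action: str          # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    source: str          # client IP address, or a service tag name
    port: int


# Azure's default inbound rules; they only apply if no custom rule matched first.
DEFAULT_INBOUND = (
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", frozenset(), "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", frozenset(), "Allow"),
    Rule(65500, "DenyAllInBound", "*", frozenset(), "Deny"),
)


def source_matches(rule_source: str, flow_source: str) -> bool:
    """True if the rule's source covers the flow's source."""
    if rule_source in ANY_SOURCE:
        return True
    if rule_source in SERVICE_TAGS or flow_source in SERVICE_TAGS:
        return rule_source == flow_source          # tags only match themselves
    # Both sides are real addresses: CIDR containment (a bare IP acts as /32).
    return ipaddress.ip_address(flow_source) in ipaddress.ip_network(rule_source, strict=False)


def validate(rules) -> None:
    """Enforce the constraints the answer quotes: priority 100-4096, unique per NSG."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: custom rule priority must be between 100 and 4096")
        if r.priority in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        if r.action not in ("Allow", "Deny"):
            raise ValueError(f"{r.name}: action must be Allow or Deny")
        seen.add(r.priority)


def evaluate(custom_rules, flow: Flow):
    """Return (action, rule_name) of the first matching rule in priority order."""
    validate(custom_rules)
    for rule in sorted(tuple(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, flow.source) and (not rule.ports or flow.port in rule.ports):
            return rule.action, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


LAPTOP_IP = "203.0.113.10"        # constructed sample client (TEST-NET-3)
OTHER_CLIENT = "198.51.100.7"     # constructed sample client (TEST-NET-2)

# Ordering from the question: the deny-all at 100 shadows the allow at 101.
QUESTION_RULES = [
    Rule(100, "DenyAll", "0.0.0.0/0", frozenset(), "Deny"),
    Rule(101, "AllowLaptop", LAPTOP_IP, frozenset({443}), "Allow"),
]

# Ordering from the accepted answer for an NSG on the AzureBastionSubnet.
ANSWER_RULES = [
    Rule(100, "AllowLaptopHttpsInbound", LAPTOP_IP, frozenset({443}), "Allow"),
    Rule(101, "AllowGatewayManagerInbound", "GatewayManager", frozenset({443}), "Allow"),
    Rule(102, "AllowBastionHostCommunication", "VirtualNetwork", frozenset({8080, 5701}), "Allow"),
    Rule(103, "AllowLoadBalancerInbound", "AzureLoadBalancer", frozenset({443}), "Allow"),
    Rule(104, "DenyAllInbound", "0.0.0.0/0", frozenset(), "Deny"),
]


if __name__ == "__main__":
    checks = [
        ("question ordering, laptop", QUESTION_RULES, Flow(LAPTOP_IP, 443)),
        ("answer ordering, laptop", ANSWER_RULES, Flow(LAPTOP_IP, 443)),
        ("answer ordering, other client", ANSWER_RULES, Flow(OTHER_CLIENT, 443)),
        ("answer ordering, control plane", ANSWER_RULES, Flow("GatewayManager", 443)),
        ("answer ordering, load balancer", ANSWER_RULES, Flow("AzureLoadBalancer", 443)),
        # Drop rule 103: the deny-all at 104 now blocks the load balancer probe
        # before the 65001 default can allow it, which is the trap the answer warns about.
        ("LB rule omitted", [r for r in ANSWER_RULES if r.priority != 103], Flow("AzureLoadBalancer", 443)),
    ]
    for label, rules, flow in checks:
        print(f"{label:32s} -> {evaluate(rules, flow)}")
```

Run it and the first line shows the questioner's symptom: the laptop flow is decided by `DenyAll` at priority 100 and the allow at 101 is never consulted. The last line shows why the answer insists on adding the mandatory service-tag rules above the deny-all: a custom deny at 104 is processed long before the 65001 default that would otherwise admit the load balancer.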

