Why the default security rules have 0.0.0.0 instead of VirtualNetwork service tag?

Ravikiran Srini 5 Reputation points
2023-04-06T14:24:29.9466667+00:00

Hi there. There are some default NSG rules that have 0.0.0.0/0 instead of VirtualNetwork as the destination or source for the AllowAzureLoadBalancerInBound and DenyAllInbound rules. I am failing to understand why there is a need for that, if the NSG rules need to apply only to the VNet. Thanks in advance for your time.

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

3 answers

  1. Tchimwa Sougang 946 Reputation points Microsoft Employee
    2023-04-06T14:39:12.22+00:00

    @Ravikiran Srini Thank you for your question, but both of these default rules do not have 0.0.0.0/0 as source or destination. However, a rule is created based on the scope. The service tag is applied based on the customer requirements. Usually 0.0.0.0/0 is used in a UDR for the default route, not in the NSG. 0.0.0.0/0 should never be a representation of the VirtualNetwork service tag.


  2. Ravikiran Srini 5 Reputation points
    2023-04-07T07:04:33.33+00:00

    Thanks @Tchimwa Sougang for the reply. Please refer to this link where 0.0.0.0/0 is given in an NSG in the Microsoft docs: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules I understand the meaning of the VirtualNetwork service tag, but I am not quite clear on the explanation. So, I am restating my question: Why should Microsoft use 0.0.0.0/0 for the Destination (colored below), which represents all addresses, instead of using just the VirtualNetwork service tag? Why can't AllowAzureLoadBalancerInBound and DenyAllInbound use the VirtualNetwork service tag in the destination field, as the destination will only be a virtual network? However, using 0.0.0.0/0 as the source for DenyAllInbound makes sense.


  3. msrini-MSFT 9,291 Reputation points Microsoft Employee
    2023-04-07T12:04:25.3666667+00:00

    Hi, For denyall outbound rules, I believe the reason for adding 0.0.0.0/0 instead of virtual network tag is that we can configure Direct server return on Load balancer where traffic hits your VM with destination IP as lb's public IP. This is one scenario that comes to my mind, but there could be others. So since these are default rules, we add 0.0.0.0/0 deny and you can allow it with higher priority.


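To make the evaluation order concrete, here is an added example (not code from this thread and not Azure's implementation) that models how an NSG processes rules: ascending priority number, first match wins. It loads the three default inbound rules as documented in the overview page linked above, plus a variant with VirtualNetwork in the destination field, and runs both against a packet that arrives at the VM with the load balancer's frontend as its destination address, the Direct Server Return case mentioned in the last answer. The address plan (a 10.0.0.0/16 VNet, VM NIC 10.0.1.4, client 203.0.113.7, LB frontend 20.0.0.10) is constructed for the demo, and the VirtualNetwork tag is modelled as the VNet address space only (the real tag also covers peered VNets and gateway-connected ranges).

```python
"""Toy evaluator for Azure NSG rule ordering (added example, not Azure's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the scenario (assumption, not from the thread).
SERVICE_TAGS = {
    # Modelled as the VNet address space only; the real tag is wider.
    "VirtualNetwork": [ip_network("10.0.0.0/16")],
    # The AzureLoadBalancer tag resolves to the platform health-probe source.
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
}


def selector_matches(selector: str, addr) -> bool:
    """A rule's source/destination is a service tag name or a CIDR/IP."""
    if selector == "*":
        return True
    if selector in SERVICE_TAGS:
        return any(addr in net for net in SERVICE_TAGS[selector])
    return addr in ip_network(selector, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # lower number = evaluated earlier ("higher" priority)
    source: str
    destination: str
    access: str           # "Allow" or "Deny"
    dest_port: str = "*"  # a single port as a string, or "*" for any port


def evaluate(rules, src: str, dst: str, dport: int):
    """First matching rule in ascending priority order decides.
    Returns (access, rule_name), or ("NoMatch", None) if nothing matched."""
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        port_ok = rule.dest_port == "*" or int(rule.dest_port) == dport
        if port_ok and selector_matches(rule.source, s) and selector_matches(rule.destination, d):
            return rule.access, rule.name
    return "NoMatch", None


# Default inbound rules as documented in the NSG overview linked in the question.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound",              65000, "VirtualNetwork",    "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "0.0.0.0/0",      "Allow"),
    Rule("DenyAllInBound",                65500, "0.0.0.0/0",         "0.0.0.0/0",      "Deny"),
]

# The variant the question proposes: VirtualNetwork as the destination instead.
PROPOSED_INBOUND = [
    Rule("AllowVNetInBound",              65000, "VirtualNetwork",    "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "VirtualNetwork", "Allow"),
    Rule("DenyAllInBound",                65500, "0.0.0.0/0",         "VirtualNetwork", "Deny"),
]

# Constructed endpoints: a VM NIC, an internet client, and a load balancer
# frontend that a Direct Server Return packet carries as its destination.
VM_NIC = "10.0.1.4"
INTERNET_CLIENT = "203.0.113.7"
LB_FRONTEND = "20.0.0.10"


def dsr_packet_verdicts():
    """Verdicts for a packet whose destination is the LB frontend, not a VNet
    address: (default rule set, proposed VirtualNetwork-destination rule set)."""
    return (evaluate(DEFAULT_INBOUND, INTERNET_CLIENT, LB_FRONTEND, 443),
            evaluate(PROPOSED_INBOUND, INTERNET_CLIENT, LB_FRONTEND, 443))


def override_with_higher_priority():
    """A customer rule with a lower number is evaluated before the default deny."""
    custom = [Rule("AllowHttpsInBound", 100, "0.0.0.0/0", "0.0.0.0/0", "Allow", "443")]
    return evaluate(custom + DEFAULT_INBOUND, INTERNET_CLIENT, VM_NIC, 443)


if __name__ == "__main__":
    print("health probe:", evaluate(DEFAULT_INBOUND, "168.63.129.16", VM_NIC, 80))
    print("internet to VM:", evaluate(DEFAULT_INBOUND, INTERNET_CLIENT, VM_NIC, 443))
    print("DSR packet (default / proposed):", dsr_packet_verdicts())
    print("override:", override_with_higher_priority())
```

With the documented rules, the DSR packet is explicitly denied by DenyAllInBound; with VirtualNetwork as the destination it matches no rule at all, which is the gap a catch-all 0.0.0.0/0 closes. The override function shows the point of the last answer: a customer rule at priority 100 is evaluated before 65500 and allows the traffic without touching the default rules.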