Azure Network Security Groups

Jérôme 21 Reputation points


I created a vNet (vNet-Proj) with 3 Subnet (Sub1, Sub2 and SIub3) to store servers by customer projet. For each subnet, I defined a static route with the default route ( is our private load-balancer (and behind the LB, we have firewalls).

I'm able to launch a rdp session from Server1 hosted in vNet Sub1 to Server1 hosted in vNet Sub2. On my FW, there is no traffic beteween these servers. Is-it normal ? And how I can easyly create an NSG (and attach it on eahc subnet) to block traffic from the other subnets hosted on the vNet ?


Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,228 questions
{count} votes

2 answers

Sort by: Most helpful
  1. KapilAnanth-MSFT 38,041 Reputation points Microsoft Employee


    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know more details about routing in Azure VNet.

    Wrt Routing,

    • This is an expected behavior
    • Azure selects a route based on the destination IP address, using the longest prefix match algorithm.
    • If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
    1. User-defined route
    2. BGP route
    3. System route
    • In your case, the subnet's address range has a longest prefix match as compared to - hence the default route kicks in and traffic is directly forwarded.

    Refer How Azure selects a route

    • Should you require subnet to subnet traffic pass via the Firewall, you must define the subnet's address range in the route tables.
    • Doing so, both system route and User-defined route (route table) will have the same longest prefix and by priority, User-defined route to Firewall comes into picture

    Wrt NSGs,

    • For management purposes, you can consider using Application Security Groups.
    • With this, you may group virtual machines without manual maintenance of explicit IP addresses
    • The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic
    • Refer

    Kindly let us know if this helps or you need further assistance on this issue.



    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    0 comments No comments

  2. aidanfinn 0 Reputation points

    A good practice is to create 1 NSG per subnet. Then use application security groups (ASGs) to logically define/group VMs. In each NSG create the rules that should define what traffic is allowed.

    Be aware that a default low priority rule allows traffic from "Virtual Network": that is the virtual network AND all other "connected" (routed) networks. That means that the default DenyAll rule won't block traffic between the subnets. The only way to get what you want is to define your own low priority Deny rule. I typically have a Deny from * on * to * rule on 4000 in every NSG, and then define all desired flows into/inside the subnet in the NSG rules.

    If you look at effective routes in an Azre NIC resource, you'll see why your route didn't apply. A more "accurate" (bitmap) route to the prefix of your VNet applied. Remember that in a s/w-defined network, traffic routes from A-B directly by default. The next hop was your destination VM. Of course, you could force the traffic to the prefix of another subnet via the firewall - if you really wanted to. That will require a more accurate UDR in addition to your route.

    0 comments No comments