Network security group allowing through unexpected traffic

Question

Network security group allowing through unexpected traffic

Charles Pickering 41

I've attached a network security group to a subnet and configured the rules to only permit port 3389 from a specific subnet however, I am still able to establish an RDP connection from other subnets.

My remote networks and VPN users are connected with Tailscale. I have a Tailscale subnet router with SNAT disabled in Azure on it's own subnet and another virtual subnet for my servers. I have a Network Security Group on that servers subnet set to filter out all traffic except certain ports from my remote sites to the servers. It's also set to allow more traffic from the Tailscale subnet to the servers. User's image

Somehow I am still able to establish an RDP connection from 10.3.5.0/24 to the server in the attached subnet.

JimmySalian-2011 42,491 Reputation points

2023-06-26T20:13:58.88+00:00

Hi Charles,

The screenshot is very small and hardly visible, I suspect overlapping subnets CIDR range but I will suggest you to enable the flow logging in NSG and you can track the source traffic

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
Charles Pickering 41 Reputation points

2023-06-26T20:42:47.6533333+00:00

Hi Jimmy,

If you're in Chrome, you should be able to right click on the image and open in new tab and zoom in.

I have a network watcher set up but I don't know how to actually view the logs. Maybe someone can help with that.

Interestingly, when I use the NSG diagnostic, it says that traffic coming from 10.3.5.25 is matching the rule for virtual network. But 10.3.0.0 isn't setup in any virtual networks in azure. 10.3.0.0/16 is my on premises "physical" network.

Accepted answer

0 additional answers

Your answer

JimmySalian-2011 42,491 Reputation points

2023-06-26T20:13:58.88+00:00

Hi Charles,

The screenshot is very small and hardly visible, I suspect overlapping subnets CIDR range but I will suggest you to enable the flow logging in NSG and you can track the source traffic

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
Charles Pickering 41 Reputation points

2023-06-26T20:42:47.6533333+00:00

Hi Jimmy,

If you're in Chrome, you should be able to right click on the image and open in new tab and zoom in.

I have a network watcher set up but I don't know how to actually view the logs. Maybe someone can help with that.

Interestingly, when I use the NSG diagnostic, it says that traffic coming from 10.3.5.25 is matching the rule for virtual network. But 10.3.0.0 isn't setup in any virtual networks in azure. 10.3.0.0/16 is my on premises "physical" network.

Answer 1

TP 124.7K Volunteer Moderator

Hi Charles,

Is 10.3.5.0/24 subnet part of the same Virtual Network as the servers subnet? If yes then the default AllowVNetInBound rule would allow the RDP traffic.

Please run Network Watcher -- IP flow verify in the Azure portal to see which rule it says is allowing the RDP traffic to the VM.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

-TP

Charles Pickering 41 Reputation points

2023-06-26T20:47:39.5866667+00:00

Hi,

10.3.0.0/16 is my local network, 10.9.0.0/16 is my azure network.

Somehow it is still matching the rule for virtual network though. I think that is the problem but I'm not sure how it got to be that way.

Here is the extent of the azure network:
Charles Pickering 41 Reputation points

2023-06-26T20:53:20.39+00:00

Hi TP,

I think my responses are being moderated out so I can't post a screenshot of the result but it says the allowvnetinbound rule is allowing it. I don't understand that as 10.3.0.0/16 isn't a virtual network in Azure.
TP 124.7K Reputation points Volunteer Moderator

2023-06-26T22:21:41.7466667+00:00

Hi Charles,

VirtualNetwork service tag includes connected on-premises address spaces, which is why the default AllowVnetInBound rule is allowing the RDP traffic.

What you could do is create a Deny rule for the on-premises subnet with priority of say, 64000. That way the on-premises traffic will be blocked by default because the rule will be processed before AllowVnetInBound rule.

For reference, please see VirtualNetwork purpose in the list of Service tags in article below:

https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#:~:text=Yes-,VirtualNetwork,-The%20virtual%20network

Share via

Network security group allowing through unexpected traffic

0 additional answers

Your answer