NSGs question to block certain type of ICMP protocol.

Wongue Kim 0 Reputation points
2023-06-30T04:19:59.81+00:00

Hi Azure,

I have a question about blocking ICMP timestamp type only. Is it possible to do this at the NSG level?

Thanks,

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

2 answers

  1. GitaraniSharma-MSFT 49,726 Reputation points Microsoft Employee
    2023-06-30T11:27:37.67+00:00

    Hello @Wongue Kim ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if it is possible to block ICMP timestamp type protocol only at the Azure NSG level.

    Azure NSG rules are evaluated and applied based on the five-tuple (source, source port, destination, destination port, and protocol) information.

    Initially, Azure NSGs didn't support the ICMP protocol, but starting 29th July 2019, the ICMP protocol is supported in NSG rules. However, it is for the whole ICMP protocol; you cannot selectively allow only certain types of traffic.

    https://azure.microsoft.com/en-in/updates/network-security-group-improvements-now-available/

    https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules

    So, you can create an NSG to block the ICMP protocol as a whole, but you cannot specify the type of traffic.

    To block the ICMP protocol, you can create an NSG rule as below:

    • Sign into the Azure portal.
    • Navigate to the resource group containing your NSG.
    • Locate and select the NSG that you want to modify.
    • In the NSG overview pane, click on "Inbound security rules" under "Settings".
    • Click on the "Add" button to create a new inbound security rule.
    • Provide a name for the rule, such as "Block ICMP".
    • Set the "Source" and "Destination" fields to match your specific requirements (e.g., source IP, destination IP, etc.).
    • Set the "Protocol" to "Any" or "ICMP".
    • In the "Source port ranges" and "Destination port ranges" fields, leave them blank to cover all ports.
    • Set the "Action" to "Deny".
    • Click on the "Add" button to create the rule.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Alistair Ross 7,386 Reputation points Microsoft Employee
    2023-06-30T08:49:39.59+00:00

    Hello @Wongue Kim

    No, you cannot do this with a Network Security Group. NSGs only block by Source, Source Port, Destination, Destination Port and Protocol. As the ICMP types are detailed in the ICMP header, it cannot be filtered with an NSG.

    Kind regards

    Alistair
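
An added Python example (not part of either answer, and not Azure's implementation) of the point both answers make: an echo request and a timestamp request between the same hosts present an identical five-tuple, and the only difference is the type byte inside the ICMP header, which a five-tuple rule never reads. The `rule_matches` matcher, the `DENY_ICMP` rule and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICMP = 1  # IANA protocol number carried in the IPv4 header
ICMP_TYPE_NAMES = {0: "echo-reply", 8: "echo-request",
                   13: "timestamp-request", 14: "timestamp-reply"}  # RFC 792

def build_packet(src, dst, icmp_type):
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def header_len(packet):
    """Validate the IPv4 header and return its length in bytes."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    return ihl

def five_tuple(packet):
    """What a five-tuple rule can see. ICMP has no ports, so both are None."""
    header_len(packet)
    return (str(ipaddress.IPv4Address(packet[12:16])), None,
            str(ipaddress.IPv4Address(packet[16:20])), None, packet[9])

def icmp_type(packet):
    """The ICMP type is the first byte after the IP header, outside the five-tuple."""
    ihl = header_len(packet)
    if packet[9] != ICMP or len(packet) <= ihl:
        raise ValueError("no ICMP header present")
    return packet[ihl]

def rule_matches(rule, packet):
    """Hypothetical matcher: rule is a five-tuple in which "*" matches anything."""
    return all(r == "*" or r == f for r, f in zip(rule, five_tuple(packet)))

DENY_ICMP = ("*", "*", "*", "*", ICMP)  # models a rule with Protocol = ICMP

if __name__ == "__main__":
    for t in (8, 13):
        pkt = build_packet("203.0.113.10", "10.0.0.4", t)
        print(ICMP_TYPE_NAMES[icmp_type(pkt)], five_tuple(pkt),
              "matched by deny rule:", rule_matches(DENY_ICMP, pkt))
```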
