Filter traffic between peering Vnets

First Last 106 Reputation points
2023-08-09T12:52:04.75+00:00

I'd like to filter traffic between peering Vnets. Example:

VNET1 peering with VNET2
10.10.10.0/24
Host A: 10.10.10.2
Host B: 10.10.10.3

VNET2 peering with VNET1
10.20.20.0/24
Host C: 10.20.20.12
Host D: 10.20.20.13

I want only host A and host C to be able to communicate with each other, all other traffic between Vnets is not allowed. I tried making this happen by applying a Network Security Group to Host C and use the appropriate rules but the traffic keeps flowing. I also tried applying a Network Security Group and appropriate rules to the subnets in the Vnets themselves but I get the same issue. I'm assuming this has something to do with the usual default Azure traffic rules (screenshot is taken without my custom rules):

I'm getting the feeling that I can't filter traffic between Vnets unless I use another product (Azure Firewall). Is my assumption correct? Or should I be able to filter traffic between peering Vnets with just a Network Security Group?


1 answer

  1. ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator
    2023-08-09T16:36:32.3+00:00

    @First Last

    Thank you for reaching out.

    Based on your question above.

    I'm getting the feeling that I can't filter traffic between Vnets unless I use another product (Azure Firewall). Is my assumption correct? Or should I be able to filter traffic between peering Vnets with just a Network Security Group?

    You can filter traffic within the peering VNETS using Network Security Groups.

    Based on the screenshot provided above, the highlighted rules AllowVnetInBound and AllowVnetOutBound are allowing the communication within the virtual networks, as the VirtualNetwork service tag is used as Source and Destination in the rule. This service tag includes the virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, and peered virtual networks. This is currently documented here.

    I think, in order to restrict all the traffic between the Virtual Networks, depending on your requirements you can set these AllowVnetInBound and AllowVnetOutBound rules to Deny and add a custom rule with priority, say, 100 to allow traffic from host A and host C specifically, where you will use host A's and host C's IPs as Source and Destination in either of the NSGs associated with their subnets.

    The changes above will also block the traffic flow within the VNETs themselves. If this is not desired and you just want to block the traffic between the peered VNET1 and VNET2, you can implement the rules in the following way, where the rule allowing communication between Host A and Host C has lower priority and the rule denying the traffic between VNET1 and VNET2 has higher priority, but lower than the AllowVnetInBound rule.


    Hope this answers your query. Please let me know if you have any additional questions. Thank you!

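The rule layout the answer describes can be checked before touching the portal by modelling how an NSG evaluates rules: lowest priority number first, first match wins, with the VirtualNetwork service tag expanding to the local address space plus peered VNets. The script below is an added example, not code from the question or answer; it uses the addresses from the question, the two default inbound rules that matter here (AllowVnetInBound 65000, DenyAllInBound 65500), constructed rule names, and only source/destination address matching (ports and protocols are omitted). It represents the inbound NSG on Host C's subnet in VNET2.

```python
import ipaddress
from dataclasses import dataclass

# Address spaces from the question. The VirtualNetwork service tag covers
# the local VNet plus every peered VNet, which is why the default rule
# lets VNET1 reach VNET2 before any custom rule is added.
VNET1 = ipaddress.ip_network("10.10.10.0/24")
VNET2 = ipaddress.ip_network("10.20.20.0/24")
SERVICE_TAGS = {"VirtualNetwork": [VNET1, VNET2]}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first, as in Azure NSGs
    src: str        # CIDR, service tag, or "*"
    dst: str
    action: str     # "Allow" or "Deny"


def _matches(selector: str, ip: str) -> bool:
    if selector == "*":
        return True
    nets = SERVICE_TAGS.get(selector) or [ipaddress.ip_network(selector)]
    return any(ipaddress.ip_address(ip) in n for n in nets)


def evaluate(rules, src_ip: str, dst_ip: str):
    """Return (action, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action, r.name
    return "Deny", "implicit"


# Default inbound rules relevant to this question (cannot be deleted, only overridden).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# Custom rules from the answer's second option (constructed names): allow A -> C at
# a lower number than the VNET1 -> VNET2 deny, which in turn beats AllowVnetInBound.
CUSTOM_INBOUND = [
    Rule("Allow-HostA-to-HostC", 100, "10.10.10.2/32", "10.20.20.12/32", "Allow"),
    Rule("Deny-VNET1-to-VNET2", 200, "10.10.10.0/24", "10.20.20.0/24", "Deny"),
]

if __name__ == "__main__":
    for src, dst in [("10.10.10.2", "10.20.20.12"), ("10.10.10.2", "10.20.20.13"),
                     ("10.10.10.3", "10.20.20.12"), ("10.20.20.13", "10.20.20.12")]:
        print(src, "->", dst, "defaults only:", evaluate(DEFAULT_INBOUND, src, dst),
              "with custom rules:", evaluate(DEFAULT_INBOUND + CUSTOM_INBOUND, src, dst))
```

Traffic inside VNET2 (D to C) still reaches AllowVnetInBound and is allowed, while every VNET1 source except Host A is stopped at priority 200; the same pattern applied to the NSG on Host A's subnet covers the reverse direction.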

