Filter traffic between peering Vnets

Question

Filter traffic between peering Vnets

First Last 106

I'd like to filter traffic between peering Vnets. Example:

VNET1 peering with VNET2
10.10.10.0/24
Host A: 10.10.10.2
Host B: 10.10.10.3

VNET2 peering with VNET1
10.20.20.0/24
Host C: 10.20.20.12
Host D: 10.20.20.13

I want only host A and host C to be able to communicate with each other, all other traffic between Vnets is not allowed. I tried making this happen by applying a Network Security Group to Host C and use the appropriate rules but the traffic keeps flowing. I also tried applying a Network Security Group and appropriate rules to the subnets in the Vnets themselves but I get the same issue. I'm assuming this has something to do with the usual default Azure traffic rules (screenshot is taken without my custom rules):
User's image

I'm getting the feeling that I can't filter traffic between Vnets unless I use another product (Azure Firewall). Is my assumption correct? Or should I be able to filter traffic between peering Vnets with just a Network Security Group?

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-08-11T00:01:34.96+00:00

@First Last

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

Your answer

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-08-11T00:01:34.96+00:00

@First Last

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

@First Last

Thank you for reaching out.

Based on your question above.

I'm getting the feeling that I can't filter traffic between Vnets unless I use another product (Azure Firewall). Is my assumption correct? Or should I be able to filter traffic between peering Vnets with just a Network Security Group?

You can filter traffic within the peering VNETS using Network Security Groups.

Based on the screenshot provided above. The highlighted rule AllowVnetInBound and AllowVnetOutBound are allowing the communication within the virtual networks. As the VirtualNetwork service tag is used as Source and Destination in the rule. This service tag includes the virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks. This is currently documented here.
User's image

I think in order to restrict all the traffic betweenthe Virtual Networks. Depending on your requirements you can either set these AllowVnetInBound and AllowVnetOutBound rules to Deny and add a custom rule with priority say 100 to allow traffic from host A and host C specifically where you will use host A and host C's IP as Source and Destination in either of the NSG associated with their subnets.

The changes above will also block the traffic flow within the VNET themselves, if this not desired and you just want to block the traffic between the peered VNET1 and VNET2. You can implement the rules in the following way. Where rule allowing communication between Host A and Host C has lower priority and rule Denying the traffic between VNET1 and VNET2 has higher priority but lower than the AllowVnetInBound rule.

User's image

Hope this answers your query. Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

First Last 106 Reputation points

2023-08-11T09:38:20.4733333+00:00

Hi @ChaitanyaNaykodi-MSFT,

Thank you for your extensive reply. VNET2 also has a Bastion host to which connectivity breaks if I deny VirtualNetwork traffic like suggested (you can't edit or delete those default rules but I just made lower priority rules and denied 'Service Tag: VirtualNetwork'). I didn't mention this Bastion host in the start post for simplicity reasons, my apologies. I tried fixing this by adding some rules like mentioned in this article: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg but this allows traffic again which is not wanted and introduces a lot of issues.

Thanks for your help either way.
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2023-08-18T03:01:06.09+00:00

@First Last

Apologies for the delay in getting back to you on this.

Thank you for sharing the details above.

Yes, as Azure Bastion is in the picture now the article you mentioned above suggests adding a allow rule for VirtualNetwork tag for ports 8080& 5701.

Just an idea here as this rule is applied so that the bastion host can reach out to the Virtual machine in the VNET. So, instead of adding the VirtualNetwork tag as Source and Destination, can you try using the Azure Bastion Subnet address and virtual machine's private IPs as Source and Destination here? and see if you are still able to access these machines using Azure Bastion.

If it helps you can use Azure Network Watcher IP flow verify to help quickly diagnose the issue. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.

Please let me know if you have any additional questions. Thank you!

Share via

Filter traffic between peering Vnets

1 answer

Your answer