What is the difference between changing the default behavior of routes at route table versus doing it at the inbound/outbound security rules of an NSG?

Pender Sessoms 30 Reputation points
2023-09-07T15:27:52.3066667+00:00

What is the difference between changing the default behavior of routes at route table versus doing it at the inbound/outbound security rules of an NSG? I realize this is a long-winded question, but I guess I am asking because it sort of seems like they both do the same thing... just using a different "application" to do it. Does that make sense?


Accepted answer
    GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-09-07T16:08:07.5766667+00:00

    Hello @Pender Sessoms ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know the difference between changing the default behavior of routes at route table versus doing it at the inbound/outbound security rules of an NSG.

    To start with, let's understand the difference between NSG and UDR (User Defined Route):

    A network security group (NSG) contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

    NSGs are rules which allow/deny traffic for both inbound and outbound flow.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

    User-defined routes (UDR) or custom routes can be created in Azure to override Azure's default system routes, or to add more routes to a subnet's route table.

    Each route contains an address prefix and next hop type. When traffic leaving a subnet is sent to an IP address within the address prefix of a route, the route that contains the prefix is the route Azure uses.

    UDRs are routes which can either override Azure's default system routes or add more routes to a subnet for outbound traffic leaving that subnet, and they decide where to send the traffic (the destination is defined in the next hop config of that route).

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#user-defined

    If you check the Virtual Network FAQ, you can find the below:

    What's the behavior when I apply both an NSG and a UDR at the subnet? For inbound traffic, network security group (NSG) inbound rules are processed. For outbound traffic, NSG outbound rules are processed, followed by user-defined route (UDR) rules.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#whats-the-behavior-when-i-apply-both-an-nsg-and-a-udr-at-the-subnet

    So, when traffic is inbound to a VM, only NSG will be applied, and the traffic will either be allowed or blocked.

    But when traffic is outbound from a VM, first the NSG will be applied to check if that traffic flow is allowed/blocked.

    • If blocked, then the traffic will be blocked.
    • If allowed, then it will check UDR to see where that traffic should be sent to.

    Conclusion:

    • NSG is for both inbound and outbound traffic and is only applied to check if that traffic is allowed or blocked.
    • UDR is only for outbound traffic and is applied post NSG check to decide where to send the traffic to.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    7 people found this answer helpful.
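The evaluation order described in the accepted answer (inbound: NSG only; outbound: NSG first, then the route table for the next hop), as an added example that is not part of the original thread or of any Azure SDK. The NSG rules, priorities and the route table are constructed sample data loosely modelled on Azure's defaults, and the `evaluate` function is a hypothetical simplification of the platform behaviour.

```python
import ipaddress

# Constructed NSG: evaluated by ascending priority, first match wins.
# Fields: (direction, priority, action, destination prefix, destination port or None for any)
NSG_RULES = [
    ("Inbound", 100, "Allow", "10.0.0.0/16", 22),       # custom: SSH into the subnet
    ("Inbound", 65500, "Deny", "0.0.0.0/0", None),      # like the default DenyAllInbound
    ("Outbound", 100, "Deny", "203.0.113.0/24", None),  # custom: block one external range
    ("Outbound", 65000, "Allow", "0.0.0.0/0", None),    # like the default allow-outbound rule
]

# Constructed route table: system VNet route plus a UDR that overrides the
# default Internet route and sends traffic to a virtual appliance (sample IP).
ROUTES = [
    ("10.0.0.0/16", "VirtualNetwork"),
    ("0.0.0.0/0", "VirtualAppliance 10.0.1.4"),
]


def nsg_decision(direction, dest_ip, port=None):
    """Allow/Deny for one flow: lowest priority number that matches wins."""
    addr = ipaddress.ip_address(dest_ip)
    for rule_dir, _prio, action, prefix, rule_port in sorted(NSG_RULES, key=lambda r: r[1]):
        if rule_dir != direction:
            continue
        if addr in ipaddress.ip_network(prefix) and (rule_port is None or rule_port == port):
            return action
    return "Deny"  # no rule matched; Azure's built-in rules normally prevent this


def next_hop(dest_ip):
    """Route selection is longest-prefix match; it never allows or denies anything."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def evaluate(direction, dest_ip, port=None):
    """Return (NSG outcome, next hop). Inbound traffic never consults the route table."""
    if nsg_decision(direction, dest_ip, port) == "Deny":
        return ("Denied by NSG", None)
    if direction == "Inbound":
        return ("Allowed by NSG", None)
    return ("Allowed by NSG", next_hop(dest_ip))
```

Note that the blocked outbound range never reaches route selection, while an allowed Internet-bound flow is steered to the appliance purely by the UDR.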
