Hello @Pender Sessoms,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know the difference between changing the default behavior of routes at route table versus doing it at the inbound/outbound security rules of an NSG.
To start with, let's understand the difference between NSG and UDR (User Defined Route):
A network security group (NSG) contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
NSGs are rules which allow/deny traffic for both inbound and outbound flow.
Refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
User-defined routes (UDR) or custom routes can be created in Azure to override Azure's default system routes, or to add more routes to a subnet's route table.
Each route contains an address prefix and next hop type. When traffic leaving a subnet is sent to an IP address within the address prefix of a route, the route that contains the prefix is the route Azure uses.
UDRs are routes which can either override Azure's default system routes or add more routes to a subnet for outbound traffic leaving that subnet, and they decide where to send that traffic (the destination is defined in the next hop config of that route).
Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#user-defined
If you check the Virtual Network FAQ, you can find the below:
What's the behavior when I apply both an NSG and a UDR at the subnet? For inbound traffic, network security group (NSG) inbound rules are processed. For outbound traffic, NSG outbound rules are processed, followed by user-defined route (UDR) rules.
So, when traffic is inbound to a VM, only NSG will be applied, and the traffic will either be allowed or blocked.
But when traffic is outbound from a VM, first the NSG will be applied to check if that traffic flow is allowed/blocked.
- If blocked, then the traffic will be blocked.
- If allowed, then it will check UDR to see where that traffic should be sent to.
Conclusion:
- NSG is for both inbound and outbound traffic and is only applied to check if that traffic is allowed or blocked.
- UDR is only for outbound traffic and is applied after the NSG check to decide where to send the traffic to.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
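The evaluation order described in the answer above, as an added illustration that is not part of the original answer and not Microsoft's code: a small Python model of one subnet with an NSG and a route table. Inbound flows are decided by NSG inbound rules alone; outbound flows go through NSG outbound rules first (lowest priority number first, first match wins, DenyAll as the fallback) and only an allowed flow is then matched against the route table (longest prefix wins, a user-defined route beats a system route with the same prefix). The rule names, CIDRs and the 10.0.254.4 appliance address are constructed sample values; service tags such as VirtualNetwork are not modelled, only CIDRs.

```python
"""Toy model of NSG + route-table processing on one Azure subnet.

Added example, not Microsoft's code. All rules, prefixes and next hops below are
constructed for illustration. The only behaviour encoded is the order stated in the
answer: inbound -> NSG inbound rules only; outbound -> NSG outbound rules, then UDR.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int           # lower number is evaluated first
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    source: str             # CIDR or "*"
    destination: str        # CIDR or "*"
    port: Optional[int]     # None matches any destination port


@dataclass(frozen=True)
class Route:
    name: str
    address_prefix: str     # CIDR
    next_hop_type: str      # e.g. "VnetLocal", "Internet", "VirtualAppliance"
    next_hop_ip: Optional[str] = None
    source: str = "User"    # "User" (UDR) or "System" (Azure default route)


def _matches(cidr: str, ip: str) -> bool:
    return cidr == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate_nsg(rules, direction, src, dst, port):
    """First matching rule in ascending priority order decides; returns (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if _matches(rule.source, src) and _matches(rule.destination, dst) and rule.port in (None, port):
            return rule.access, rule.name
    # Azure's default rule set ends with a DenyAll per direction; modelled here as the fallback.
    return "Deny", "DenyAll"


def lookup_route(routes, dst):
    """Longest prefix match; on equal length a user-defined route overrides a system route."""
    candidates = [r for r in routes if _matches(r.address_prefix, dst)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (
        ipaddress.ip_network(r.address_prefix, strict=False).prefixlen, r.source == "User"))


def process_flow(rules, routes, direction, src, dst, port):
    """Apply the NSG, then (outbound and allowed only) consult the route table."""
    access, rule_name = evaluate_nsg(rules, direction, src, dst, port)
    result = {"direction": direction, "nsg_rule": rule_name, "access": access, "next_hop": None}
    if access == "Deny" or direction == "Inbound":
        # Inbound: only the NSG decides. Outbound but denied: the UDR is never consulted.
        return result
    route = lookup_route(routes, dst)
    if route is not None:
        result["next_hop"] = (route.next_hop_type, route.next_hop_ip)
    return result


# Constructed sample: subnet 10.0.1.0/24 inside VNet 10.0.0.0/16, a firewall NVA at 10.0.254.4.
SAMPLE_RULES = [
    NsgRule("AllowSshFromAdmin", 100, "Inbound", "Allow", "203.0.113.0/24", "10.0.1.0/24", 22),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", None),
    NsgRule("DenyToBlockedRange", 100, "Outbound", "Deny", "*", "198.51.100.0/24", None),
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "10.0.0.0/16", "10.0.0.0/16", None),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "0.0.0.0/0", None),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", None),
]
SAMPLE_ROUTES = [
    Route("system-vnet", "10.0.0.0/16", "VnetLocal", source="System"),
    Route("system-internet", "0.0.0.0/0", "Internet", source="System"),
    Route("udr-force-tunnel", "0.0.0.0/0", "VirtualAppliance", "10.0.254.4"),  # overrides system default
]

if __name__ == "__main__":
    for flow in [("Inbound", "203.0.113.5", "10.0.1.4", 22),
                 ("Outbound", "10.0.1.4", "198.51.100.7", 443),
                 ("Outbound", "10.0.1.4", "8.8.8.8", 443),
                 ("Outbound", "10.0.1.4", "10.0.2.5", 445)]:
        print(process_flow(SAMPLE_RULES, SAMPLE_ROUTES, *flow))
```

Running the block shows the point of the answer directly: the outbound flow to 198.51.100.7 is stopped by the NSG and reports no next hop, while the allowed flow to 8.8.8.8 passes the NSG and is then steered to the appliance by the UDR that overrides the system Internet route.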