How to deny traffic on port 20000 of the public IP address of VPN virtual network gateway in Azure

hemanth kumar battula 20 Reputation points

I have a vpn virtual network gateway created with a site to site configuration.
I have a public ip Associated to the VPN gateway.
When I telnet to the public IP on port 20000, I am able to connect on that port.
I want to deny traffic on that port for the public IP.

I tried an NSG but it did not work. Could someone help me with how I can achieve this?
Please try to provide as much info as possible rather than just one-liners like "use a Firewall" etc.

Thanks in advance. I will reciprocate the same help to someone someday. Thank you.


Accepted answer
  1. KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

    @hemanth kumar battula

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to close the Port 20000 in your VNET Gateway.

    Please note that certain ports are required for Azure infrastructure communication.

    • They're protected (locked down) by Azure certificates.
    • Without proper certificates, external entities, including the customers of those gateways, won't be able to cause any effect on those endpoints.
    • The reason is that Azure infrastructure entities can't tap into customer private networks for compliance reasons, so they need to use public endpoints for infrastructure communication.
    • We can assure you that the public endpoints are periodically scanned by Azure security audits.

    Refer: Why are certain ports opened on my virtual network gateway?

    Also, with regard to using NSGs:

    • When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet.
    • Associating a network security group to this subnet may cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected.
    • Refer: Azure GatewaySubnet Considerations

    Hope this helps.
    Please Accept an answer if correct.

    Original posters help the community find answers faster by identifying the correct answer.

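The NSG caveat in the accepted answer, as an added audit check that is not part of this thread or of any Microsoft tooling: given the JSON that `az network vnet list -o json` produces, it reports every subnet named GatewaySubnet that has an NSG attached. The VNet names and NSG ids in the sample are constructed.

```python
import json

# Constructed sample shaped like `az network vnet list -o json` output, trimmed
# to the fields this check reads. Names and resource ids are assumptions.
SAMPLE_VNETS_JSON = """
[
  {"name": "hub-vnet",
   "subnets": [
     {"name": "GatewaySubnet",
      "networkSecurityGroup": {"id": "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/nsg-gw"}},
     {"name": "workload",
      "networkSecurityGroup": {"id": "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/nsg-app"}}
   ]},
  {"name": "spoke-vnet",
   "subnets": [
     {"name": "GatewaySubnet", "networkSecurityGroup": null}
   ]}
]
"""


def find_gateway_subnets_with_nsg(vnets_json: str) -> list[dict]:
    """Return one finding per GatewaySubnet that has an NSG associated.

    Azure requires the gateway subnet to be named exactly "GatewaySubnet",
    so the name match is exact. A subnet with no NSG has
    "networkSecurityGroup": null in the CLI output.
    """
    findings = []
    for vnet in json.loads(vnets_json):
        for subnet in vnet.get("subnets") or []:
            if subnet.get("name") != "GatewaySubnet":
                continue
            nsg = subnet.get("networkSecurityGroup") or {}
            nsg_id = nsg.get("id")
            if nsg_id:
                findings.append({
                    "vnet": vnet["name"],
                    "nsg_id": nsg_id,
                    "nsg_name": nsg_id.rsplit("/", 1)[-1],
                })
    return findings


if __name__ == "__main__":
    # Remediation for each hit is to detach the NSG from GatewaySubnet,
    # not to tune its rules; the gateway's public endpoint is not filterable this way.
    for f in find_gateway_subnets_with_nsg(SAMPLE_VNETS_JSON):
        print(f"{f['vnet']}/GatewaySubnet has NSG {f['nsg_name']} attached: {f['nsg_id']}")
```

Run it against the real output by piping `az network vnet list -o json` into the function instead of the embedded sample.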

1 additional answer

Sort by: Most helpful
  1. msrini-MSFT 9,261 Reputation points Microsoft Employee

    Hi, Azure VPN Gateway is a PaaS offering; applying an NSG on top of the VPN gateway subnet can only filter private traffic, and you cannot currently block a port on the VPN gateway's public IP.
