How to deny traffic on port 20000 of the public IP address of VPN virtual network gateway in Azure

hemanth kumar battula 20

I have a vpn virtual network gateway created with a site to site configuration.
I have a public ip Associated to the VPN gateway.
When I telnet to public IP one of the port 20000 i was able to connect on that port.
I want to deny traffic on that port for the public IP.

I tried NSG but did not work. Could some one help me which way i can achieve this.
Please try to provide as much info as possible rather than just telling one liners like to use Firewall etc.

Thanks in advance. I will reciprocate the same help to someone someday. Thank you.

ilyes ENNACEUR 6 Reputation points

2023-10-05T14:34:16.3666667+00:00
Hello @hemanth kumar battula , you'll need to use Network Security Groups (NSGs) in conjunction with the subnet that the VPN gateway is associated with. So NSGs can be used to control inbound and outbound traffic to network interfaces, VMs, or subnets.

So, first, Define an Inbound Security Rule as you want to deny traffic on port 20000 for the public IP. Here's how to create an inbound security rule:

Inside your NSG, go to "Inbound security rules" and click "Add."

Give your rule a name, such as "DenyPort20000."

Set the "Priority" to a value lower than any rules that allow traffic (e.g., 100 for higher priority).

Set the "Source" to the public IP address you want to deny access to.

Set the "Source port ranges" to "*" to include all source ports.

Set the "Destination" to "Any."

Set the "Destination port ranges" to "20000."

Choose the "Deny" action.

Leave the "Protocol" as "Any" unless you specifically want to deny traffic for a particular protocol.

Review and create the rule.

after that, associate the NSG with the Subnet, this is simple, to apply the NSG rule to the VPN gateway's subnet:

Go to the subnet settings where your VPN gateway is located.

Under "Network security group," select the NSG you just created.

--- If the reply is helpful, please Upvote and Accept as answer ---

kind regards, ilyes ENNACEUR
hemanth kumar battula 20 Reputation points

2023-10-05T14:37:52.2766667+00:00

This doesnt work. And I want to deny traffic on the public IP address of the vpn gateway and not the gateways subnet. I even tried denying on the ip address itself and it also did not work.
hemanth kumar battula 20 Reputation points

2023-10-05T14:55:22.0833333+00:00

I retried again just to make sure. The NSG that i have created cannot be associated to the gateway subnet. The nsg has one inbound rule that i newly created to restrict traffic on one of the public ip that the gateway is associated on the port. And it cannot be associated. Not sure why and no proper error message @ilyes ENNACEUR
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-09T05:55:43.7633333+00:00

@hemanth kumar battula

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
hemanth kumar battula 20 Reputation points

2023-10-09T06:52:37.4366667+00:00

HI @KapilAnanth-MSFT ,

Thank you so much for the valuable information.
As @msrini-MSFT said 'Azure VPN gateway is the PaaS offering and applying NSG on top of VPN gateway subnet can only filter Private traffic and you cannot currently block a port on VPN gateway's public IP.'. This is not documented anywhere.
Also as you stated, there was no information of which ports are open on Azure VPN gateway on public network. We would like to know what certain ports are open and why they are open. I would like this to be documented somewhere so that we can show this reference to our Security team.

Best Regards,
Hemanth
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-09T10:23:36.2433333+00:00
@hemanth kumar battula

Wrt , "Azure VPN gateway is the PaaS offering and applying NSG on top of VPN gateway subnet can only filter Private traffic and you cannot currently block a port on VPN gateway's public IP"

I don't think so this statement is current.

AFAIK, we will not be able to associate a NSG to a GatewaySubnet to begin with.

I tried to repo this in my Lab and I was not able to associate the subnet.

Wrt Open Ports,

I am afraid we will not be able to share the complete list of open ports of a VPN Gateway used by our platform.

At least, not in the Public Forum such as Microsoft Q&A

Should you require a comprehensive list of Open ports, I would suggest you to file a support ticket and our Engineers should be able to assist you.

Should you require a one-time free technical support, please do let us know and we will try and help you get one. Some ports I can share here are,

Port 8081 is used to verify the Azure gateway health probe. - Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-cannot-connect#step-7-verify-the-azure-gateway-health-probe

Port 7999 is used by the gateway to validate the health of its instances.

Thanks, Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
hemanth kumar battula 20 Reputation points

2023-10-10T05:42:36.54+00:00

Hi @KapilAnanth-MSFT ,

If the statement 'Azure VPN gateway is the PaaS offering and applying NSG on top of VPN gateway subnet can only filter Private traffic and you cannot currently block a port on VPN gateway's public IP' is not correct, then could you provide me a solution to block a certain port on the public IP address of the VPN virtual gateway please?(even if it causes issue with VPN gateway).
It might not be NSG but can be any way or procedure that helps to block the port on public IP address of the gateway.
Looking forward for your response.

BR,
Hemanth.
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-10T06:10:24.3566667+00:00

@hemanth kumar battula

Unfortunately, customers cannot block a port of a VPN Gateway.

This is by design of the product and we cannot override this.

Hope this helps.

Cheers,

Kapil.
hemanth kumar battula 20 Reputation points

2023-10-10T11:47:36.1433333+00:00

@KapilAnanth-MSFT is there a document that states this? if so could you please point me to the document please.

If not, could you let me know how this can be officially documented?
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-10T12:01:03.81+00:00

@hemanth kumar battula

Greetings.

This is documented as an expected behavior as why certain ports would be open.

Refer : Why are certain ports opened on my virtual network gateway?

You can consider the confirmation from Azure Support Team as an official statement.

I would suggest you to raise a support incident and use the same as the official statement from Microsoft.

Again, VPN Gateway is a PaaS service and as such, some configuration will not be available to the customers unlike an IaaS service.

I have, however, submitted a work item to update the fact that NSGs cannot be associated to the GatewaySubnet here : Github issue #115804

Hope this helps.

Please consider Accepting the answer as it would benefit the wider community.

Cheers,

Kapil
hemanth kumar battula 20 Reputation points

2023-11-18T18:17:36.6+00:00

Hi @KapilAnanth-MSFT , Thank you for providing me the answer that customers cannot block ports on VPN gateway. But can you double confirm that the following ports cannot be blocked on azure VPN gateway please: 10001,10002,179,20000,8081,8082,8443. Looking forward for your reply. Thank you for the support.
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-11-20T12:12:13.8166667+00:00

@hemanth kumar battula

Yes, that is correct.

No port can be blocked on Azure VPN Gateway.

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-06T04:32:35.68+00:00
@hemanth kumar battula

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to close the Port 20000 in your VNET Gateway.

Please note that certain ports required for Azure infrastructure communication.

They're protected (locked down) by Azure certificates.

Without proper certificates, external entities, including the customers of those gateways, won't be able to cause any effect on those endpoints

The reason being that Azure infrastructure entities can't tap into customer private networks for compliance reasons, so they need to utilize public endpoints for infrastructure communication.

We can assure you that the public endpoints are periodically scanned by Azure security audit

Refer : Why are certain ports opened on my virtual network gateway?

Also, wrt using NSGs,

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet.

Associating a network security group to this subnet may cause your virtual network gateway (VPN and Express Route gateways) to stop functioning as expected

Refer : Azure GatewaySubnet Considerations

Hope this helps.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

msrini-MSFT 9,276 Reputation points Microsoft Employee

2023-10-05T16:46:51.8166667+00:00

Hi, Azure VPN gateway is the PaaS offering and applying NSG on top of VPN gateway subnet can only filter Private traffic and you cannot currently block a port on VPN gateway's public IP.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

How to deny traffic on port 20000 of the public IP address of VPN virtual network gateway in Azure

1 additional answer