How to deny traffic on port 20000 of the public IP address of VPN virtual network gateway in Azure

hemanth kumar battula 20 Reputation points
2023-10-05T14:12:37.8666667+00:00

I have a VPN virtual network gateway created with a site-to-site configuration.
I have a public IP associated to the VPN gateway.
When I telnet to the public IP on port 20000, I was able to connect on that port.
I want to deny traffic on that port for the public IP.

I tried NSG but it did not work. Could someone help me with how I can achieve this?
Please try to provide as much info as possible rather than just telling one-liners like "use Firewall", etc.

Thanks in advance. I will reciprocate the same help to someone someday. Thank you.


Accepted answer

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee
2023-10-06T04:32:35.68+00:00

@hemanth kumar battula

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to close port 20000 on your VNET gateway.

Please note that certain ports are required for Azure infrastructure communication.

• They're protected (locked down) by Azure certificates.
• Without proper certificates, external entities, including the customers of those gateways, won't be able to cause any effect on those endpoints.
• The reason being that Azure infrastructure entities can't tap into customer private networks for compliance reasons, so they need to utilize public endpoints for infrastructure communication.
• We can assure you that the public endpoints are periodically scanned by Azure security audit.

Refer: Why are certain ports opened on my virtual network gateway?

Also, with respect to using NSGs:

• When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet.
• Associating a network security group to this subnet may cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected.
• Refer: Azure GatewaySubnet Considerations

Hope this helps.

Thanks,

Kapil


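The accepted answer's guidance is to keep NSGs off the GatewaySubnet rather than trying to filter the gateway's public IP there. The following audit script is an added example (not from the answer or from Azure's own tooling): it reads the JSON produced by `az network vnet list -o json` and reports every GatewaySubnet that has an NSG associated, so a defender can find the misconfiguration before the gateway starts misbehaving. The embedded JSON is a constructed sample, and the remediation hint assumes the generic `--remove` argument of `az network vnet subnet update`.

```python
import json

# Constructed sample shaped like `az network vnet list -o json`, trimmed to the
# fields this check reads. Subscription id is a placeholder, not a real value.
SAMPLE_VNETS_JSON = """
[
  {"name": "hub-vnet", "resourceGroup": "rg-network",
   "subnets": [
     {"name": "GatewaySubnet", "addressPrefix": "10.0.255.0/27",
      "networkSecurityGroup": {"id": "/subscriptions/<sub>/resourceGroups/rg-network/providers/Microsoft.Network/networkSecurityGroups/nsg-gw"}},
     {"name": "workload", "addressPrefix": "10.0.1.0/24",
      "networkSecurityGroup": {"id": "/subscriptions/<sub>/resourceGroups/rg-network/providers/Microsoft.Network/networkSecurityGroups/nsg-workload"}}
   ]},
  {"name": "spoke-vnet", "resourceGroup": "rg-network",
   "subnets": [
     {"name": "GatewaySubnet", "addressPrefix": "10.1.255.0/27", "networkSecurityGroup": null}
   ]}
]
"""


def gateway_subnet_findings(vnets):
    """Return one finding per GatewaySubnet that has an NSG associated.

    Azure requires the gateway subnet to be named exactly "GatewaySubnet",
    so the match is case-sensitive on purpose. A subnet whose
    networkSecurityGroup is null or missing is compliant.
    """
    findings = []
    for vnet in vnets:
        for subnet in vnet.get("subnets") or []:
            if subnet.get("name") != "GatewaySubnet":
                continue
            nsg = subnet.get("networkSecurityGroup") or {}
            if nsg.get("id"):
                findings.append({
                    "vnet": vnet["name"],
                    "resourceGroup": vnet.get("resourceGroup"),
                    "addressPrefix": subnet.get("addressPrefix"),
                    "nsg": nsg["id"].rsplit("/", 1)[-1],  # last path segment is the NSG name
                })
    return findings


def audit(vnets_json):
    """Parse `az network vnet list -o json` output and return the findings list."""
    return gateway_subnet_findings(json.loads(vnets_json))


if __name__ == "__main__":
    for f in audit(SAMPLE_VNETS_JSON):
        print(f"[finding] {f['resourceGroup']}/{f['vnet']} GatewaySubnet ({f['addressPrefix']}) "
              f"has NSG '{f['nsg']}' attached; consider: az network vnet subnet update "
              f"-g {f['resourceGroup']} --vnet-name {f['vnet']} -n GatewaySubnet --remove networkSecurityGroup")
```

Replace `SAMPLE_VNETS_JSON` with the real output of `az network vnet list -o json` to run it against a subscription.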

1 additional answer

msrini-MSFT 9,261 Reputation points Microsoft Employee
2023-10-05T16:46:51.8166667+00:00

Hi, Azure VPN Gateway is a PaaS offering, and applying an NSG on top of the VPN gateway subnet can only filter private traffic; you cannot currently block a port on the VPN gateway's public IP.
