Test failover doesn't work as expected.

Question

While performing a test failover in ASR, I can't visit the published HTTP test website and RDP to the new VM created during the test failover activity. When troubleshooting I noticed the NSGs were missing in the associated NIC. Then I was trying to add the required rules in the NSG but it says "This network interface does not contain network security groups" message and not allowing to create the NSGs. Kindly let us know how I can perform the failover and use the services as expected. Also be noted the public IP address has been assigned to the NIC as well.

Answer 1

You'll need to create an NSG firstly, then associate the network security group to the subnet of that virtual network where the ASR replica VM is associated to.

Once you've got your NSG created, you can create a rule to allow port 80 from your source IP (hopefully just your own public IP for testing purposes) and the destination IP being the private IP of the VM NIC. Repeat for port 3389, however I must stress both can only be for testing purposes and you should make sure the source IP is your own public IP and that you remove this when done testing.

However, I'd advise strongly looking into the cloud adoption framework to understand how to secure the workloads from the edge:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-virtual-machine-remote-access

The likes of Azure Bastion enabled in the region where your VMs are located will secure RDP by giving you a native and secure RDP mechanism that doesn't expose your VM to the internet.

And app/web cloud adoption readiness:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery

Hope this helps, if it does please mark the answer as accepted.