Azure Network Security Group doesn't Apply to an Internal Load Balancer
I have an Azure Internal Load Balancer with frontend address connected to a subnet.
I have an Azure Network Security Group that denies all inbound traffic to that subnet.
But the traffic still flows.
How do I restrict access to a load balancer from specific subnets?
(Screenshots attached: Internal Load Balancer config; Virtual Network Connected Devices; Virtual Network Subnets; Subnet Network Security Group; Connection Test)
Azure Virtual Network
Azure Load Balancer
-
JimmySalian-2011 41,926 Reputation points
2023-11-26T14:15:29.3366667+00:00 Hi,
In this case you can configure an NSG on their virtual network but not directly on the Load Balancer. Implement network security groups and only allow access to your application's trusted ports and IP address ranges. In cases where there is no network security group assigned to the backend subnet or NIC of the backend virtual machines, traffic will not be allowed to access these resources from the load balancer.
The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is closed to inbound flows unless opened by network security groups to explicitly permit allowed traffic, and to disallow known malicious IP addresses. Unless a network security group on a subnet or NIC of your virtual machine resource exists behind the Load Balancer, traffic is not allowed to reach this resource.
Hope this helps.
JS
==
Please Accept the answer if the information helped you. This will help us and others in the community as well.
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-11-27T09:02:39.2633333+00:00 Hello @SplitKeyboard,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how to restrict access to an internal load balancer from specific subnets.
As mentioned in the Azure Load Balancer algorithm document,
A response to an inbound flow is always a response from a virtual machine. When you successfully validate connectivity to a front end, you're validating the connectivity throughout to at least one back-end virtual machine.
So, to restrict access from specific subnets, you need to make sure that the VMs in the backend pool are restricted using NSGs. You can add a Deny All rule to the NSGs of the backend pool VMs from the specific subnets. Also, validate if you have NSG on both the VM's NIC and subnet and configure the access restrictions accordingly.
Regards,
Gita
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-11-29T10:39:05.5566667+00:00 Hello @SplitKeyboard,
Could you please provide an update on this post?
Kindly let us know if the above helps or you need further assistance on this issue.
Regards,
Gita
-
SplitKeyboard 0 Reputation points
2023-11-30T06:51:18.2+00:00 Thanks for your response.
So, to restrict access from specific subnets, you need to make sure that the VMs in the backend pool are restricted using NSGs.
The problem is that backend has random ports managed by Azure Kubernetes Service (AKS).
So it's not clear what rules to apply on the backend side.
Have a look at a diagram attached:
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-11-30T15:52:54.4666667+00:00 Thank you for the update, @SplitKeyboard.
In terms of load balancer, I can say that the NSG has to be applied on the backend resource to allow/deny traffic but in terms of AKS, I would have to check with the AKS SMEs to find the desired configuration.
But as per the documentations,
To filter virtual network traffic flow, Azure uses network security group rules. These rules define the source and destination IP ranges, ports, and protocols allowed or denied access to resources. Default rules are created to allow TLS traffic to the Kubernetes API server. You create services with load balancers, port mappings, or ingress routes. AKS automatically modifies the network security group for traffic flow.
If you provide your own subnet for your AKS cluster (whether using Azure CNI or Kubenet), do not modify the NIC-level network security group managed by AKS. Instead, create more subnet-level network security groups to modify the flow of traffic. Make sure they don't interfere with necessary traffic managing the cluster, such as load balancer access, communication with the control plane, or egress.
Refer: https://learn.microsoft.com/en-us/azure/aks/concepts-security#azure-network-security-groups
https://learn.microsoft.com/en-us/azure/aks/concepts-network#network-security-groups
Could you please try to add the below rules to your AKS subnet NSG and test connectivity?
Src                Src port   Dest   Dest port   Protocol   Action
10.10.0.*          Any        Any    Any         Any        Allow
10.20.0.*          Any        Any    Any         Any        Allow
10.30.0.*          Any        Any    Any         Any        Allow
AzureLoadBalancer  Any        Any    Any         Any        Allow
Any                Any        Any    Any         Any        Deny
Regards,
Gita
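The rule set above only works because an NSG evaluates inbound rules at the backend NIC or subnet in ascending priority order and stops at the first match, and because the custom Deny rule sits below the built-in AllowVnetInBound rule (priority 65000) that otherwise lets every subnet in the VNet reach the backend, which is the behaviour the original question describes. The following is an added example, not code from this thread or from Microsoft: a small offline evaluator of NSG inbound rule precedence, loaded with Azure's three default inbound rules and with the suggested rule set. It assumes that "10.10.0.*" means 10.10.0.0/24, that the VirtualNetwork tag resolves to 10.0.0.0/8, that the AzureLoadBalancer tag is the health-probe address 168.63.129.16, and constructed values for the backend node address, the NodePort and the rule priorities.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Service tags as this simulation resolves them. 168.63.129.16 is the fixed address
# Azure uses for load balancer health probes (the AzureLoadBalancer tag). The
# VirtualNetwork range is an assumption for the sample VNet, not a real lookup.
SERVICE_TAGS: Dict[str, List[ipaddress.IPv4Network]] = {
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
    "VirtualNetwork": [ipaddress.ip_network("10.0.0.0/8")],  # assumed VNet address space
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first; custom rules use 100-4096
    source: str     # CIDR, service tag, or "*"
    dest: str
    dest_port: str  # "*" or a single port number (ranges are not needed here)
    protocol: str   # "*", "Tcp" or "Udp"
    action: str     # "Allow" or "Deny"


def _addr_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    if spec == "*":
        return True
    if spec in SERVICE_TAGS:
        return any(addr in net for net in SERVICE_TAGS[spec])
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def _proto_matches(spec: str, proto: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int,
             proto: str = "Tcp") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule in ascending priority order.

    This mirrors NSG semantics: the first match wins and later rules are never consulted,
    so a custom Deny only takes effect if its priority number is lower than the default
    AllowVnetInBound rule (65000)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_addr_matches(rule.source, src) and _addr_matches(rule.dest, dst)
                and _port_matches(rule.dest_port, dst_port)
                and _proto_matches(rule.protocol, proto)):
            return rule.action, rule.name
    return "Deny", "<no rule matched>"


# Default inbound rules present in every NSG; they cannot be removed, only outranked.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

# The rule set suggested in the thread, with "10.10.0.*" read as 10.10.0.0/24 (assumption);
# priorities are constructed for the example.
SUGGESTED_INBOUND = [
    Rule("Allow-Subnet-10-10", 100, "10.10.0.0/24", "*", "*", "*", "Allow"),
    Rule("Allow-Subnet-10-20", 110, "10.20.0.0/24", "*", "*", "*", "Allow"),
    Rule("Allow-Subnet-10-30", 120, "10.30.0.0/24", "*", "*", "*", "Allow"),
    Rule("Allow-HealthProbes", 130, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("Deny-Everything-Else", 4000, "*", "*", "*", "*", "Deny"),
]

BACKEND_NODE = "10.1.0.4"  # constructed: an AKS node behind the internal load balancer
NODEPORT = 31234           # constructed: one of the AKS-managed backend ports

# Constructed sample sources: (address, what it represents).
SAMPLE_SOURCES = [
    ("10.10.0.7", "client in an allowed subnet"),
    ("10.40.0.9", "client in another subnet of the same VNet"),
    ("168.63.129.16", "load balancer health probe"),
    ("203.0.113.5", "address outside the VNet (TEST-NET-3)"),
]


def check_flows(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate each sample source against the backend NodePort; returns source -> action."""
    return {src: evaluate(rules, src, BACKEND_NODE, NODEPORT)[0] for src, _ in SAMPLE_SOURCES}


if __name__ == "__main__":
    # With only the defaults, AllowVnetInBound admits every subnet in the VNet.
    print("defaults only  :", check_flows(DEFAULT_INBOUND))
    # With the suggested rules, only the listed subnets and the health probe get through.
    print("with suggested :", check_flows(SUGGESTED_INBOUND + DEFAULT_INBOUND))
```

Running it shows the other-subnet client allowed under the defaults alone and denied once the suggested rules are in place, while the health-probe source stays allowed in both cases; dropping the AzureLoadBalancer allow rule from the custom set would make the deny rule swallow probes and mark the backend unhealthy. The evaluator deliberately ignores source ports, the NIC-level NSG that AKS manages, and the exact contents of the VirtualNetwork tag, so treat it as a way to reason about rule ordering, not as a substitute for a connectivity test against the real subnet NSG.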
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-12-01T14:12:26.06+00:00 @SplitKeyboard, could you please provide an update on this post and let me know if you tried adding the suggested NSG rules to your AKS subnet?
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-12-05T13:10:29.87+00:00 @SplitKeyboard, do you have any new updates on this post?
-
SplitKeyboard 0 Reputation points
2023-12-05T13:38:26.63+00:00 @GitaraniSharma-MSFT, thanks for reaching out. I saw your suggestion and actually I tried something like that before, but the results were not unambiguous, so I decided to do more thorough testing once I have some time for that.
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-12-05T14:34:56.8333333+00:00 Thank you for the update, @SplitKeyboard. Please keep me posted on your test results.
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-12-11T09:52:35.76+00:00 @SplitKeyboard, do you have any new updates on this issue?
-
GitaraniSharma-MSFT 48,016 Reputation points • Microsoft Employee
2023-12-14T12:25:18.1+00:00 @SplitKeyboard, could you please provide an update on this post?