Maybe incorrect information in unit "Determine network security group effective rules" in " Configure network security groups"

Question

Maybe incorrect information in unit "Determine network security group effective rules" in " Configure network security groups"

Abd Alrifai 20

In the Unit "Determine network security group effective rules" in Module "Configure network security groups" The first table describes how Azure evaluates each NSG configuration to determine the effective security rules. In the "Vm 4" row, it says under inbound rules: "Azure default rules apply to both subnet and NIC and all inbound traffic is allowed" The issue I am seeing is that it says "all inbound traffic is allowed", but if you go back one unit The unit says under "Inbound traffic rules" that only Vnet inbound traffic and load balancer inbound traffic is allowed and everything else is denied. So I think the cell referenced earlier should say "Azure default rules apply to both subnet and NIC and only Vnet and load balancer inbound traffic is allowed", please correct me if I am wrong.

Also in the same unit under "Inbound traffic effective rules" in the second bullet point "NSG inbound rules for a subnet in a VM take precedence over NSG inbound rules for a NIC in the same VM." it should say: "NSG inbound rules for a subnet in a VN take precedence over NSG inbound rules for a NIC in the same VN." also please advise :).

Thanks.

Accepted answer

0 additional answers

Your answer

Answer 1

Rakesh Gurram 15,700 Microsoft External Staff Moderator

Hi Abd Alrifai,

Thanks for reaching out to us on Microsoft Q&A forum.

As per Unit-4, In the "Determine network security group effective rules" unit, under the "VM 4" row, it states: Azure default rules apply to both subnet and NIC, and all inbound traffic is allowed is valid as per the scenario below:

User's image

The provided screenshot explicitly indicates that for VM4, in accordance with the documentation, the Network Security Group (NSG) was not set up for subnet 3 and NIC. Consequently, the Azure default rules are enforced for both the subnet and Network Interface Card (NIC) associated with VM4, allowing unrestricted inbound and outbound traffic.

As per Unit-3 In the "Determine network security group rules" unit, under "Inbound traffic rules," it mentions that only Vnet inbound traffic and load balancer inbound traffic is allowed, and everything else is denied is valid as per the scenario.

Scenario: - In Azure, when you create a Network Security Group (NSG), three default inbound security rules are established. These rules are designed to block all incoming traffic by default, except for the traffic originating from your virtual network and Azure load balancers.

As per Unit-4, In the "Determine network security group effective rules" under section "Inbound traffic effective rules" the statement "NSG inbound rules for a subnet in a VM take precedence over NSG inbound rules for a NIC in the same VM" is valid as per the screenshot below.

User's image

If the information is helpful, please accept the answer by clicking the "Accept Answer" on the post. If you are still facing any issue, please let us know in the comments. We are glad to help you.

Thank you.

Rakesh Gurram 15,700 Reputation points Microsoft External Staff Moderator

2024-01-05T04:46:52.6+00:00

Hi Abd Alrifai,

Just checking in to see if you had a chance to see the previous answer. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.
Rakesh Gurram 15,700 Reputation points Microsoft External Staff Moderator

2024-01-06T00:46:36.56+00:00

Hi Abd Alrifai,

Just checking in to see if you had a chance to see the previous answer. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.
Abd Alrifai 20 Reputation points

2024-01-06T10:33:54.7933333+00:00

Thank you for the answer Rakesh. You said: "Consequently, the Azure default rules are enforced for both the subnet and Network Interface Card (NIC) associated with VM4, allowing unrestricted inbound and outbound traffic.", since the Azure default rules will allow only Vnet inbound traffic and load balancer inbound traffic and everything else is denied, then the inbound traffic to VM4 will not be "unrestricted", only the Vnet inbound traffic and load balancer inbound traffic will reach VM4. My statement is backed by this document which describes the same exact scenario, notice what it says under VM4: "All network traffic is blocked".

About Unit 3, there is nothing wrong with it, I just used it in the original question as a reference.

About this statement in Unit 4: "NSG inbound rules for a subnet in a VM take precedence over NSG inbound rules for a NIC in the same VM." notice that it says VM (Virtual Machine), which I think is a typo and it should be VN (Virtual Network).
Rakesh Gurram 15,700 Reputation points Microsoft External Staff Moderator

2024-01-07T14:36:27.1733333+00:00

Hi Abd Alrifai,

As per Unit-4, In the "Determine network security group effective rules" under section "Inbound traffic effective rules" the statement "NSG inbound rules for a subnet in a VM take precedence over NSG inbound rules for a NIC in the same VM" is valid and there is no typo error.

While creating a VM a Vnet is required, but Vnet doesn't provide any opportunity to create VMs, that is why we use subnets in VN to create VMs.

NSG is attached to subnets, whatever the NSG rules we added to subnets those NSG rules are applied to only VMs but not to VN.

Inbound traffic effective rules:
Azure processes rules for inbound traffic for all VMs in the configuration. Azure identifies if the VMs are members of an NSG, and if they have an associated subnet or NIC. Azure evaluates each NSG configuration to determine the effective security rules.

Network security groups are defined for your virtual machines which are placed in a subnet that is placed in a Virtual Network in the Azure portal.

As per Unit-4, In the "Determine network security group effective rules" unit, under the "VM 4" row, it states: Azure default rules apply to both subnet and NIC, and all inbound traffic is allowed is valid as per the scenario given below and attached as a screenshot provided from the link for reference.

Scenario: If there are no NSGs associated with the network interface or subnet, and you have a public IP address assigned to a VM, all ports are open for inbound access from and outbound access to anywhere.

https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem

Also, we can see from the below link, that the scenario what we explained is applicable for VM4 as given below:

https://learn.microsoft.com/en-us/training/modules/filter-network-traffic-network-security-group-using-azure-portal/4-create-network-security-group

VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet 3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

If you are still facing any issue, please let us know in the comments. We are glad to help you.

Thank you.
Rakesh Gurram 15,700 Reputation points Microsoft External Staff Moderator

2024-01-08T16:36:13.7166667+00:00

Hi Abd Alrifai,

Just checking in to see if you had a chance to see the previous answer. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.
Rakesh Gurram 15,700 Reputation points Microsoft External Staff Moderator

2024-01-09T11:06:34.7066667+00:00

Hi Abd Alrifai,

Just checking in to see if you had a chance to see the previous answer. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.

Share via

Maybe incorrect information in unit "Determine network security group effective rules" in " Configure network security groups"

0 additional answers

Your answer