Inbound IP Rules on NSGs when 3rd Octet changes

Matt Suderman 20

We have a series of VMs being accessed by contractors. In order to create some inbound security, we have Inbound RDP rules on the NSG based on IP.

We use xxx.xxx.xxx.0/24 to handle situations where the 4th octet changes from day to day. However, we have one contractor where the 3rd Octet seems to change. I've searched all over and can't find and example of how to handle this situation.

Thanks for any guidance.

Luis Arias 8,621 Reputation points Volunteer Moderator

2024-03-08T22:12:20.18+00:00

Hello Matt Suderman , did you already try adding an accord network CIDR in 3rd Octet (/16/23) in order to capture all the posibilities?. On the other hand how are you creating the NSG rules , if there is any logic to identify which network will changes can be implemented by Bicep or terraform.

Let me know your answer.
Matt Suderman 20 Reputation points

2024-03-12T23:47:57.36+00:00

I'm doing an Inbound Security Rule using RDP Allow.

I have a couple users where the 3rd octet seems to fluctuate so I

xxx.226.xx0.0/24,

xxx.226.xx3.0/24,

xxx.226.xx1.0/24

xxx.94.189.158,

What I want to do is xxx.226.0/24.0/24 But I'm not sure if that will work.

Accepted answer

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2024-03-14T13:21:13.3333333+00:00
@Matt Suderman ,

Your example is misleading.

With the below,

xxx.226.xx0.0/24, xxx.226.xx3.0/24, xxx.226.xx1.0/24

I can see the 3rd Octet changing.

For this, you have to specify the NSG rule as xxx.226.0.0/16

However, with

xxx.94.189.158

Even the second octet changes (here it is 94)

In these cases, you should use xxx.0.0.0/8

Or if this is only one IP with a different second octet, you can simply create a new Allow rule with xxx.94.189.158/32 (allow single IP)

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil
Please sign in to rate this answer.
Matt Suderman 20 Reputation points

2024-03-14T14:02:38.8233333+00:00

my apologies...and thank you for your assistance.

So, lets say my user is reporting IP ranges

123.456.102.45

123.456.102.86

123.456.87.21

123.456.87.23

123.456.97.104

Would this rule let them in?

123.456.0.0/24

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2024-03-14T14:06:16.9166667+00:00

@Matt Suderman ,

For this range, you should use 123.456.0.0/16.

/8 means first octet fixed (in your case 123)

/16 means first two octet fixed (in your case 123.456)

/24 means first three octet fixed. In your case

A) 123.456.87.21 and 123.456.87.23 would come under 123.456.87.0/24

and

B) 123.456.102.45 and 123.456.102.86 would come under 123.456.102.0/24

Hope this helps. Cheers,

Kapil

Matt Suderman 20 Reputation points

2024-03-15T14:26:18.67+00:00

This is what I needed....

THANK YOU!

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2024-03-15T17:17:56.7266667+00:00

@Matt Suderman ,

Glad we could be of help.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

0 additional answers

Your answer