![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 20%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E14%3C/text%3E%3C/svg%3E)
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,461 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Thank you for reaching out.
I understand you have question about restricting access to your Azure Resources from your on-prem which is connected Azure using S2S VPN.
I think the NSG rules should work in this scenario. From the 2nd post Site-to-Site VPN Subjects to NSG the NSG rules did not work because the customer there used Virtual Network Service tag which includes the on-prem private network as well. You can use the IP address spaces in the NSG to apply the required restrictions. As shown in the example below.
Assuming your on-prem private network is 172.16.0.0/24 then you can set up inbound NSG rule as below
Where Priority 110 allow the communication from on-prem( Source IP 172.16.0.0/24) if the destination IP address is 10.100.1.2, 10.100.2.2, 10.100.3.2
Another Priority 200 deny the communication from On-prem ( Source IP 172.16.0.0/24) where destination is any IP address.
As NSG Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities aren't processed.
In the example above when rule with priority 110 allows communication rule with priority 200 is not processed and the request is allowed.
A few points to consider here:
- Network security groups (NSGs) on the Azure VPN gateway subnet are not supported. Associating a network security group to this subnet might cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected.
- If you can use following tools to troubleshoot any NSG related connectivity issue:
- IP flow verify : It's a quick and simple tool to diagnose connectivity issues to or from other Azure resources, the internet and on-premises environment.
- NSG flow logs: It's vital to monitor, manage, and know your own network so that you can protect and optimize it. You need to know the current state of the network, who's connecting, and where users are connecting from.
Hope this helps! Please share screenshot of the NSG rules if the connectivity issue still persists. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.