Help to create NSG rule

Van Huy Tuyen 20 Reputation points
2025-04-03T04:26:07.83+00:00

Dear support team,

I created an NSG and see the default inbound rule: Allow VNet inbound

  • Priority: 65000
  • Name: AllowVnetInBound
  • Port: Any
  • Protocol: Any
  • Source: Virtual network
  • Destination: Virtual network
  • Action: Allow

As far as I know, this rule allows all connections from other VNets (peering) and the on-premises network (S2S VPN).

But it's too broad.

So I created 2 new inbound rules:

The first: Deny All VNet Inbound:

  • Priority: 200
  • Name: DENY_ALL
  • Port: Any
  • Protocol: Any
  • Source: Virtual network
  • Destination: Virtual network
  • Action: Deny

After the first rule, I cannot connect to the VNet from any on-premises network or any other VNets. That's fine.

For the second, I created a new rule. I expect to be able to connect from a specific on-premises network and a specific VNet.

  • Priority: 100
  • Name: Allow specific network
  • Port: Any
  • Protocol: Any
  • Source: 10.16.0.0/24
  • Destination: 10.150.0.0/24 (this is subnet on my VNet I want to control by NSG)
  • Action: Allow

But the second rule doesn't work. I still cannot connect to my VNet.

Does that mean traffic from the on-premises network or other VNets doesn't go through the second rule? Please advise.

Thank you!

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

2 answers

  1. Deepanshukatara-6769 16,565 Reputation points Moderator
    2025-04-03T06:47:25.5133333+00:00

    Hello Van, welcome to MS Q&A.

    Why Your Configuration Fails

    • Rule 1: DENY_ALL (Priority: 200)
      • This rule blocks all inbound traffic within the VNet.
      • It also blocks communication across peered VNets.
      • However, this does NOT affect on-premises traffic because on-prem traffic comes via a GatewaySubnet, not as "Virtual Network".
    • Rule 2: Allow specific network (Priority: 100)
      • This rule is meant to allow on-premises traffic, but On-prem traffic does not match "Virtual Network" as a source in NSG rules.
        • The source must be your on-prem network range AND should match the correct route.
        • If traffic is coming via VPN Gateway, it does not hit the NSG on the subnet.

    Fixing the Issue

    1. Modify your allow rule to apply to on-premises traffic explicitly

    Example:

    Priority: 100
    Name: Allow_OnPrem
    Port: Any
    Protocol: Any
    Source: 192.168.1.0/24 (replace with your actual on-prem network range)
    Destination: 10.150.0.0/24
    Action: Allow

    2. Apply NSG to the Correct Subnet
      • Make sure the NSG is applied to the correct subnet of the VM you are trying to access.
    3. Verify UDR (User-Defined Route) Settings
      • If you have a UDR (User-Defined Route) applied to the subnet, ensure that the route for the on-prem network points to the VPN Gateway.
    4. Check Effective Security Rules
      • Use Azure Network Watcher → Effective Security Rules to see what rules are being applied.
    5. Check Peering Configuration (If Cross-VNet Communication is Needed)
      • If traffic is coming from another VNet, ensure that VNet peering is configured to allow forwarded traffic.

    Please check if it helps.

    Let us know if you have further questions.

    Thanks
    Deepashu


  2. G Sree Vidya 2,270 Reputation points Microsoft External Staff Moderator
    2025-04-03T07:08:10.4933333+00:00

    Hi Van Huy Tuyen

    I understand that you need assistance with the NSG rule that allows your on-prem network to reach the destination VNet.

    Default rule behavior: The default rule AllowVnetInBound (Priority 65000) allows all inbound traffic from the same VNet or peered VNets (via VNet peering).

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules

    First, may I ask if your scenario is in a hub-and-spoke topology? If yes, please update the rules as follows:

    Rule 1:

    • Priority: 100
    • Name: Allow specific network
    • Port: Any
    • Protocol: Any
    • Source: 10.16.0.0/24 (on-prem), <<add HUB VPN VNET CIDR>>
    • Destination: 10.150.0.0/24
    • Action: Allow

    Rule 2:

    • Priority: 200
    • Name: DENY_ALL
    • Port: Any
    • Protocol: Any
    • Source: Virtual network
    • Destination: Virtual network
    • Action: Deny

    Also, please verify whether another NSG is attached to the VM NIC that may block the traffic.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

    Note: you would generally need to allow the hub VNet's address space in the spoke VNet's NSG if the hub-and-spoke architecture requires communication between these VNets. This often applies when the hub VNet acts as a central point for shared services, such as DNS servers, VPN gateways, or application gateways.

    I hope this information helps. Let me know if you need any further assistance on this.


    If this answers your query, please click Accept Answer and Yes for "Was this answer helpful". And if you have any further query, do let us know.

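As an added illustration that is not part of the question or of either answer: a small Python model of how an NSG evaluates inbound rules (ascending priority number, first match wins, Azure's default rules sitting behind your own) and of the fact that inbound traffic is checked by the subnet NSG first and then by the NIC NSG, with a Deny at either layer being final. The topology is assumed for the example: the poster's VNet as 10.150.0.0/16, a peered VNet 10.20.0.0/16, and on-premises space 10.16.0.0/16 advertised over the S2S VPN, all of which the VirtualNetwork service tag expands to. Protocol and port are not modelled, since the rules in the question use Any for both.

```python
"""Toy model of Azure NSG inbound evaluation (added example, not from the thread).

Only source address, destination address and action are modelled; protocol
and port are treated as "Any", which is what the rules in the question use.
"""
from dataclasses import dataclass
import ipaddress

# Constructed topology (assumption): what the "VirtualNetwork" service tag
# expands to for the protected subnet. Per Microsoft's NSG documentation the
# tag covers the VNet's own address space, peered VNets and on-premises
# prefixes learned through the virtual network gateway.
TAGS = {
    "Any": ["0.0.0.0/0"],
    "VirtualNetwork": [
        "10.150.0.0/16",  # the poster's VNet (assumed address space)
        "10.20.0.0/16",   # a peered VNet (assumed)
        "10.16.0.0/16",   # on-premises space advertised over the S2S VPN (assumed)
    ],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    priority: int     # lower number is evaluated first
    name: str
    source: str       # CIDR or service tag
    destination: str  # CIDR or service tag
    action: str       # "Allow" or "Deny"


# Azure's default inbound rules; custom rules (priority 100-4096) sit in front of them.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "Any", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "Any", "Deny"),
]

# The two custom rules from the question, in the order they were created.
POSTER_RULES = [
    Rule(200, "DENY_ALL", "VirtualNetwork", "VirtualNetwork", "Deny"),
    Rule(100, "Allow specific network", "10.16.0.0/24", "10.150.0.0/24", "Allow"),
]


def covers(prefix: str, addr: str) -> bool:
    """True if the CIDR or service tag `prefix` contains `addr`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in TAGS.get(prefix, [prefix]))


def evaluate(rules: list[Rule], src: str, dst: str) -> tuple[str, str]:
    """First match in ascending priority decides; returns (action, rule name)."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if covers(rule.source, src) and covers(rule.destination, dst):
            return rule.action, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


def effective_inbound(subnet_rules, nic_rules, src: str, dst: str) -> tuple[str, str]:
    """Inbound traffic passes the subnet NSG first, then the NIC NSG.

    A Deny at either layer is final. A layer with no NSG attached (None)
    allows everything. Returns (action, "<layer>:<deciding rule>").
    """
    decision = ("Allow", "nic:(no NSG attached)")
    for layer, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:
            decision = ("Allow", f"{layer}:(no NSG attached)")
            continue
        action, name = evaluate(rules, src, dst)
        decision = (action, f"{layer}:{name}")
        if action == "Deny":
            break
    return decision


if __name__ == "__main__":
    dst = "10.150.0.4"  # a VM in the subnet the poster wants to control
    for src in ("10.16.0.5", "10.16.1.5", "10.20.0.5", "203.0.113.7"):
        print(f"{src:>12} -> {dst}: {evaluate(POSTER_RULES, src, dst)}")
    # A second NSG on the NIC can deny what the subnet NSG allowed.
    nic_nsg = [Rule(100, "BlockOnPrem", "10.16.0.0/24", "Any", "Deny")]
    print(effective_inbound(POSTER_RULES, nic_nsg, "10.16.0.5", dst))
```

In this model the priority-100 rule admits a packet from 10.16.0.5, while 10.16.1.5 (on-premises, but outside the /24) and 10.20.0.5 (peered VNet) fall through to DENY_ALL at 200. A source the VirtualNetwork tag does not cover never reaches DENY_ALL and is dropped by the default DenyAllInBound instead. Rule order alone therefore does not explain a blocked 10.16.0.0/24 source, which is why the NIC NSG check and the Network Watcher effective security rules mentioned in the answers are the next things to look at.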
