NSG DenyInternetOutBound on VM with azure-ad MFA login

Guido Jeuken 71 Reputation points
2020-04-15T20:41:17.693+00:00

Hello, everyone,

we have three SQl servers in Azure and a VM to be used for SQL management.
The SQL servers are set up with Azure AD authentication, the SQL admins are forced to use MFA.
7334-2020-04-15-2.png
In the VM the SQL Server Management Studio is installed and the access works well.
Now I want to protect the VM with a NSG that prevents access to the internet.
I have created an NSG which is bound to the subnet
If I now make a DenyInternetOutBound rule, I can no longer access the SQL servers.The login does not work anymore, the login page does not appear.
AzureADAllow, AzureCloudAllow and SqlWestEuropeAllow roules are configured
7335-2020-04-15.png

Does anyone know how I can use denyinternet rule with ad login with MFA?

thanks
Guido

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,115 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,455 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vahid Ghafarpour 17,870 Reputation points
    2023-08-26T05:36:05.15+00:00

    In your case, you've created an NSG rule that denies outbound internet access. However, this might also inadvertently block necessary communication for your SQL Server. SQL Server Management Studio (SSMS) uses various protocols and ports for connectivity, and these rules might not be allowed by default in the NSG.

    0 comments