Inbound and Outbound NSG rules

asked 2020-05-28T15:30:45.39+00:00
Fuzzy Prototype 1 Reputation point

Hi, I am using the same NSG for 2 subnets. Subnet 1 has VM1, Subnet 2 has VM2. The VM2 to VM1 outbound rule is allowed by the default NSG rule. I have created a custom rule which denies packets from VM2 to VM1 over HTTP.

Here are the images from Network Watcher:

8823-vm2-to-vm1-outbound.png

8841-vm2-to-vm1-inbound-vm1-inbound.png

So, does VM2 send packets to VM1, and does VM1 accept the packets from VM2? Please help me understand this.

Azure Network Watcher
An Azure service that is used to monitor, diagnose, and gain insights into network performance and health.

2 answers

  1. answered 2020-05-28T18:25:36.86+00:00
    Birendra Singh 181 Reputation points

    No, I guess you made the rule Allowed HTTP 10.0.1.5 to 10.0.0.5 "Subnet"

    but traffic is blocked 10.0.0.5 to 10.0.1.5 "Subnet"

    The default rule might still be there on the 10.0.0.1 Subnet


  2. answered 2020-06-09T05:09:24.053+00:00
    TravisCragg-MSFT 5,626 Reputation points Microsoft Employee

    What you are seeing is correct, and let me explain why.

    NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without obstruction. NSGs will not end active TCP connections either.

    Based upon what you have shown above, VM2 can establish a TCP connection on port 80 with VM1, but VM1 cannot establish a TCP connection on port 80 with VM2. When broken down further: VM2 can view a website hosted on VM1, but VM1 cannot view a website hosted on VM2.

    If you would like to block traffic between the VMs, you will need to deny both inbound and outbound traffic between the VMs.

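A simplified model of the behaviour described in the second answer, added here as an illustration and not part of either answer or of Azure's own code: rules are checked only when a connection is set up, and replies on an established flow pass without a new lookup. The addresses, the rule priorities 100 and 110, the direction of the custom rule and the `SharedNsg` class are assumptions; flow timeouts are not modelled.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "priority direction access src dst port")  # port None = any

# Constructed addresses; which VM holds which address is an assumption.
VM1, VM2, VNET, ANY = "10.0.0.5", "10.0.1.5", "10.0.0.0/16", "0.0.0.0/0"
# Simplified stand-ins for the default rules (VirtualNetwork tag modelled as one CIDR).
DEFAULTS = [
    Rule(65000, "Inbound", "Allow", VNET, VNET, None),
    Rule(65500, "Inbound", "Deny", ANY, ANY, None),
    Rule(65000, "Outbound", "Allow", VNET, VNET, None),
    Rule(65500, "Outbound", "Deny", ANY, ANY, None),
]

def evaluate(rules, direction, src, dst, port):
    """Lowest priority number wins; the first matching rule decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.port in (None, port)
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)):
            return r.access
    return "Deny"

class SharedNsg:
    """One NSG attached to both subnets, with a table of established flows."""
    def __init__(self, custom=()):
        self.rules, self.flows = list(custom) + DEFAULTS, set()
    def connect(self, src, dst, port):
        """New connection: outbound check leaving src, inbound check arriving at dst."""
        ok = all(evaluate(self.rules, d, src, dst, port) == "Allow"
                 for d in ("Outbound", "Inbound"))
        if ok:
            self.flows.add((src, dst, port))
        return ok
    def reply_allowed(self, src, dst, port):
        """Return traffic on an established flow is not re-checked against the rules."""
        return (src, dst, port) in self.flows

def one_way():
    # Only VM1 -> VM2 on port 80 is denied; VM2 -> VM1 falls through to the defaults.
    nsg = SharedNsg([Rule(100, "Outbound", "Deny", VM1, VM2, 80)])
    return nsg.connect(VM2, VM1, 80), nsg.reply_allowed(VM2, VM1, 80), nsg.connect(VM1, VM2, 80)

def deny_added_later():
    nsg = SharedNsg()
    nsg.connect(VM2, VM1, 80)  # established under the default rules
    nsg.rules += [Rule(100, "Outbound", "Deny", VM1, VM2, 80),
                  Rule(110, "Inbound", "Deny", VM2, VM1, 80)]
    return nsg.reply_allowed(VM2, VM1, 80), nsg.connect(VM2, VM1, 80), nsg.connect(VM1, VM2, 80)
```

`one_way()` reproduces the one-directional result from the answer; `deny_added_later()` shows that denying both directions stops new connections either way while the flow opened earlier keeps its reply path.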