Question on NSG rule ->AllowInternetOutBound

kumar kaushal 176 Reputation points
2021-09-13T23:52:43.67+00:00

I have some questions on the NSG outbound rules below and need help.

65001 AllowInternetOutBound Any Any Any Internet Allow

65500 DenyAllOutBound Any Any Any Any Deny

a) 65001 says that if your source is 0.0.0.0/0 and you are sending a communication to the Internet, it should be allowed. Am I correct? The question I have here is: how does the machine decide that the traffic is indeed for the internet and that this outbound rule has to come into play? My understanding is that it checks the IP and says, hey, this does not belong to this subnet and it should be routed to the internet.

b) 65500: any port to any port, any source and destination, is denied.

Why I am asking this question is because:

I created 2 VMs, one in Central US and the other in West US, in different subnets and with the same NSG configuration, with port 80 allowed in the inbound rules. When I run Network Watcher IP flow verify for inbound between VM1 and VM2 on port 80 it is successful, as inbound is allowed.

But if I do an outbound check for source VM1 and source VM2 on port 80, it fails:

Access denied. Security rule: DenyAllOutBound

Question 2: If I have an Azure VM and I need to do a telnet or reach an application on an on-premises VM which is listening on port 80 ...

Do I have to allow port 80 in the outbound rules? What I am finding is that when I do a telnet <onpremiseVMname> 80 from the Azure VM I am able to connect. That tells me that it is going via the internet. Am I correct? AllowInternetOutBound is followed in this case.

I am just confused here: if I create 2 VMs in Azure in two different locations and then do an outbound test with Network Watcher IP flow verify on port 80, it fails; but if I do a telnet to my on-premises VM from the Azure VM, it connects to port 80. Why?

Tags: Azure Virtual Network, Azure Network Watcher

3 answers

  1. Devaraj G 2,091 Reputation points
    2021-09-14T03:54:49.29+00:00

    Hi,

    The NSGs in Azure are stateful, meaning that if you open an incoming port, the outgoing port will be opened automatically to allow the traffic when needed. The default rules in a Network Security Group allow outbound access, and inbound access is denied by default.

    I guess the IP flow is failing due to destinationAddressPrefix. The rule denies the outbound communication to your IP (x.x) because the address is not within the destinationAddressPrefix of any of the other default outbound rules to the internet, but telnet seems to accept it.

    To isolate this issue, you could add a security rule with a higher priority that allows outbound traffic to port 80 at a specific IP and try the IP flow again.

  2. suvasara-MSFT 10,001 Reputation points
    2021-09-14T04:59:04.57+00:00

    @kumar kaushal, in Azure, NSGs are proactive in learning to-and-fro flows. You may not create two security rules with the same priority and direction. A flow record is created for existing connections.
    Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful.
    If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.

    Do provide a screenshot of your NSG rules for better insights. Also, there should not be any issue with traffic flows if you have an NSG like the one specified below:

    [screenshot 131780-image.png not preserved]

    Note: make sure you have this rule unaltered in the outbound rule section:

    65001 AllowInternetOutBound Any Any Any Internet Allow

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  3. kumar kaushal 176 Reputation points
    2021-09-14T07:01:00.18+00:00

    Thank you @suvasara-MSFT and @Devaraj G ....

    If I read the article below from Microsoft:

    https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

    It clearly says that unless you specify a deny for port 80, it is allowed by AllowInternetOutBound. And I see that if I do a telnet www.google.com 80 it makes a connection.

    Outbound traffic
    For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

    VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied, and never evaluated by NSG1. To deny port 80 from the virtual machine, either, or both of the network security groups must have a rule that denies port 80 to the internet.
    VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. The rules in NSG1 are processed.
    VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group is not associated to Subnet2.
    VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.

    So the question i have here is :

    1) How does the machine decide that, yes, I need to make a connection on port 80, I have to go over the internet, and I have to make use of the rule AllowInternetOutBound?
    2) When I create VMs in two different subnets in 2 different regions, why does telnet not work? When I create VMs in 2 different regions and there is no connectivity between them, does it not imply that any communication I want to make between the machines will go over the internet?
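The evaluation order quoted from the documentation above (NIC-level NSG first, then subnet-level NSG; within an NSG, rules by ascending priority, first match wins; the three default outbound rules always present) can be checked with a small simulator. The following Python block is an added illustration written for this page, not Azure code and not part of any answer in the thread. It assumes a constructed VNet address space of 10.0.0.0/16 and models the Internet service tag as public address space outside that VNet, so that a private address in an unpeered VNet falls through to DenyAllOutBound while a public address matches AllowInternetOutBound; that mapping of the Internet tag is this example's assumption and should be checked against the service-tag documentation for your deployment. The rule names, sample addresses (203.0.113.10 is a documentation address) and the DenyWeb/AllowWeb rules are constructed for the example.

```python
"""Model of Azure NSG outbound rule evaluation (added illustration, not Azure code).

Order: NIC-level NSG first, then subnet-level NSG; within an NSG, rules are
tried by ascending priority and the first match decides. The three default
outbound rules (65000/65001/65500) are appended to every NSG, as Azure does.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample address space for "this" VNet (assumption, not from the thread).
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
# RFC 1918 and CGNAT space; used to decide what the 'Internet' tag does NOT cover.
PRIVATE_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str       # CIDR, service tag, or "Any"
    source_port: str  # "Any", "80", "80-443", or "80,443"
    dest: str
    dest_port: str
    action: str       # "Allow" or "Deny"


DEFAULT_OUTBOUND = [
    Rule(65000, "AllowVnetOutBound", "VirtualNetwork", "Any", "VirtualNetwork", "Any", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Any", "Any", "Internet", "Any", "Allow"),
    Rule(65500, "DenyAllOutBound", "Any", "Any", "Any", "Any", "Deny"),
]


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def match_address(spec, ip):
    """Does address `ip` fall under a rule prefix or service tag?"""
    if spec in ("Any", "*", "0.0.0.0/0"):
        return True
    if spec == "VirtualNetwork":
        return _in_any(ip, VNET_PREFIXES)
    if spec == "Internet":
        # ASSUMPTION: the Internet tag is modelled as public address space outside
        # this VNet, so a private address in an unpeered VNet does not match it.
        return not _in_any(ip, VNET_PREFIXES) and not _in_any(ip, PRIVATE_PREFIXES)
    return ip in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port):
    """Port spec: "Any", a single port, a range "a-b", or a comma-separated list."""
    if spec in ("Any", "*"):
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate_nsg(custom_rules, src, sport, dst, dport):
    """First matching rule by ascending priority decides. Pass custom rules only;
    the defaults are added here, and DenyAllOutBound guarantees a match."""
    for r in sorted(list(custom_rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if (match_address(r.source, src) and match_port(r.source_port, sport)
                and match_address(r.dest, dst) and match_port(r.dest_port, dport)):
            return r.action, r.name
    raise AssertionError("unreachable: DenyAllOutBound matches everything")


def outbound_verdict(nic_rules, subnet_rules, src, dst, dport, sport=49152):
    """NIC NSG first; a Deny there ends processing before the subnet NSG is seen.
    None for a level means no NSG is associated there. Returns (action, rule name)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = ("Allow", "no NSG")
    for rules in (nic_rules, subnet_rules):
        if rules is None:
            continue
        verdict = evaluate_nsg(rules, src, sport, dst, dport)
        if verdict[0] == "Deny":
            break
    return verdict


if __name__ == "__main__":
    vm = "10.0.0.4"
    print(outbound_verdict([], None, vm, "203.0.113.10", 80))   # public IP: AllowInternetOutBound
    print(outbound_verdict([], None, vm, "10.0.1.5", 80))       # same VNet: AllowVnetOutBound
    print(outbound_verdict([], None, vm, "10.1.0.4", 80))       # unpeered private IP: DenyAllOutBound
    deny_web = [Rule(100, "DenyWeb", "Any", "Any", "Internet", "80", "Deny")]
    print(outbound_verdict(deny_web, [], vm, "203.0.113.10", 80))  # NIC deny wins, subnet never seen
```

The third call is the case a practitioner should try in IP flow verify: the same flow to the other VM's public IP and to its private IP give different verdicts under this model, and the rule name in the output matches the "Security rule" field that Network Watcher reports.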