Network Rule for access without VPN

Mihiran Priyankara 40 Reputation points
2025-10-11T23:05:02.8333333+00:00

I am facing an issue with accessing my Azure-hosted application. Here are the details:

I have created an application on an Azure VM.

The VM has the following IP addresses:

Public IP: x.x.x.x

Private IP: 10.10.1.7

I have mapped my DNS to the public IP (x.x.x.x).

Inbound network rules on the VM’s Network Security Group (NSG) with ASG are configured as shown below:

[Image]

What I have verified so far:

Using nslookup, the DNS resolves correctly to the public IP.

Despite this, the application is only accessible when connected via VPN. Access from outside the VPN does not work.

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

Answer accepted by question author
  1. Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator
    2025-10-13T04:54:01.1866667+00:00

    Hi Mihiran Priyankara,

    Welcome to Microsoft Q&A and thank you for posting your query here!

    If your Azure-hosted application is only accessible from within your VPN, but not from public networks, even though DNS resolves correctly, it's likely due to how your Network Security Group (NSG) rules are set. Here’s how you can fix it and safely enable public access:

    Step 1: Check If the Application Runs as Expected:

    • First, ensure the app itself is running on the Azure VM and listening on the right port.
    • Log in to the VM and open a browser or relevant client, then try localhost:PORT (replace PORT with what your application uses, like 80 or 443).
    • If it works locally, move to network rule checks.

    Refer: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/troubleshoot-app-connection

    Step 2: Review Your NSG Rules:

    • In the Azure Portal, go to your VM and select the “Networking” blade.
    • Find the attached Network Security Group (NSG).
    • Look at the Inbound Rules: Is there an “Allow” rule for your application port (for example, 80/443) that allows source “Any” or the public IPs you want? Or does it only allow your private network/subnet or VPN’s address space?
    • If there’s no rule that allows external sources, public users can’t reach the VM—hence, VPN-only access.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/troubleshoot-vm-connectivity

    Step 3: Add or Adjust an Inbound Rule for Public Access:

    • In your NSG’s “Inbound security rules,” click Add:
      • Source: Any (for full public access), or restrict this to known safe IP ranges.
      • Source port ranges: *
      • Destination: The virtual machine or NIC.
      • Destination port ranges: Your app’s listening port (e.g., 80, 443).
      • Protocol: TCP.
      • Action: Allow.
      • Priority: Lower than any generic deny rule but higher than less-specific rules (e.g., 100-400).
    • Save and apply the rule.

    Step 4: Check for Conflicting Deny Rules:

    • NSG rules are processed in order of priority (lowest first).
    • Make sure no higher-priority “Deny” rules block public access to your app’s port before your new rule is evaluated.

    Step 5: Confirm the VM’s Public IP Setup:

    • In the VM’s “Overview” blade, verify it’s assigned the correct public IP.
    • Double-check that your DNS is mapped to this public IP, which you confirmed with nslookup.

    Step 6: Use Azure Network Watcher (Recommended):

    • Open Network Watcher and use the “IP Flow Verify” tool to simulate and check if your NSG rules permit traffic from the public internet to your VM on the application port: Diagnose network security rules.
    • This can quickly show if your NSG is blocking or allowing the necessary traffic.

    Step 7: Test from an Outside Network:

    • After changing your NSG, try accessing the application from a public internet connection (not VPN) to confirm that it works.

    For security, only allow the required ports, and whenever possible, restrict public access to trusted IP addresses instead of Any.

    Hope this helps! If you have any questions, please feel free to ask.

    If the provided information answers your query, do click "Upvote" and "Accept Answer"; it will help others who might be facing similar challenges.

    Thanks,

    Harish.

    1 person found this answer helpful.
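
Steps 3, 4 and 6 of the answer above all depend on how an NSG picks the first matching inbound rule; the following is an added example, not part of the original answer and not Azure code, that models that evaluation in Python. It reduces a rule to source and destination port only, and the VNet range 10.10.0.0/16, the VPN client pool 172.16.201.0/24, the trusted range 203.0.113.0/24 and every rule name except the two Azure default rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address space: a VNet containing 10.10.1.7 plus a VPN client pool.
VNET_AND_VPN = ("10.10.0.0/16", "172.16.201.0/24")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first
    sources: tuple     # CIDR strings, or ("*",) for Any
    port: object       # int, or "*" for any destination port
    action: str        # "Allow" or "Deny"

    def matches(self, src_ip, dst_port):
        src = ipaddress.ip_address(src_ip)
        src_ok = "*" in self.sources or any(
            src in ipaddress.ip_network(cidr) for cidr in self.sources)
        return src_ok and self.port in ("*", dst_port)

# Default inbound rules every NSG carries (the AzureLoadBalancer rule is omitted).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, VNET_AND_VPN, "*", "Allow"),
    Rule("DenyAllInBound", 65500, ("*",), "*", "Deny"),
]

def evaluate_inbound(custom_rules, src_ip, dst_port):
    """Return (action, rule_name) of the first match in ascending priority order."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")

# NSG that produces the VPN-only symptom: 443 is allowed from private ranges only.
vpn_only = [Rule("Allow-HTTPS-Internal", 200, VNET_AND_VPN, 443, "Allow")]
# Step 3 fix, scoped to a trusted public range instead of Any.
fixed = vpn_only + [Rule("Allow-HTTPS-Trusted", 300, ("203.0.113.0/24",), 443, "Allow")]
# Step 4 pitfall: a Deny with a lower priority number is evaluated before the Allow.
shadowed = fixed + [Rule("Deny-Internet-Web", 150, ("*",), 443, "Deny")]

if __name__ == "__main__":
    for label, rules in (("vpn_only", vpn_only), ("fixed", fixed), ("shadowed", shadowed)):
        for src in ("172.16.201.10", "203.0.113.25", "198.51.100.9"):
            print(label, src, evaluate_inbound(rules, src, 443))
```

The rule name returned for a denied flow is the thing to look for in Network Watcher's IP Flow Verify output: `DenyAllInBound` means no allow rule covers the source, while a custom deny name means a conflicting rule is evaluated first.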