DavidBeitler-2519 asked

Flow log oddity when a NIC has an Nsg, and is in a subnet with an Nsg

Trying to understand what should show up in my storage account regarding NSG rules and flow logs. It was my understanding that if you have a VM with a NIC-attached NSG that is in a subnet with a subnet-attached NSG, both rule sets apply. This does appear to be the case. Each NSG has flow logs turned on. But it seems that what they report is not as complete as I believe it should be.

Example:
The subnet rule set allows RDP, so does the NIC subnet. I would expect a flow log entry in each separate flow log. But that does not appear to be the case. The NIC flow log does not report on the RDP connections.
If I change the NIC subnet to block RDP and attempt to connect, the connection is blocked, and the NIC NSG does show the block, but that is all.
It almost looks like if something is approved by the subnet NSG, the NIC NSG does not log it.
I see a lot of entries for the last hour in the subnet NSG that relate to a particular server. I see nothing in the NIC NSG except the RDP deny test.

Generally I prefer all my NSGs to be subnet, but have a couple of items that require one at the NIC level.

azure-virtual-network

@DavidBeitler-2519 Can you share a screenshot of how your rules are configured in the NIC NSG as well as the Subnet NSG for a specific traffic ex: RDP that you tested with?

0 Votes 0 ·

Can't share a screenshot.
But here is a rule that exists in both the Subnet and NIC NSGs:

Priority  Name         Port  Protocol  Source  Destination  Action
120       Allow2Squid  3128  TCP       Any     10.3.4.4     Allow

But I only see related logs in the Subnet flow log.
The only logged traffic I see in the NIC NSG logs is for a deny rule I have in place, blocking outbound 80,443 TCP to the Internet.

Another example is that both the Subnet and NSG allow 443/TCP out to AzureCloud. But it is only logged in the Subnet NSG flow log.

0 Votes 0 ·

Added a rule to the end of the Outbound set for the NIC NSG, blocking RDP.
That showed up in the NIC-related flow log.
It's almost as though, at least for the outbound set, the "packet" does not get logged until it passes through both NSGs, and if it matches anything in the subnet rule, that is where it gets logged.

0 Votes 0 ·

One last example:
In the Subnet NSG, I have an Inbound rule that allows access from another subnet to port 8500.
The exact same Inbound rule exists in the NIC NSG.
If I run a test connection, the Subnet NSG records the attempt, but the NIC one does not.
If I change the NIC NSG rule to a Deny, the Subnet NSG (which still says Allow) does not record it, but the NIC NSG does.

I presume there is a reason for this behavior. I would at least like to understand it.

0 Votes 0 ·

1 Answer

SaiKishor-MSFT answered

@DavidBeitler-2519 As per Network Security Group Flow Logging behavior, this is expected and by design, i.e.:

Note: Rules are of two types - terminating & non-terminating, each with different logging behaviors.
NSG Deny rules are terminating. The NSG denying the traffic will log it in Flow logs and processing in this case would stop after any NSG denies traffic.
NSG Allow rules are non-terminating, which means even if one NSG allows it, processing will continue to the next NSG. The last NSG allowing traffic will log the traffic to Flow logs.

Hope this helps. Please let us know if you have further questions/concerns. Thank you!
Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
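An added example, not code from the question, the answer or Azure itself, that models the logging rule the answer states: a Deny match is terminating and is logged by the NSG that denied; an Allow match is non-terminating, evaluation continues to the next NSG, and the last NSG that allowed the flow writes the flow-log record. It assumes the evaluation order is subnet NSG then NIC NSG for inbound and NIC NSG then subnet NSG for outbound (the page does not state this order), assumes a catch-all deny standing in for the platform default rules, and constructs every rule, address and NSG name except Allow2Squid, port 3128 and 10.3.4.4, which come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical model of two NSGs (subnet and NIC) evaluating one flow and
# deciding which of them writes the flow-log record. Not Azure's own code.

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    port: str          # destination port, a range "lo-hi", or "*" / "Any"
    protocol: str      # "TCP", "UDP", or "*" / "Any"
    source: str        # "Any", a single IP, or a CIDR
    destination: str   # "Any", a single IP, or a CIDR
    action: str        # "Allow" or "Deny"

@dataclass(frozen=True)
class Flow:
    source_ip: str
    dest_ip: str
    dest_port: int
    protocol: str

@dataclass
class Nsg:
    name: str
    rules: List[Rule]

# Assumed stand-in for the platform default rules: matches when nothing else does.
DEFAULT_DENY = Rule(65500, "DenyAll", "*", "*", "Any", "Any", "Deny")

def _addr_matches(spec: str, ip: str) -> bool:
    if spec in ("Any", "*"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec in ("Any", "*"):
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_port_matches(rule.port, flow.dest_port)
            and rule.protocol in ("Any", "*", flow.protocol)
            and _addr_matches(rule.source, flow.source_ip)
            and _addr_matches(rule.destination, flow.dest_ip))

def evaluate(nsg: Nsg, flow: Flow) -> Rule:
    """First matching rule in priority order (lowest number wins)."""
    for rule in sorted(nsg.rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule
    return DEFAULT_DENY

def process_flow(direction: str, subnet_nsg: Nsg, nic_nsg: Nsg, flow: Flow) -> Tuple[str, str, str]:
    """Return (decision, name of the NSG that logs the flow, matched rule name)."""
    # Assumed order: inbound hits the subnet NSG first, outbound hits the NIC NSG first.
    chain = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    logged_by, matched = "", ""
    for nsg in chain:
        rule = evaluate(nsg, flow)
        if rule.action == "Deny":
            # Terminating: this NSG logs the deny; the other NSG never sees the flow.
            return ("Deny", nsg.name, rule.name)
        # Non-terminating: remember who allowed it, keep going; the last allow logs.
        logged_by, matched = nsg.name, rule.name
    return ("Allow", logged_by, matched)

def scenarios() -> Dict[str, Tuple[str, str, str]]:
    """Constructed rule sets mirroring the thread's cases; returns the log owner per case."""
    allow_squid = Rule(120, "Allow2Squid", "3128", "TCP", "Any", "10.3.4.4", "Allow")
    deny_rdp = Rule(4000, "DenyRDPOut", "3389", "TCP", "Any", "Any", "Deny")
    allow_8500 = Rule(200, "Allow8500", "8500", "TCP", "10.3.5.0/24", "Any", "Allow")
    deny_8500 = Rule(200, "Deny8500", "8500", "TCP", "10.3.5.0/24", "Any", "Deny")

    subnet_out, nic_out = Nsg("subnet-nsg", [allow_squid]), Nsg("nic-nsg", [allow_squid, deny_rdp])
    subnet_in, nic_in_allow = Nsg("subnet-nsg", [allow_8500]), Nsg("nic-nsg", [allow_8500])
    nic_in_deny = Nsg("nic-nsg", [deny_8500])

    squid = Flow("10.3.5.10", "10.3.4.4", 3128, "TCP")
    rdp = Flow("10.3.5.10", "10.3.4.4", 3389, "TCP")
    svc = Flow("10.3.5.10", "10.3.4.4", 8500, "TCP")
    return {
        "squid_outbound_both_allow": process_flow("Outbound", subnet_out, nic_out, squid),
        "rdp_outbound_nic_deny": process_flow("Outbound", subnet_out, nic_out, rdp),
        "8500_inbound_both_allow": process_flow("Inbound", subnet_in, nic_in_allow, svc),
        "8500_inbound_nic_deny": process_flow("Inbound", subnet_in, nic_in_deny, svc),
        "unmatched_inbound": process_flow("Inbound", subnet_in, nic_in_allow, rdp),
    }

if __name__ == "__main__":
    for case, (decision, logger, rule) in scenarios().items():
        print(f"{case}: {decision} logged by {logger} via {rule}")
```

Under this model an outbound flow allowed by both NSGs is logged only by the subnet NSG, and a NIC-side deny is logged only by the NIC NSG, which is what the question reports; an inbound flow allowed by both would be logged by the NIC NSG, so a subnet-side record for that case points at the evaluation order or the flow-log configuration rather than at the Allow/Deny rule itself.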


"The last NSG allowing traffic will log the traffic to Flow logs"

Thanks, that is what I suspected, just wanted it confirmed.

1 Vote 1 ·

Having said that, I do see a difference for inbound traffic. In that case, if the inbound traffic is allowed by both, then the subnet NSG still logs the traffic.
So what I see is this:
If both subnet and NIC NSGs exist, traffic will only show up in the subnet flow logs, regardless of inbound or outbound. Only if the traffic is denied in the NIC NSG will it get logged in the NIC flow logs, regardless of direction.

0 Votes 0 ·

I need to look at what is going on in this environment more closely. I have another environment where it seems to be working as advertised, where both inbound and outbound logs show what they are supposed to. The last NSG is where the traffic is logged. I can see why it is not recommended to have both types of NSGs.

0 Votes 0 ·

@DavidBeitler-2519 Glad you got this figured out. Please let us know if you have other questions or concerns. Thank you!

0 Votes 0 ·