Flow log oddity when a NIC has an NSG and is in a subnet with an NSG

David Beitler 31 Reputation points
2021-10-21T20:04:14.917+00:00

Trying to understand what should show up in my storage account regarding NSG rules and flow logs. It was my understanding that if you have a VM with a NIC-attached NSG that is in a subnet with a subnet-attached NSG, both rulesets apply. This does appear to be the case. Each NSG has flow logs turned on. But it seems that what they report is not as complete as I believe it should be.

Example:
The subnet rule set allows RDP, so does the NIC subnet. I would expect a flow log entry in each separate flow log. But that does not appear to be the case. The NIC flow log does not report on the RDP connections.
If I change the NIC subnet to block RDP and attempt to connect, the connection is blocked, and the NIC NSG does show the block, but that is all.
It almost looks like if something is approved by the subnet NSG, the NIC NSG does not log it.
I see a lot of entries for the last hour in the subnet NSG that relate to a particular server. I see nothing in the NIC NSG except the RDP deny test.

Generally I prefer all my NSGs to be subnet, but have a couple of items that require one at the NIC level.

Azure Virtual Network

1 answer

  1. SaiKishor-MSFT 17,196 Reputation points
    2021-10-28T06:06:49.143+00:00

    @David Beitler As per Network Security Group Flow Logging behavior, this is expected and by design, i.e.:

    Note: Rules are of two types - terminating & non-terminating, each with different logging behaviors.
    NSG Deny rules are terminating. The NSG denying the traffic will log it in Flow logs and processing in this case would stop after any NSG denies traffic.
    NSG Allow rules are non-terminating, which means even if one NSG allows it, processing will continue to the next NSG. The last NSG allowing traffic will log the traffic to Flow logs.

    Hope this helps. Please let us know if you have further questions/concerns. Thank you!
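To make the quoted logging rule concrete, here is an added Python simulation (not Azure code, and not from the question or the answer) of how two chained NSGs decide and log one flow under that rule: a deny is logged by the denying NSG and stops processing, while an allow only produces a record at the last NSG that allows the flow. The NSG names, rules and the chain order are constructed assumptions for illustration; the order is not a claim about Azure's real evaluation sequence.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    priority: int
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "Allow" or "Deny"

@dataclass
class Nsg:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def decide(self, dst_port: int) -> str:
        # First matching rule by ascending priority wins; no match falls through
        # to a default deny (standing in for the built-in DenyAllInbound rule).
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.dst_port is None or rule.dst_port == dst_port:
                return rule.action
        return "Deny"

def evaluate(dst_port: int, chain: List[Nsg]) -> Tuple[str, Dict[str, str]]:
    """Walk the NSG chain and return (final decision, {nsg name: logged action}).

    The chain order is a constructed assumption for this example; the logging
    rule is the one quoted in the answer."""
    logs: Dict[str, str] = {}
    last_allowing: Optional[Nsg] = None
    for nsg in chain:
        action = nsg.decide(dst_port)
        if action == "Deny":
            logs[nsg.name] = "Deny"  # terminating: this NSG logs, nothing later runs
            return "Deny", logs
        last_allowing = nsg          # non-terminating: continue to the next NSG
    assert last_allowing is not None, "chain must contain at least one NSG"
    logs[last_allowing.name] = "Allow"  # only the last allowing NSG writes a record
    return "Allow", logs

# Constructed sample NSGs mirroring the question: both allow RDP (3389), then the
# NIC NSG is changed to deny it.
SUBNET_NSG = Nsg("subnet-nsg", [Rule(100, 3389, "Allow")])
NIC_NSG_ALLOW = Nsg("nic-nsg", [Rule(100, 3389, "Allow")])
NIC_NSG_DENY = Nsg("nic-nsg", [Rule(100, 3389, "Deny")])

if __name__ == "__main__":
    print(evaluate(3389, [SUBNET_NSG, NIC_NSG_ALLOW]))  # allow, a single log record
    print(evaluate(3389, [SUBNET_NSG, NIC_NSG_DENY]))   # deny, logged by nic-nsg only
    print(evaluate(22, [SUBNET_NSG, NIC_NSG_ALLOW]))    # deny at subnet-nsg, nic-nsg never runs
```

Swapping the chain order moves the single allow record to whichever NSG comes last, which is why only one of the two flow logs ever shows an allowed flow.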