vnet to vnet NSG entry

grajee 346 Reputation points


I setup Azure Databricks on my subscription and it is working. However, I'm trying to understand networking aspects of it better. Below is a screenshot of the NSG and I have a question.

For the Inbound Security Rules, the 100 row has source and destination has VirtualNetwork. Does this mean an inbound connectivity from a VNet that is from a foreign subscription is also allowed? Or is the VirtualNetwork to VirtualNetwork only from vnets within the subscription?



Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,250 questions
Azure Databricks
Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
2,031 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andreas Baumgarten 100.8K Reputation points MVP

    Hi @grajee ,

    in NSG Security Rules the VirtualNetwork is a service tag. The definition of this service tag and the scope of VirtualNetwork is explained here:

    The virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. This tag might also contain default routes.

    If you have a defined VNet peering with another foreign subscription this foreign vNet is in scope of the NSG service tag VirtualNetwork. It doesn't matter if the VNet is part of the own or foreign subscription as long it is defined/configured. Even on-premises network IP ranges can be part or the VirtualNetwork if they are connected.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Andreas Baumgarten

    1 person found this answer helpful.