Doubt regardint these two default rules: AllowInternetOutBound and DenyAllOutBound

Question

Doubt regardint these two default rules: AllowInternetOutBound and DenyAllOutBound

Ariel Gonzalez 96

If my understanding is correct the first rule (AllowInternetOutBound) is the one that lets my internal resources communicate out to the internet. If the internet is pretty much anything out there and AllowVnetOutBound is allowing me to connect inside my Vnet, what is the second rule denying (DenyAllOutBound)? Is it non-routable addresses like link-local, multicast, etc?

Accepted answer

0 additional answers

Your answer

Answer 1

Tchimwa Sougang 946 Microsoft Employee

Hi @Ariel Gonzalez and thanks for your question. DenyAllOutBound means Denying all communication out to anywhere. So when that rule is hit, all outbound communication is actually blocked (it doesn't matter if the destination here is VNET or Internet, it will be blocked). That's why this is always the last rule with the highest priority. All rules rules created with lower priority will be hit before this one.

----------

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules

Ariel Gonzalez 96 Reputation points

2022-07-07T19:54:27.547+00:00

Hello @Tchimwa Sougang ,

Thank you for your answer, what could be an example of outbound traffic that doesn't match the first allow rules (VNET and Internet)?
Tchimwa Sougang 946 Reputation points Microsoft Employee

2022-07-07T22:40:29.567+00:00

@Ariel Gonzalez That will be traffic going to another VNET beside of your current VNET or going to specific location like your network on-premises if you're using VPN. It is all the traffic with a destination other than within the VNET or Internet.

Please do not forget to "Accept the answer" if it provide you with the information you needed.

Share via

Doubt regardint these two default rules: AllowInternetOutBound and DenyAllOutBound

0 additional answers

Your answer