Diagnose network security rules
You can use network security groups to filter and control inbound and outbound network traffic to and from your Azure resources. You can also use Azure Virtual Network Manager to apply admin security rules to your Azure resources to control network traffic.
In this article, you learn how to use Azure Network Watcher NSG diagnostics to check and troubleshoot security rules applied to your Azure traffic. NSG diagnostics checks if the traffic is allowed or denied by applied security rules.
The example in this article shows you how a misconfigured network security group can prevent you from using Azure Bastion to connect to a virtual machine.
Create a virtual network and a Bastion host
In this section, you create a virtual network with two subnets and an Azure Bastion host. The first subnet is used for the virtual machine, and the second subnet is used for the Bastion host. You also create a network security group and apply it to the first subnet.
In the search box at the top of the portal, enter virtual networks. Select Virtual networks in the search results.
Select + Create. In Create virtual network, enter or select the following values in the Basics tab:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select Create new. Enter myResourceGroup in Name. Select OK. Instance details Virtual network name Enter myVNet. Region Select (US) East US.
Select the Security tab, or select the Next button at the bottom of the page.
Under Azure Bastion, select Enable Azure Bastion and accept the default values:
Setting Value Azure Bastion host name myVNet-Bastion. Azure Bastion public IP Address (New) myVNet-bastion-publicIpAddress.
Select the IP Addresses tab, or select Next button at the bottom of the page.
Accept the default IP address space 10.0.0.0/16 and edit the default subnet by selecting the pencil icon. In the Edit subnet page, enter the following values:
Setting Value Subnet details Name Enter mySubnet. Security Network security group Select Create new. Enter mySubnet-nsg in Name. Select OK.
Select the Review + create.
Review the settings, and then select Create.
Hourly pricing starts from the moment Bastion host is deployed, regardless of outbound data usage. For more information, see Pricing. We recommend that you delete this resource once you've finished using it.
Create a virtual machine
In this section, you create a virtual machine and a network security group applied to its network interface.
In the search box at the top of the portal, enter virtual machines. Select Virtual machines in the search results.
Select + Create and then select Azure virtual machine.
In Create a virtual machine, enter or select the following values in the Basics tab:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select myResourceGroup. Instance details Virtual machine name Enter myVM. Region Select (US) East US. Availability Options Select No infrastructure redundancy required. Security type Select Standard. Image Select Windows Server 2022 Datacenter: Azure Edition - x64 Gen2. Size Choose a size or leave the default setting. Administrator account Username Enter a username. Password Enter a password. Confirm password Reenter password.
Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select the following values:
Setting Value Network interface Virtual network Select myVNet. Subnet Select default. Public IP Select None. NIC network security group Select Basic. Public inbound ports Select None.
Select Review + create.
Review the settings, and then select Create.
Add a security rule to the network security group
In this section, you add a security rule to the network security group associated with the network interface of myVM. The rule denies any inbound traffic from the virtual network.
In the search box at the top of the portal, enter network security groups. Select Network security groups in the search results.
From the list of network security groups, select myVM-nsg.
Under Settings, select Inbound security rules.
Select + Add. In the Networking tab, enter or select the following values:
Setting Value Source Select Service Tag. Source service tag Select VirtualNetwork. Source port ranges Enter *. Destination Select Any. Service Select Custom. Destination port ranges Enter *. Protocol Select Any. Action Select Deny. Priority Enter 1000. Name Enter DenyVnetInBound.
The VirtualNetwork service tag represents the address space of the virtual network, all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. For more information, see Service tags.
Check security rules applied to a virtual machine traffic
Use NSG diagnostics to check the security rules applied to the traffic originated from the Bastion subnet to the virtual machine.
In the search box at the top of the portal, search for and select Network Watcher.
Under Network diagnostic tools, select NSG diagnostics.
On the NSG diagnostics page, enter or select the following values:
Setting Value Target resource Target resource type Select Virtual machine. Virtual machine Select myVM virtual machine. Traffic details Protocol Select TCP. Other available options are: Any, UDP and ICMP. Direction Select Inbound. Other available option is: Outbound. Source type Select IPv4 address/CIDR. Other available option is: Service Tag. IPv4 address/CIDR Enter 10.0.1.0/26, which is the IP address range of the Bastion subnet. Acceptable values are: single IP address, multiple IP addresses, single IP prefix, multiple IP prefixes. Destination IP address Leave the default of 10.0.0.4, which is the IP address of myVM. Destination port Enter * to include all ports.
Select Run NSG diagnostics to run the test. Once NSG diagnostics completes checking all security rules, it displays the result.
The result shows that there are three security rules assessed for the inbound connection from the Bastion subnet:
- GlobalRules: this security admin rule is applied at the virtual network level using Azure Virtual Network Manage. The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
- mySubnet-nsg: this network security group is applied at the subnet level (subnet of the virtual machine). The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
- myVM-nsg: this network security group is applied at the network interface (NIC) level. The rule denies inbound TCP traffic from the Bastion subnet to the virtual machine.
Select View details of myVM-nsg to see details about the security rules that this network security group has and which rule is denying the traffic.
In myVM-nsg network security group, the security rule DenyVnetInBound denies any traffic coming from the address space of VirtualNetwork service tag to the virtual machine. The Bastion host uses IP addresses from the address range: 10.0.1.0/26, which is included in VirtualNetwork service tag, to connect to the virtual machine. Therefore, the connection from the Bastion host is denied by the DenyVnetInBound security rule.
Add a security rule to allow traffic from the Bastion subnet
To connect to myVM using Azure Bastion, traffic from the Bastion subnet must be allowed by the network security group. To allow traffic from 10.0.1.0/26, add a security rule with a higher priority (lower priority number) than DenyVnetInBound rule or edit the DenyVnetInBound rule to allow traffic from the Bastion subnet.
You can add the security rule to the network security group from the Network Watcher page that showed you the details about the security rule denying the traffic to the virtual machine.
To add the security rule from within Network Watcher, select + Add security rule, and then enter or select the following values:
Setting Value Source Select IP Addresses. Source IP addresses/CIDR ranges Enter 10.0.1.0/26, which is the IP address range of the Bastion subnet. Source port ranges Enter *. Destination Select Any. Service Select Custom. Destination port ranges Enter *. Protocol Select Any. Action Select Allow. Priority Enter 900, which is higher priority than 1000 used for DenyVnetInBound rule. Name Enter AllowBastionConnections.
Select Recheck to run the diagnostic session again. The diagnostic session should now show that the traffic from the Bastion subnet is allowed.
The security rule AllowBastionConnections allows the traffic from any IP address in 10.0.1.0/26 to the virtual machine. Because the Bastion host uses IP addresses from 10.0.1.0/26, its connection to the virtual machine is allowed by the AllowBastionConnections security rule.
Clean up resources
When no longer needed, delete the resource group and all of the resources it contains:
In the search box at the top of the portal, enter myResourceGroup. Select myResourceGroup from the search results.
Select Delete resource group.
In Delete a resource group, enter myResourceGroup, and then select Delete.
Select Delete to confirm the deletion of the resource group and all its resources.
- To learn about other Network Watcher tools, see What is Azure Network Watcher?
- To learn how to troubleshoot virtual machine routing problems, see Diagnose a virtual machine network routing problem.