Azure Network Security Groups not working? (attached to subnet)
I am trying to secure some subnets in a virtual network.
I have Virtual Network 1 with Subnets A, B, C.
I have a VM in each subnet with default endpoints (RDP and WinRM).
I used the following commands to create and attach the Network Security Group to subnet C:
# Classic (ASM) NSG for subnet C of virtual network '1'
$SGName = 'SecurityGroupC'
$Location = 'West US'
$VirtualNetwork = '1'
$Subnet = 'C'
# Create the NSG, then associate it with the subnet
New-AzureNetworkSecurityGroup -Name $SGName -Location $Location -Label $SGName
Get-AzureNetworkSecurityGroup -Name $SGName | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $VirtualNetwork -SubnetName $Subnet
I can see the default rules by running:
Get-AzureNetworkSecurityGroup -Name $SGName -Detailed
Which shows the expected default rules:
Name : SecurityGroupC
Rules :

Type: Inbound
Name                              Priority Action Source Address Prefix Source Port Range Destination Address Prefix Destination Port Range Protocol
----                              -------- ------ --------------------- ----------------- -------------------------- ---------------------- --------
ALLOW VNET INBOUND                65000    Allow  VIRTUAL_NETWORK       *                 VIRTUAL_NETWORK            *                      *
ALLOW AZURE LOAD BALANCER INBOUND 65001    Allow  AZURE_LOADBALANCER    *                 *                          *                      *
DENY ALL INBOUND                  65500    Deny   *                     *                 *                          *                      *

Type: Outbound
Name                              Priority Action Source Address Prefix Source Port Range Destination Address Prefix Destination Port Range Protocol
----                              -------- ------ --------------------- ----------------- -------------------------- ---------------------- --------
ALLOW VNET OUTBOUND               65000    Allow  VIRTUAL_NETWORK       *                 VIRTUAL_NETWORK            *                      *
ALLOW INTERNET OUTBOUND           65001    Allow  *                     *                 INTERNET                   *                      *
DENY ALL OUTBOUND                 65500    Deny   *                     *                 *                          *                      *
Based on these rules, my RDP endpoint on my VM in subnet C should stop working. However, I am still able to RDP directly to my VM from the internet. Is there something I am missing?
Solution 1:[1]
When you create a VM it will create a RDP endpoint automatically. It appears that this setting overrides your Network Security Group values.
I usually add an ACL to it "0.0.0.0/0" "DENY" so I can re-enable it if I need to.
Solution 2:[2]
Per the function of Network Security Groups: "Network security groups are different than endpoint-based ACLs. Endpoint ACLs work only on the public port that is exposed through the Input endpoint. An NSG works on one or more VM instances and controls all the traffic that is inbound and outbound on the VM." The first inbound rule = "ALLOW VNET INBOUND 65000 Allow VIRTUAL_NETWORK * VIRTUAL_NETWORK * "
This allows all traffic inside to the virtual machine. Since there is no endpoint ACL on the VM and that RDP endpoint is enabled, then traffic can get to the VM.
Update: You are correct. It should not allow RDP access. As per this link under FAQ: http://azure.microsoft.com/blog/2014/11/04/network-security-groups/
4. I have defined an RDP endpoint for my VM and I am using a Network Security Group; do I need an Access control rule to connect to the RDP port from the Internet? Yes, the default rules in a Network Security Group do not allow access to any port from the Internet; users have to create a specific rule to allow RDP traffic.
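As an added example (not part of the question or of any answer), this is the explicit inbound rule the FAQ quoted in Solution 2 calls for, together with the endpoint ACL Solution 1 describes, written with the same classic (ASM) cmdlets the question uses. The admin source prefix 203.0.113.0/24, the cloud service name, the VM name and the endpoint name are placeholders; check the real endpoint name with Get-AzureEndpoint before running step 2.

```powershell
# Added example, not from the original question or answers. Uses the classic
# (ASM) Azure PowerShell module, matching the cmdlets in the question.
$SGName       = 'SecurityGroupC'
$AdminPrefix  = '203.0.113.0/24'   # placeholder: the only source allowed to RDP
$ServiceName  = 'MyCloudService'   # placeholder cloud service hosting the VM
$VMName       = 'VMC'              # placeholder VM in subnet C
$EndpointName = 'Remote Desktop'   # placeholder: name of the auto-created RDP endpoint

# 1. The default rules only admit VNet and load-balancer traffic; anything from
#    the Internet falls through to DENY ALL INBOUND (65500). Add one explicit
#    rule with a lower priority value (evaluated first) that admits TCP/3389
#    from the admin prefix and nothing else.
Get-AzureNetworkSecurityGroup -Name $SGName |
    Set-AzureNetworkSecurityRule -Name 'Allow-RDP-From-Admin' `
        -Type Inbound -Priority 100 -Action Allow `
        -SourceAddressPrefix $AdminPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '3389' `
        -Protocol TCP

# 2. Defence in depth (Solution 1): the input endpoint carries its own ACL,
#    enforced on the public port independently of the NSG. Permit the admin
#    prefix there as well and explicitly deny everything else, so an
#    NSG/endpoint ordering problem like the one in Solution 3 cannot leave
#    the public RDP port open.
$vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
$vm | Get-AzureEndpoint            # confirm $EndpointName matches a real endpoint
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet $AdminPrefix -Order 100 `
    -Description 'RDP from admin range' -ACL $acl
Set-AzureAclConfig -AddRule -Action Deny -RemoteSubnet '0.0.0.0/0' -Order 200 `
    -Description 'Deny all other RDP' -ACL $acl
$vm | Set-AzureEndpoint -Name $EndpointName -ACL $acl | Update-AzureVM

# 3. Verify: the new rule should now be listed above the three defaults.
Get-AzureNetworkSecurityGroup -Name $SGName -Detailed
```

After this, an RDP attempt from outside $AdminPrefix should fail at both layers, and the only Internet source that reaches TCP/3389 is the admin range.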
Solution 3:[3]
I have just found the same thing. I also found that deleting and recreating the endpoint then allows the NSG to function as expected, i.e. it seems that if the NSG is created/linked after the endpoint, it doesn't work but if the NSG is done first, it does!
Solution 4:[4]
You have to apply the changes; that's why you're not getting the expected behaviour:
Set-AzureRmVirtualNetwork -VirtualNetwork $virtualNetwork
Hope this helps!
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
--- | ---
Solution 1 | 
Solution 2 | 
Solution 3 | www.expertsinpublic.cloud
Solution 4 | Pedro Perez