
Just trying to wrap my head around how NSG rules work when there are rules on a subnet and a NIC, so for the following scenario:

We have a machine VM1 with a NIC, NIC1, which is inside a subnet, subnet1.

Subnet1 has an NSG with the default allow/deny rules, and also a rule to allow incoming SSH on port 22.

The NIC has an NSG with the default allow/deny rules and no additional rules.

You attempt to SSH into VM1. Will it be allowed?

My understanding is that this connection is not allowed: the NSG for subnet1 is evaluated first, which allows the connection, but then the NSG on NIC1 only has the default rules, which include DenyAll. Because the NSG on NIC1 does not have an allow rule for SSH on port 22, it will be blocked.

2 Answers


  1. Yes, that is correct. The connection will not be allowed in your scenario. This Microsoft documentation clearly explains this scenario as well.

    Refer to the diagram below:

    [diagram from the Microsoft documentation: NSG1 on Subnet1, NSG2 on VM1's network interface; image not reproduced here]

    And the explanation from Microsoft:

    VM1: The security rules in NSG1 are processed, since it’s associated to Subnet1 and VM1 is in Subnet1. Unless you’ve created a rule that allows port 80 inbound, the DenyAllInbound default security rule denies the traffic. The traffic doesn’t get evaluated by NSG2 because it’s associated with the network interface. If NSG1 allows port 80 in its security rule, NSG2 processes the traffic. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.

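An added illustration, not code from the question, the answers, or Microsoft's documentation: a small Python model of the inbound evaluation order the answer above describes (subnet NSG first, then NIC NSG; within each NSG the first matching rule by priority wins; every NSG carries Azure's three default inbound rules). The NSG names, the `AllowSSH` rule and the 203.0.113.10 source address are constructed for the example; the model also covers the case the second answer raises, a NIC with no NSG attached at all.

```python
"""Model of Azure NSG inbound evaluation with a subnet NSG and a NIC NSG.

Added example, not Azure code. It reproduces the documented behaviour:
inbound traffic is evaluated by the subnet NSG first and, only if allowed
there, by the NIC NSG; within an NSG rules are processed in priority order
and the first match decides. The default rule names and priorities are the
ones Azure creates in every NSG; everything else below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "*"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first (custom rules use 100..4096)
    access: str          # "Allow" or "Deny"
    port: str = ANY      # destination port as a string, or "*" for any
    source: str = ANY    # "Internet", "VirtualNetwork", "AzureLoadBalancer", a CIDR, or "*"

@dataclass
class Flow:
    src_ip: str
    dst_port: int
    from_internet: bool  # True for traffic arriving from outside the virtual network

def _source_matches(rule_source, flow):
    if rule_source == ANY:
        return True
    if rule_source == "Internet":
        return flow.from_internet
    if rule_source == "VirtualNetwork":
        return not flow.from_internet
    if rule_source == "AzureLoadBalancer":
        return flow.src_ip == "168.63.129.16"  # Azure's documented load-balancer probe address
    return ip_address(flow.src_ip) in ip_network(rule_source, strict=False)

def _port_matches(rule_port, port):
    return rule_port == ANY or int(rule_port) == port

# The three default inbound rules Azure adds to every NSG (priorities 65000/65001/65500).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", ANY, "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", ANY, "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny", ANY, ANY),
]

@dataclass
class NSG:
    name: str
    custom_rules: list = field(default_factory=list)

    def evaluate(self, flow):
        """Return (access, rule_name) for the first rule, by priority, that matches the flow."""
        for rule in sorted(self.custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
            if _source_matches(rule.source, flow) and _port_matches(rule.port, flow.dst_port):
                return rule.access, rule.name
        raise AssertionError("DenyAllInBound matches everything; this is unreachable")

def inbound_allowed(subnet_nsg, nic_nsg, flow):
    """Evaluate inbound traffic in Azure's order: subnet NSG, then NIC NSG.

    A None NSG means nothing is attached at that level. Returns (allowed, trace),
    where trace lists (nsg name, deciding rule, access) for each NSG consulted;
    a Deny at the subnet stops evaluation, so the NIC NSG never sees the flow.
    """
    trace = []
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is None:
            continue
        access, rule_name = nsg.evaluate(flow)
        trace.append((nsg.name, rule_name, access))
        if access == "Deny":
            return False, trace
    return True, trace

# Constructed rule matching the question's "allow incoming SSH on port 22".
ALLOW_SSH = Rule("AllowSSH", 100, "Allow", "22", "Internet")

def ssh_from_internet(subnet_rules, nic_rules):
    """Build the poster's topology (subnet1 NSG + NIC1 NSG) and test one SSH connection.

    nic_rules=None models a NIC with no NSG attached at all.
    """
    subnet_nsg = NSG("subnet1-nsg", subnet_rules)
    nic_nsg = None if nic_rules is None else NSG("nic1-nsg", nic_rules)
    ssh = Flow("203.0.113.10", 22, from_internet=True)  # constructed source (TEST-NET-3)
    return inbound_allowed(subnet_nsg, nic_nsg, ssh)

if __name__ == "__main__":
    cases = [
        ("NIC NSG with default rules only (the question)", []),
        ("NIC NSG also allows SSH", [ALLOW_SSH]),
        ("no NSG on the NIC", None),
    ]
    for label, nic_rules in cases:
        allowed, trace = ssh_from_internet([ALLOW_SSH], nic_rules)
        print(f"{label}: {'allowed' if allowed else 'denied'} via {trace}")
```

Running it shows the question's scenario denied by `DenyAllInBound` on the NIC NSG even though the subnet NSG allowed the flow, the same scenario allowed once the NIC NSG carries its own allow rule, and the flow allowed when the NIC has no NSG at all, which is the single-NSG layout the second answer recommends.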
  2. Access should be blocked in your scenario. Bear in mind that Microsoft recommends applying an NSG either to the subnet or to the NIC, not both, for simplified management.
