How the network security rules are processed?

Ravikiran S 116 Reputation points
2021-05-19T07:52:50.92+00:00

I have these inbound security rules for my VM.
Priority 1005: Allows RDP connections from Azure Bastion. Bastion's public IP is 52.191.87.53
Priority 1010: Denies RDP connections from the VNet.

[attached image: 97794-nsg-qna.png]

As per my understanding, rule 1005 should be processed (higher priority compared to 1010), and I should be able to access VM via Bastion. But, still, the RDP connection is denied.

The MS document says this:

"Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed."

This indicates that rule 1010 is processed. I am not able to understand why.

[attached image: 97821-nsg-qna.png]


Accepted answer
Andreas Baumgarten 110.2K Reputation points MVP
2021-05-19T08:16:34.127+00:00

Hi @Ravikiran S ,

Azure Bastion will not connect via public IP (52.191.87.53) to the VMs. Bastion is using a dedicated AzureBastionSubnet for communication with the Azure VMs.
https://zcusa.951200.xyz/en-us/azure/bastion/bastion-nsg

The Security Rule in your NSG should not be configured with the 52.191.87.53 as source. Instead you could use the AzureBastionSubnet IP address range as source. This is the recommendation from Microsoft as well: https://zcusa.951200.xyz/en-us/azure/bastion/bastion-nsg#target-vm-subnet

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
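To make the first-match behaviour and the fix from the answer concrete, here is a small simulator of inbound NSG evaluation. It is an added example, not code from the thread or from Microsoft: the VNet address space (10.0.0.0/16), the AzureBastionSubnet range (10.0.1.0/26) and the Bastion host address (10.0.1.4) are constructed values, since the question does not give them, and the "VirtualNetwork" service tag is simplified to just that VNet range. Rules are walked in ascending priority number and the first rule whose source and destination port match decides the flow; Azure's default inbound rules 65000 (AllowVnetInBound) and 65500 (DenyAllInBound) are appended so every flow gets a decision.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addressing (the question does not state the VNet layout).
VNET_ADDRESS_SPACE = ipaddress.ip_network("10.0.0.0/16")
AZURE_BASTION_SUBNET = ipaddress.ip_network("10.0.1.0/26")   # hypothetical AzureBastionSubnet range
BASTION_PUBLIC_IP = "52.191.87.53"                            # the IP used as source in the question's rule 1005
BASTION_HOST_IP = "10.0.1.4"                                  # constructed: an address inside AzureBastionSubnet
OTHER_VM_IP = "10.0.2.5"                                      # constructed: another VM in the same VNet


@dataclass(frozen=True)
class NsgRule:
    priority: int
    name: str
    source: str      # CIDR or single IP, the service tag "VirtualNetwork", or "*"
    dest_port: str   # port number as a string, or "*"
    action: str      # "Allow" or "Deny"


# Azure's built-in default inbound rules, reduced to the fields modelled here.
DEFAULT_INBOUND = [
    NsgRule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    NsgRule(65500, "DenyAllInBound", "*", "*", "Deny"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Does the flow's source address fall inside the rule's source prefix or tag?"""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        # Simplified: the real tag also covers peered VNets and on-premises ranges.
        return ip in VNET_ADDRESS_SPACE
    return ip in ipaddress.ip_network(rule_source, strict=False)


def evaluate(rules, src_ip: str, dest_port: int) -> NsgRule:
    """Return the first matching rule in ascending priority order; later rules are not processed."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.dest_port in ("*", str(dest_port)) and source_matches(rule.source, src_ip):
            return rule
    raise AssertionError("DenyAllInBound always matches")


def decision(rules, src_ip: str, dest_port: int) -> str:
    rule = evaluate(rules, src_ip, dest_port)
    return f"{rule.action} by {rule.priority} {rule.name}"


# The question's rule set: allow RDP from Bastion's public IP, deny RDP from the VNet.
ORIGINAL_RULES = [
    NsgRule(1005, "AllowBastionRDP", f"{BASTION_PUBLIC_IP}/32", "3389", "Allow"),
    NsgRule(1010, "DenyVnetRDP", "VirtualNetwork", "3389", "Deny"),
]

# The fix from the accepted answer: use the AzureBastionSubnet range as the source.
FIXED_RULES = [
    NsgRule(1005, "AllowBastionRDP", str(AZURE_BASTION_SUBNET), "3389", "Allow"),
    NsgRule(1010, "DenyVnetRDP", "VirtualNetwork", "3389", "Deny"),
]


if __name__ == "__main__":
    # Bastion's RDP session arrives from its subnet address, never from 52.191.87.53,
    # so rule 1005 does not match and the deny at 1010 is the first hit.
    print("original rules, Bastion host:", decision(ORIGINAL_RULES, BASTION_HOST_IP, 3389))
    print("fixed rules,    Bastion host:", decision(FIXED_RULES, BASTION_HOST_IP, 3389))
    print("fixed rules,    other VM:    ", decision(FIXED_RULES, OTHER_VM_IP, 3389))
    print("fixed rules,    internet IP: ", decision(FIXED_RULES, "8.8.8.8", 3389))
```

With the original rule set the Bastion host's flow skips rule 1005 (wrong source) and stops at the 1010 deny, which is exactly the behaviour the question reports; with the subnet range as source, 1005 matches first and the same 1010 rule still blocks RDP from every other VM in the VNet.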

