Classic deployment - Endpoints and Network Security Groups - how do they co-exist?

  • Question

  • Hi,

    Hopefully a quick question. I am playing with network security groups and I seem to be getting a few issues. My topology:

    1x VM (Classic)

    1x Cloud service with reserved IP address (Classic)

    HTTP and HTTPS End Point configured.

    I want to apply an NSG to the VM, but from the "New" Portal I can only select the resource group (cloud service). I create an NSG rule that limits HTTP from a specific source IP range to the cloud service.

    On testing I can connect from any IP range; the rule doesn't seem to be having an effect. I had a thought that maybe the end point configuration was overruling the NSG rule. I tried to remove the end point, but I get an error: because the cloud service has a reserved IP, it must have at least one end point configured.

    I've had a trawl around the Azure documentation and various forums, but I can't find any information on how the classic end points and NSGs co-exist with each other. Any links to articles or any help/thoughts gratefully received.

    Thanks

    Wednesday, February 10, 2016 9:06 PM

All replies

  • Hi,

    You should not have any issues with your endpoint unless you have an endpoint ACL.
    Endpoint-based ACLs and network security groups are not supported on the same VM instance.
    If you want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL, not the endpoint itself.

    For a classic deployment, an NSG can be associated only with VMs or subnets.
    You could refer to the following link for details:
    https://azure.microsoft.com/en-in/documentation/articles/virtual-networks-nsg/

    Regards,
    Malar.

    Thursday, February 11, 2016 11:19 AM
  • Hi Malar

    Thanks for the reply.

    Am I getting confused here? I am trying to achieve what end point ACLs give me, but using NSGs instead. By this I mean that I want to restrict HTTP connectivity to a VM to a predefined set of IP addresses that are coming in from the internet. Will NSGs allow me to do this, or are NSGs only designed to work with the VNET infrastructure?

    I've created this rule in the NSG (assigned to a subnet). I have removed the end point ACLs, but I've left the HTTP end point enabled.



    This allowed the PC on the source IP to access the web site; however, testing from another internet-located PC, I was also able to access the site, so this rule wasn't having any effect. I was under the impression that NSGs work like most firewalls, where access is denied unless permitted. Just as an experiment I added a deny rule at the bottom of the list.

    Now I can't access the web site from any address on the internet, so the deny is working, but the permit, which is higher in the list, still isn't working.

    Is there an issue with my using a single IP? However, the article you linked above mentions a single IP.

    I am sure there is something I am missing, but I can't see what...

    Thanks

    Rob

    Thursday, February 11, 2016 12:16 PM
  • Hi Rob,

    Did this get resolved? If not, can you share the other rules in the NSG? NSGs work the way you describe: if you associate them to a subnet or a VM NIC, they deny all connections other than the ones explicitly allowed.

    Thanks.

    Friday, August 26, 2016 1:56 PM
    Was your intention to only block port 80?

    Also, make sure you keep the priorities correct.

    Saturday, August 27, 2016 2:46 AM
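The two points made in the replies above (an NSG denies everything that is not explicitly allowed, and rule priority decides which rule wins) are easiest to check with a small simulator. The following is an added example, not code from this thread or from Azure: it evaluates inbound NSG rules in priority order with first-match semantics, merging the caller's rules with the three default inbound rules every NSG carries (AllowVNetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500). The VNet address space, the office address (an RFC 5737 test address) and the rule names are constructed for the example; the mapping of the Internet tag to "anything outside the VNet" is a simplification.

```python
"""Priority-ordered, first-match evaluation of Azure NSG inbound rules.

Added example for the thread above; not Azure's code. The VNet address
space, office IP and custom rule names are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: the VNet's address space, used to expand the VirtualNetwork tag.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
# Azure's well-known load-balancer / health-probe address (AzureLoadBalancer tag).
AZURE_LB = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first; must be unique per NSG
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, single IP, "*", or tag: Internet / VirtualNetwork / AzureLoadBalancer
    dest_port: str       # "80", "80-443", or "*"
    protocol: str = "*"  # "TCP", "UDP" or "*"


# Default inbound rules present in every NSG (priorities as documented by Azure).
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def source_matches(rule_source: str, src: str) -> bool:
    ip = ipaddress.ip_address(src)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB
    if rule_source == "Internet":
        # Simplification: anything that is neither VNet nor the LB is "Internet".
        return ip not in VNET_SPACE and ip != AZURE_LB
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-", 1))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(custom_rules, src: str, dst_port: int, protocol: str = "TCP"):
    """Return (access, rule_name) of the first matching rule in priority order."""
    rules = sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    priorities = [r.priority for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("NSG rule priorities must be unique")
    for rule in rules:
        if rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, src) and port_matches(rule.dest_port, dst_port):
            return rule.access, rule.name
    return "Deny", "implicit"  # unreachable: DenyAllInBound matches everything


# Constructed: the rule set the original poster describes, HTTP from one office address only.
OFFICE_IP = "203.0.113.10"


def intended_ruleset():
    return [Rule("Allow-HTTP-Office", 100, "Allow", f"{OFFICE_IP}/32", "80", "TCP")]


def misordered_ruleset():
    # A broad deny with a lower number than the allow shadows it: the "keep the
    # priorities correct" point from the last reply.
    return [
        Rule("Deny-HTTP-Internet", 100, "Deny", "Internet", "80", "TCP"),
        Rule("Allow-HTTP-Office", 200, "Allow", f"{OFFICE_IP}/32", "80", "TCP"),
    ]


if __name__ == "__main__":
    for label, rules in (("intended", intended_ruleset()), ("misordered", misordered_ruleset())):
        for src in (OFFICE_IP, "198.51.100.7", "10.0.1.5", str(AZURE_LB)):
            print(f"{label:10} {src:>15} :80 -> {evaluate(rules, src, 80)}")
```

With the intended rule set, the office address is allowed by the custom rule, an arbitrary internet address falls through to DenyAllInBound, and VNet or load-balancer sources are still allowed by the default rules; with the misordered set, the office address is denied before its allow rule is ever reached. Note that this models the documented evaluation order only; it does not explain the behaviour Rob observed, which the thread leaves unresolved.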