How to open a Custom Port in Network Security Groups (Resource Manager)?

  • Question

  • We've been using the "Classic" Azure for some time now, and I'm looking into getting the next generation of our IaaS applications running in the Resource Manager.

    I've got a set of machines set up as Web Server / Application Server > SQL Server, and the web site is connecting through successfully; the Network Security Group for the Web Server is associated with the NIC on the VM, and the HTTP and HTTPS ports open plus an Application Gateway for RDP are all working OK.

    I now need to get a specific custom port (57070) open to allow an application to connect to the setup, and I don't seem to be able to get the port open in the NSG.

    On the Classic Endpoints version I've got Protocol TCP / Public Port 57070 / Private Port 57070. This works fine and I can Telnet to that port using the IP Address of the VM; I can also set an ACL of IP Addresses that are permitted to connect.

    On the Resource Manager version I can Telnet to Ports 80 & 443 OK, but using Source = Any / Protocol = TCP / Source Port Range 57070 / Destination Port Range 57070 I can't Telnet to Port 57070. If I set the Source Port Range to * then I can Telnet to the Port, but doesn't that mean I've got all the Ports open?

    Is there a guide anywhere that gives a comparison between the setup for the Classic Endpoint and the RM NSGs? I'm also looking for more information on how to lock connections down to specific (public) IP Addresses!

    THANKS

    JBF



    • Edited by jbf1959 Wednesday, August 16, 2017 4:09 PM
    Wednesday, August 16, 2017 4:06 PM

Answers

  • Source port does not mean all ports are open.

    They are stateless connections, only the destination port is opened.

    When locking down to specific addresses, unless they are in a range, you will need to create multiple rules for each individual address, specifying the source IP range as the individual IP.

    Joe

    • Marked as answer by jbf1959 Thursday, August 17, 2017 7:37 AM
    Wednesday, August 16, 2017 4:11 PM
  • Hello

    When the Source port range is set to '*', it means to allow traffic from clients connecting from any port. And this is the default configuration.

    So, I think when you test the port, the traffic from your client is not just from 57070.

    Also, setting the Source port range to '*' doesn't mean you have opened all ports, because the Destination port range can allow or deny traffic to your VM.

    More about NSG, you can refer to this link: Filter network traffic with network security groups.

    More about locking connections down to a specific IP, you can refer to this link: Lock down access to Azure VM to specific IP.



    • Edited by Wayne.Yang Thursday, August 17, 2017 2:47 AM
    • Marked as answer by jbf1959 Thursday, August 17, 2017 7:34 AM
    Thursday, August 17, 2017 2:46 AM
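As an added example that is not part of this thread or of Azure's own tooling: a small Python model of inbound NSG rule evaluation (first match by priority, then the platform's DenyAllInBound default). It shows why a rule with Source Port Range 57070 never matches a client, which connects from an ephemeral source port, while a rule with source `*` and Destination Port Range 57070 opens only that one port, and how source address prefixes restrict which public addresses may call it. The rule names and the 203.0.113.x / 198.51.100.x addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int                    # lower value is evaluated first
    access: str                      # "Allow" or "Deny"
    protocol: str = "*"              # "Tcp", "Udp" or "*"
    source_prefixes: tuple = ("*",)  # CIDRs of permitted clients, or "*"
    source_ports: str = "*"          # "*", "57070" or "1024-65535"
    dest_ports: str = "*"


def port_matches(spec: str, port: int) -> bool:
    """True if port falls inside a single-port or 'lo-hi' range spec."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def prefix_matches(prefixes: tuple, addr: str) -> bool:
    return any(p == "*" or ip_address(addr) in ip_network(p, strict=False)
               for p in prefixes)


def evaluate(rules, src_ip: str, src_port: int, dst_port: int, proto="Tcp"):
    """First matching rule by priority wins; only the platform's final
    DenyAllInBound default rule is modelled here."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", proto)
                and prefix_matches(r.source_prefixes, src_ip)
                and port_matches(r.source_ports, src_port)
                and port_matches(r.dest_ports, dst_port)):
            return r.access, r.name
    return "Deny", "DenyAllInBound"


# The rule from the question: source port pinned to 57070 (constructed name).
PINNED_SOURCE = NsgRule("app-57070-pinned", 100, "Allow", "Tcp",
                        ("*",), "57070", "57070")
# Corrected rule: any client source port, destination 57070 only, and only
# from the constructed public prefixes; one rule may list several prefixes.
LOCKED_DOWN = NsgRule("app-57070", 100, "Allow", "Tcp",
                      ("203.0.113.10/32", "198.51.100.0/24"), "*", "57070")

if __name__ == "__main__":
    # A client picks an ephemeral source port (here 51234), never 57070.
    print(evaluate([PINNED_SOURCE], "203.0.113.10", 51234, 57070))
    print(evaluate([LOCKED_DOWN], "203.0.113.10", 51234, 57070))
    print(evaluate([LOCKED_DOWN], "203.0.113.10", 51234, 3389))  # other port
```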
