
I have added a new VM to a subnet that has no NSG assigned to it. I have an NSG where I have added rules to allow port 3389 (RDP), but I did not associate this NSG with either the subnet or the VM's network interface. But still I am able to RDP into it and am also able to reach the web server. Basically, network traffic to ports 80 and 3389 is going through.

How can this happen when there is no NSG assigned? Does the network interface of the VM allow this traffic by default? If so, where can I find the allowed rules, and how can I restrict such traffic?

Mostafiz Rahman
bitsandbytes

2 Answers


Yes, with no NSG around, nothing is being blocked (imagine an NSG is a firewall; what happens when there is NO firewall?).

Attach the NSG and it will work as you expect.

4c74356b41
  • Ahh, I thought by default all the traffic would be denied. Makes sense. Thanks. – bitsandbytes Dec 06 '17 at 17:00
  • One interesting observation though: when I associated the NSG with the subnet and removed the port 80 inbound rule, it still allowed me to access the site. It only blocked it when I associated the NSG with the network interface. So what's the point of having NSGs at the subnet level? My understanding was that rules at the subnet level will trickle down to the VM level. – bitsandbytes Dec 06 '17 at 17:17
  • Yes, they will. I'm not sure what your problem was. It might not drop established connections. – 4c74356b41 Dec 06 '17 at 17:42
  • I doubt it, as I restarted the VM; I will run some more tests. Anyway, thanks for your help. – bitsandbytes Dec 06 '17 at 18:52
  • I'm 100% sure that's the case. NSGs work fine; they are not broken. – 4c74356b41 Dec 06 '17 at 21:09
  • Please double-check that the VM/NIC is in the same subnet as the NSG. – theSushil Mar 17 '20 at 02:29

If you use a basic SKU public IP address, everything is open by default, so you need an NSG to restrict traffic. If you use a standard SKU public IP address, everything is closed by default, so you need an NSG to open traffic.

From the description, you must be using a basic SKU public IP address.

Refer to this link: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
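To make the two answers concrete, here is a small model of how Azure decides whether an inbound packet reaches a VM. It is an added illustration, not code from the original thread or from Azure: it encodes the documented behaviour that a path with no NSG does no filtering at all (for a basic SKU public IP; a standard SKU public IP stays closed until an NSG allows the traffic), that every attached NSG carries the default inbound rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500), that rules are evaluated lowest priority number first with the first match winning, and that when both the subnet and the NIC carry an NSG the traffic must be allowed by both. The VNet address space (10.0.0.0/16), the source addresses and the rule names are constructed for the example; service tags are reduced to "VirtualNetwork", "AzureLoadBalancer" and "*", and port ranges to "n" or "a-b".

```python
"""Toy model of Azure NSG inbound evaluation (added example, not Azure code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

VNET_SPACE = ip_network("10.0.0.0/16")  # assumed VNet address space for the example
AZURE_LB_PROBE = "168.63.129.16"        # documented Azure load-balancer probe source address


@dataclass
class Rule:
    name: str
    priority: int          # lower number is evaluated first; 100-4096 for custom rules
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp" or "*"
    source: str = "*"      # IP, CIDR, simplified service tag, or "*"
    dest_port: str = "*"   # "3389", "80-443" or "*"


# Default inbound rules every NSG carries; they cannot be removed, only overridden
# by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", source="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]


@dataclass
class Nsg:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def ordered(self) -> List[Rule]:
        return sorted(self.rules + DEFAULT_INBOUND, key=lambda r: r.priority)


def _source_matches(pattern: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if pattern == "*":
        return True
    if pattern == "VirtualNetwork":      # simplified: the VNet address space only
        return ip in VNET_SPACE
    if pattern == "AzureLoadBalancer":   # simplified: the probe address only
        return src_ip == AZURE_LB_PROBE
    return ip in ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(nsg: Nsg, src_ip: str, protocol: str, dst_port: int) -> Rule:
    """Return the first rule, in priority order, that matches the packet."""
    for rule in nsg.ordered():
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


def inbound_allowed(subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg],
                    src_ip: str, protocol: str, dst_port: int,
                    public_ip_sku: str = "Basic") -> bool:
    """Subnet NSG is checked first, then the NIC NSG; both must allow.

    With no NSG on the path there is nothing to evaluate: a basic SKU public
    IP lets everything in, a standard SKU public IP lets nothing in.
    """
    path = [nsg for nsg in (subnet_nsg, nic_nsg) if nsg is not None]
    if not path:
        return public_ip_sku.lower() == "basic"
    return all(evaluate(nsg, src_ip, protocol, dst_port).access == "Allow" for nsg in path)


def scenario() -> Dict[str, bool]:
    """The situations discussed in the thread, with constructed addresses."""
    admin = "203.0.113.10"      # constructed: the admin workstation allowed to RDP
    stranger = "198.51.100.7"   # constructed: an arbitrary Internet host
    rdp_only = Nsg("nsg-rdp", [
        Rule("allow-rdp-from-admin", 100, "Allow", "Tcp", admin + "/32", "3389"),
    ])
    web_nic = Nsg("nsg-web-nic", [Rule("allow-http", 100, "Allow", "Tcp", "*", "80")])
    return {
        "no_nsg_http": inbound_allowed(None, None, stranger, "Tcp", 80),
        "no_nsg_http_standard_ip": inbound_allowed(None, None, stranger, "Tcp", 80, "Standard"),
        "subnet_nsg_http": inbound_allowed(rdp_only, None, stranger, "Tcp", 80),
        "subnet_nsg_rdp_admin": inbound_allowed(rdp_only, None, admin, "Tcp", 3389),
        "subnet_nsg_rdp_stranger": inbound_allowed(rdp_only, None, stranger, "Tcp", 3389),
        "subnet_nsg_from_vnet": inbound_allowed(rdp_only, None, "10.0.1.5", "Tcp", 80),
        "subnet_denies_nic_allows": inbound_allowed(rdp_only, web_nic, stranger, "Tcp", 80),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

In this model, associating the RDP-only NSG with the subnet is enough to stop port 80 from the Internet (DenyAllInBound is the first match), which is the behaviour 4c74356b41 describes; a NIC-level allow cannot reopen a port the subnet NSG denies. Note also that the VNet and load-balancer default allows remain in force even with no custom rule, so "attach an NSG" never means "deny everything". To see the merged rule set Azure actually applies to a real NIC, run `az network nic list-effective-nsg -g <resource-group> -n <nic-name>` or, in PowerShell, `Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName <nic-name> -ResourceGroupName <resource-group>`.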