
I'm configuring Azure Cloud Service (extended support). Part of the requirements is to apply certain IP security rules, e.g. RDP only from a whitelist of addresses, and some others. With individual VMs, I have used network security groups in the past; however, this doesn't seem to work for the cloud service (extended support).

Specifically, I associated a network security group with the subnet in a virtual network, from which role instances get their addresses, yet this NSG's rules don't seem to be adhered to. For example, my inbound rules look like this:

[screenshot: NSG inbound security rules]

(the shaded sources contain the 2 allowed IP addresses). Yet I am able to connect to RDP from any other IP address over the internet.

So, the question is: how do I apply IP security rules on the cloud service, whether via an NSG or something else?

Aleks G

1 Answer


Cloud services are "classic" resources and use a classic vNet and classic NSGs. You need to make sure that you create a "classic" NSG and apply it to the right vNet.

Edit: You are correct, this should support an ARM NSG. What you have listed in your diagram looks correct from the NSG perspective. I am wondering if the allow rule for the Azure load balancer is allowing this traffic in, given that RDP traffic to cloud services is proxied via a load balancer. Can you try configuring your NSG as documented here to see if that helps?

Sam Cogan
  • I'm afraid you're not correct. "Cloud Service" is a classic resource, but "Cloud Service (Extended Support)" is a new type of ARM resource, which was introduced in 2021 as a logical replacement for Cloud Service (Classic). – Aleks G Jan 09 '23 at 15:06
  • Sorry, you are correct, I should pay more attention! Please see edit. – Sam Cogan Jan 12 '23 at 09:28
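The following is an added example, not code from the question or the answer, that models how an NSG evaluates the rule set described above (two whitelisted admin addresses allowed on 3389, an explicit deny for the Internet, plus Azure's default rules) with first-match-by-priority semantics. It lets you check, before deploying, which source addresses a rule set would admit to RDP, and it shows the case the answer raises: traffic matching the AzureLoadBalancer tag is admitted by the default rule at priority 65001 unless an earlier rule denies it. The service-tag prefixes, the rule names and all IP addresses are constructed for the example; real service tags resolve to Microsoft-published prefix lists, which this simplified model does not load.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for Azure service tags (assumption: the real tags
# resolve to Microsoft-published prefix lists, which this model does not load).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # the role instances' VNet
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's health-probe source
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, single IP, "*", "Internet", or a service tag
    dest_port: str  # single port number or "*"


def _in_tag(ip, tag):
    return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAGS[tag])


def source_matches(source, ip):
    if source == "*":
        return True
    if source in SERVICE_TAGS:
        return _in_tag(ip, source)
    if source == "Internet":
        # Simplification: anything not covered by the VNet or load balancer tags.
        return not any(_in_tag(ip, t) for t in SERVICE_TAGS)
    return ip in ipaddress.ip_network(source, strict=False)


def evaluate(rules, client_ip, port):
    """Return (rule_name, access) of the first rule, by ascending priority,
    that matches the inbound flow; this mirrors NSG first-match semantics."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, ip) and rule.dest_port in ("*", str(port)):
            return rule.name, rule.access
    return None, "Deny"  # not reached: Azure always appends DenyAllInBound


# Azure's default inbound rules, which every NSG carries.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Constructed custom rules: two admin addresses may reach RDP; everyone else
# on the Internet is explicitly denied ahead of the default rules.
RDP_RULES = [
    Rule("Allow-RDP-Admin1", 100, "Allow", "203.0.113.10/32", "3389"),
    Rule("Allow-RDP-Admin2", 110, "Allow", "198.51.100.7/32", "3389"),
    Rule("Deny-RDP-Internet", 200, "Deny", "Internet", "3389"),
]

RULES = RDP_RULES + DEFAULT_INBOUND


def rdp_exposure(rules, probe_ips, port=3389):
    """Return the subset of probe_ips that the rule set would admit to RDP."""
    return [ip for ip in probe_ips if evaluate(rules, ip, port)[1] == "Allow"]


if __name__ == "__main__":
    for ip in ["203.0.113.10", "192.0.2.55", "10.0.1.4", "168.63.129.16"]:
        print(ip, "->", evaluate(RULES, ip, 3389))
```

If the model says a source is denied but the real RDP session still connects, the rule set is not the problem; the NSG is not on the path the traffic takes, which is the situation the question describes and the reason the answer points at how the cloud service's load balancer front-ends RDP.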