4

I've got a networking question for one of my customers servers in the cloud.

We are using just a standard 2012R2 VM with a few endpoints set up through the NSG Firewall, and we have a LoadBalancer infront of the network with a few ports forwarded to the same VPC.

The reason we are using a load balancer with port forwarding is because I'm finding countless records of bots trying to hit 3389 and 21 with attempts to break in.

So I have tried to change the source setting in the NSG rule to AzureLoadBalancer with the hope that it will only allow access to traffic that has come via the LoadBalancer on the external ports.

But for some reason this is not the case? Is there a proper procedure for restricting traffic to a VM via the NSG from a LoadBalancer?

Any help with this is greatly appreciated.

Thanks

Jason Ye

WellConnectedIT

2 Answers

3

The NSG can't be associated with a load balancer. NSGs can be associated with either subnets or individual VM instances within that subnet, so we can't use an NSG to block inbound IP addresses from the internet.
To protect the VM (with a public IP), we can deploy a Linux VM and use iptables as a firewall. You can also search for third-party firewall products in the Azure Marketplace.

Update:
To protect your VM, you can use an NSG to allow a source IP address range to access your VM: NSG -> Add inbound security rule -> Advanced -> Source IP address range.

Jason Ye
  • It's not about associating a load balancer with an NSG. For further clarification: how do you restrict the source IP to the IP address of the load balancer? – WellConnectedIT Jan 10 '17 at 23:18
  • @WellConnectedIT Azure can't restrict the source IP of the internet load balancer. The reason you add the internet LB is to protect your VM. To protect your VM, you can use an NSG to allow a source IP address range to access your VM: NSG -> Add inbound security rule -> Advanced -> Source IP address range. – Jason Ye Jan 11 '17 at 05:39
  • 1
    I think you're missing it with this one. Currently I have: Internet – WellConnectedIT Jan 19 '17 at 22:50
  • @WellConnectedIT I think I understood your explanation. If I understand it correctly: you want the VM without a direct IP, so that network traffic can only come over the load balancer IP with different ports. We can disassociate the VM's public IP, so we can access the VM via the load balancer IP. – Jason Ye Jan 20 '17 at 00:42
  • @WellConnectedIT In the ARM model, we can use the new portal to disassociate the VM's public IP address: log in to the new portal > select the VM's public IP > Disassociate. – Jason Ye Jan 20 '17 at 00:49
  • I have the exact same question and would like to have an answer if possible. Disassociating the IP does not always work, because sometimes I do want the VM to have a public IP, but I don't want the public IP to have access to SSH. – William Yeung Mar 14 '17 at 09:55
  • @WilliamYeung Is your VM behind a load balancer? – Jason Ye Mar 15 '17 at 01:27
  • NAT rule yes, but not in terms of load balancer rules. – William Yeung Mar 27 '17 at 02:27
0

Looking at the LB troubleshooting doc:

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot

You have:

- Also, check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).

If you create your NSG rule and only allow from 168.63.129.16 you should be set. The Azure load balancer will always come from that address no matter what your frontend IP is.

Mike
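The two answers between them describe one rule set: restrict the bot-scanned management ports (3389, 21) to a known source range, keep the load balancer address the troubleshooting doc says must be allowed (168.63.129.16), and attach the NSG to the NIC or subnet rather than to the load balancer. The following Az PowerShell script is an added example that is not code from the thread or from Microsoft's docs. It assumes the Az module and an existing Connect-AzAccount session; the resource group, NSG and NIC names and the 203.0.113.0/24 admin range are placeholders to replace with your own.

```powershell
# Added example, not from the original thread. All resource names and the
# admin source range below are placeholders (constructed values).
param(
    [string]$ResourceGroup = 'rg-example',
    [string]$NsgName       = 'nsg-web-vm',
    [string]$NicName       = 'nic-web-vm',
    [string]$AdminRange    = '203.0.113.0/24'   # constructed: your office / VPN egress range
)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# 1. Management ports are reachable only from the known admin range.
#    Lowest priority number wins, so this is evaluated before the deny below.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-From-Admin' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $AdminRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange @('3389', '21') | Out-Null

# 2. Keep the load balancer working: 168.63.129.16 is the address the
#    troubleshooting doc quoted in the thread says the NSG must allow.
#    Explicitly allowing it ahead of any broad deny avoids the failure mode
#    the doc describes (a Deny All rule out-prioritising the default LB rule).
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-AzureLB-Address' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol '*' `
    -SourceAddressPrefix '168.63.129.16' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null

# 3. Explicit deny for the scanned ports from everything else on the Internet,
#    placed above the default rules so it wins over any later broad allow.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-From-Internet' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange @('3389', '21') | Out-Null

# Persist the rules on the NSG.
$nsg = $nsg | Set-AzNetworkSecurityGroup

# Associate the NSG with the VM's NIC (NSGs attach to NICs or subnets,
# not to the load balancer, as the accepted answer notes).
$nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Check: list the inbound rules actually in effect on the NIC, in evaluation
# order, so the allow-from-admin rule is visibly ahead of the deny.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $ResourceGroup -NetworkInterfaceName $NicName |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The final Get-AzEffectiveNetworkSecurityGroup call needs the VM to be running; it is the quickest way to confirm that no higher-priority rule (on the NIC or on the subnet) is shadowing the ones you just added, which is exactly the situation the quoted troubleshooting line warns about.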