
I'm trying to restrict access to endpoints on my virtual machine only to specific external IP addresses. Having looked into it I found that a Network Security Group on Azure may be appropriate. I created a network security group and attached it to the subnet of my Virtual Network.

I then created these two rules, which I thought should only allow access from one specified IP address. The rules are below:

 - Source: IP Addresses
 - Source IP Address Range: *
 - Source Port Range: *
 - Destination: *
 - Destination Port Range: *
 - Protocol: Any
 - Action: Deny
 - Priority: 1000
 - Name: Deny-All

 - Source: IP Addresses
 - Source IP Address Range: XX.XXX.XXX.XX
 - Source Port Range: *
 - Destination: Any
 - Destination Port Range: *
 - Protocol: Any
 - Action: Allow
 - Priority: 700
 - Name: Allow-Specific

However, when I try to access the endpoint from the specified IP address, I appear to be blocked. Does anyone know if I have forgotten a step or done something wrong? The NSG is blocking access, but I can't seem to get the whitelist working.

I have checked the NSG logs, but unfortunately I am unable to check what the source IP address is. Perhaps it is possible that the source IP address is getting changed somewhere along the pipeline before it hits the NSG rules.

Brian Delaney
  • Well, something is wrong with your allow; the traffic doesn't match the rule and gets denied. – 4c74356b41 Oct 20 '17 at 11:00
  • Try using Network Watcher in the Azure portal, which offers a number of ways of diagnosing network issues. Also, are you sure that you don't have a firewall running on the VM you are trying to reach? Could you reach the VM prior to adding the rule? – P2l Oct 20 '17 at 14:37
  • Hi @P2l, thanks for your comment. I'm confident that it's not a firewall issue, as when I change 'Source IP Address Range' on my Allow rule to 'Any' I can reach my endpoints. I also tried to check the NSG logs to see what the source IP address was on these requests, but unfortunately the logs do not seem to contain this information. – Brian Delaney Oct 20 '17 at 15:48

1 Answer

It seemed that the issue with this was in the deny-all rule. I did not realize that there was a deny-all rule built into the NSG already. For some reason, when I removed my custom Deny-All rule but left Allow-Specific in place, I was able to access the endpoint from the whitelisted IP.

I'm not sure why this was the case; if anyone has more feedback, I'd be happy to hear it.

Brian Delaney
  • Based on my knowledge, it is not a `Deny-All` rule issue, because that rule has a low priority. It will not affect the rule which has priority 700. When you tested it, did you ensure your service was listening? For a test, you could add the rule again; I think you could still access your service from XX.XXX.XXX.XX. – Shui shengbao Oct 25 '17 at 01:35
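The following is an added illustration, not code from the question, the answer or Azure itself. It models how an NSG evaluates inbound rules: rules are checked in ascending priority order (700 before 1000), the first rule whose source, destination port and protocol all match decides, and every NSG carries three built-in inbound rules (priorities 65000, 65001 and 65500) that cannot be deleted. Running the question's two rules through the model shows the point made in the last comment: a flow from the whitelisted address is allowed by Allow-Specific regardless of the custom Deny-All, and any other source is denied either by the custom rule or, once that is removed, by the built-in DenyAllInBound. The whitelisted address XX.XXX.XXX.XX is stood in for by the constructed documentation address 203.0.113.10, and the VNet address space 10.0.0.0/16 is an assumption.

```python
"""Model of Azure NSG inbound rule evaluation (added example, not Azure's code)."""
from dataclasses import dataclass
import ipaddress
from typing import Iterable, List, Tuple

# Azure's well-known source address for load-balancer health probes.
AZURE_LB_PROBE_IP = "168.63.129.16"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100-4096 for custom rules; lower numbers are evaluated first
    source: str      # "*", a CIDR / single IP, or a service tag ("VirtualNetwork", "AzureLoadBalancer")
    dest_port: str   # "*", a port ("22"), a range ("1000-2000") or a comma-separated list of those
    protocol: str    # "Any", "Tcp", "Udp" or "Icmp"
    action: str      # "Allow" or "Deny"


# Default inbound rules present in every NSG. They cannot be deleted, only
# overridden by a custom rule with a lower (i.e. earlier-evaluated) priority number.
DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Any", "Deny"),
]


def _source_matches(rule_source: str, src_ip: str, vnet_prefixes: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return any(ip in ipaddress.ip_network(p) for p in vnet_prefixes)
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    # A bare address such as "203.0.113.10" is treated as a /32.
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_ports: str, port: int) -> bool:
    if rule_ports == "*":
        return True
    for part in rule_ports.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _protocol_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto in ("Any", "*") or rule_proto.lower() == proto.lower()


def evaluate(custom_rules: Iterable[Rule], src_ip: str, dest_port: int,
             protocol: str = "Tcp",
             vnet_prefixes: Iterable[str] = ("10.0.0.0/16",)) -> Tuple[str, str]:
    """Return (action, rule_name) for one inbound flow: first match in priority order wins."""
    custom_rules = list(custom_rules)
    priorities = [r.priority for r in custom_rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("Azure rejects two rules in the same direction with the same priority")
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_source_matches(rule.source, src_ip, vnet_prefixes)
                and _port_matches(rule.dest_port, dest_port)
                and _protocol_matches(rule.protocol, protocol)):
            return rule.action, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


# The two rules from the question. XX.XXX.XXX.XX is replaced by a constructed
# documentation-range address; that substitution is an assumption.
ALLOWED_CLIENT = "203.0.113.10"
QUESTION_RULES = [
    Rule("Deny-All", 1000, "*", "*", "Any", "Deny"),
    Rule("Allow-Specific", 700, ALLOWED_CLIENT, "*", "Any", "Allow"),
]


def demo() -> dict:
    """Three flows that together show the custom Deny-All is not what blocks the client."""
    return {
        # Priority 700 is evaluated before 1000, so the whitelisted client is allowed
        # whether or not the custom Deny-All exists.
        "allowed_client": evaluate(QUESTION_RULES, ALLOWED_CLIENT, 443),
        # Any other source address falls through to the custom Deny-All ...
        "other_client": evaluate(QUESTION_RULES, "198.51.100.7", 443),
        # ... and, with that rule removed, to the built-in DenyAllInBound instead.
        "other_client_no_custom_deny": evaluate(QUESTION_RULES[1:], "198.51.100.7", 443),
    }


if __name__ == "__main__":
    for flow, (action, rule) in demo().items():
        print(f"{flow:30s} -> {action} by {rule}")
```

The "other_client" case is also what happens if the client's traffic leaves through a NAT or proxy and arrives at the NSG with an egress address other than the one in Allow-Specific, which is the scenario the question raises; checking the observed source address (for example with Network Watcher's IP flow verify, as suggested in the comments) is the way to rule that in or out.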