
I have set up an LB with a backend pool (only one host for the test). I set up a network security group on the test host with the following rules:

Source: AzureLoadBalancer Destination: Any Action: Allow
Source: VirtualNetwork Destination: VirtualNetwork Action: Allow
Source: Any Destination: Any Action: Deny

I can't connect to the host through the LB (from a host in the same VNet). It's a public LB and I try to connect through the public IP.

If I set up the rule Source: Any Destination: Any Action: Allow

everything works fine.

Of course, I don't want this rule.

What's wrong with my setup?

Thanks.

Kiva
  • How do you connect to the host, via RDP or SSH? Through the host public IP or the LB public IP? – Nancy Jun 13 '18 at 10:08
  • I edited my post: it's a public LB and I try to connect through the public IP. I don't know how to connect to it differently. – Kiva Jun 13 '18 at 12:18

1 Answer

2

You need to add an inbound port rule to allow connections from a remote location to the virtual machines. Find the network security group associated with the host VNet. Add the inbound port (RDP 3389, SSH 22, or another port you define yourself) that you allow to connect to the host. Additionally, you give every rule a priority. A lower number means a higher priority.

For more information, see the guide on creating a public Basic load balancer by using the Azure portal.


Nancy
  • I don't want to allow any source to my backend. As I said in my post, I already have a rule to allow the LB and the VNet to reach my host. – Kiva Jun 13 '18 at 14:38
  • When you connect to an LB public IP from a host in the same VNet, the host will use its own public IP to connect to the LB public IP. So the source IP address is actually not associated with the LB or the VNet. You still need to add another inbound rule as I suggested above. – Nancy Jun 13 '18 at 16:51
  • I tried to whitelist the VM public IP and it works. Thanks a lot, but I don't understand why the VM doesn't use its private IP. The two VMs and the LB are in the same VNet. – Kiva Jun 14 '18 at 08:12
  • If you want to connect to vm1 through the public LB from vm2 in the same VNet as vm1, vm2 will direct traffic to the public LB front end with its own public IP; then the public LB distributes it to vm1. If you want to connect to vm1 directly from vm2 without the LB, then vm2 will use its private IP. – Nancy Jun 14 '18 at 08:44
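To make the behaviour described in the answer and its comments concrete, the following is an added example (not code from the question or the answer) that simulates NSG inbound evaluation: rules are tried in ascending priority and the first match wins. The service-tag contents, the 10.0.0.0/16 VNet range and the client VM's public IP 203.0.113.10 are constructed assumptions; 168.63.129.16 is the documented Azure load-balancer probe source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed expansion of the service tags used in the question. Real tags are
# maintained by Azure; the VirtualNetwork tag is assumed to cover 10.0.0.0/16.
SERVICE_TAGS = {
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
    "VirtualNetwork": [ipaddress.ip_network("10.0.0.0/16")],
    "Any": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass
class Rule:
    priority: int   # lower number wins, as the answer notes
    source: str     # service tag name or CIDR
    dest_port: str  # "*" or a single port number
    action: str     # "Allow" or "Deny"


def _source_matches(rule_source: str, src_ip) -> bool:
    nets = SERVICE_TAGS.get(rule_source) or [ipaddress.ip_network(rule_source)]
    return any(src_ip in n for n in nets)


def evaluate(rules, src_ip: str, dest_port: int) -> str:
    """Return the action of the first rule that matches, by ascending priority."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if _source_matches(r.source, ip) and r.dest_port in ("*", str(dest_port)):
            return r.action
    return "Deny"  # every NSG ends with an implicit DenyAllInbound


# The poster's original rule set, in priority order.
ORIGINAL = [
    Rule(100, "AzureLoadBalancer", "*", "Allow"),
    Rule(200, "VirtualNetwork", "*", "Allow"),
    Rule(4000, "Any", "*", "Deny"),
]

# Constructed public IP of the client VM (vm2): traffic sent to the public LB
# frontend arrives at vm1 with this source, not a VirtualNetwork address.
VM2_PUBLIC_IP = "203.0.113.10"

# The narrow fix from the comments: allow only that public IP, only on SSH.
FIXED = ORIGINAL + [Rule(150, VM2_PUBLIC_IP + "/32", "22", "Allow")]
```

Health probes and direct private-IP connections pass the original rules, while the same client reaching vm1 via the public LB is denied until its public IP is whitelisted, and even then only on port 22.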