
I have a Hub VNET and a VNET Gateway linked to an ExpressRoute.

I added a route table on my Gateway subnet to route all traffic to my Azure Firewall.

When I inspect the FW logs, I see some intra-subnet traffic in the Gateway Subnet. Some things in this subnet are trying to call each other on ports 10001, 20000 and 54321. It's denied because I don't have any specific rule for that, but what is this traffic and do I have to allow it in my FW?


1 Answer


• I tried to replicate your environment to understand this scenario of intra-subnet traffic between the ports 10001, 20000 and 54321. Based on this, port 54321 is used by a listening SQL Analysis Services instance, as the resources in the spoke virtual network might have been deployed with SQL Analysis Services and configured with this port for it.

• Similarly, with regard to ports 10001 and 20000, they are used for the 'Network Data Management Protocol' (NDMP), used primarily for backup of network-attached storage (NAS) devices such as your storage systems or storage resources configured in the spoke virtual networks, while port 20000 is used by the 'Distributed Network Protocol', which is used by SCADA systems as well as by a web-based Unix/Linux user administration tool. Thus, you will have to check the use-case scenarios of these ports in the spoke virtual networks based on the purpose of the applications deployed in them.

• Thus, I would suggest that you check the resources in the spoke network accordingly by temporarily allowing the traffic over these ports and checking the source of these ports for any purposeful applications deployed on the resources in the spoke virtual network.

Therefore, for checking the above ports from the spoke and hub virtual networks, please try to execute the commands below to and from the resources in the hub as well as the spoke virtual network:

  telnet <IP address of the resource> <port no.>

  Test-NetConnection -ComputerName <IP address of the resource> -Port <port>

Also, ensure that you have enabled the hub virtual network as a gateway as shown below, and that you have configured the firewall policy rules for allowing traffic over these ports within the hub and spoke network as shown below:

(Screenshots: Azure firewall policy; Network groups)

For more detailed information regarding this, kindly refer to the link below:

https://learn.microsoft.com/en-us/azure/firewall-manager/secure-hybrid-network

Kartik Bhiwapurkar
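As an added example, not part of the question or of Kartik's answer: before allowing anything, it is worth confirming from the firewall logs whether the denied 10001/20000/54321 flows really have both endpoints inside the GatewaySubnet (as the question describes) or whether they cross into it from a spoke (which is what the answer suggests investigating). The Python below parses lines in the shape of the Azure Firewall network-rule log message ("TCP request from <src>:<port> to <dst>:<port>. Action: ..."), labels each denied flow by where its endpoints sit relative to the GatewaySubnet prefix, and derives the narrowest allow rule that would cover only the intra-subnet flows. The prefix 10.0.255.0/27, the addresses, and the log lines themselves are constructed for the example; substitute your own prefix and an export of your own AzureFirewallNetworkRule logs.

```python
import ipaddress
import re
from collections import Counter

# Assumption (not given on the page): the hub VNet's GatewaySubnet prefix.
GATEWAY_SUBNET = ipaddress.ip_network("10.0.255.0/27")

# Constructed sample lines in the shape of the Azure Firewall network-rule log
# "msg" field. Addresses and source ports are made up for this example; the
# 10001, 20000 and 54321 flows mirror what the question describes.
SAMPLE_LOG = """\
TCP request from 10.0.255.4:49152 to 10.0.255.5:10001. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.0.255.5:49153 to 10.0.255.4:10001. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.0.255.5:51000 to 10.0.255.4:20000. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.0.255.4:51001 to 10.0.255.5:54321. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.1.0.10:44321 to 10.0.255.4:54321. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.1.0.10:44322 to 10.2.0.7:443. Action: Allow. Rule Collection: spoke-to-spoke. Rule: https
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
)


def parse_line(line):
    """Parse one log message into a flow dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def classify(flow, gateway_subnet=GATEWAY_SUBNET):
    """Label a flow by where its endpoints sit relative to the GatewaySubnet."""
    src_in = flow["src"] in gateway_subnet
    dst_in = flow["dst"] in gateway_subnet
    if src_in and dst_in:
        return "intra-gateway-subnet"
    if src_in or dst_in:
        return "gateway-subnet-to-other"
    return "other"


def summarize_denied(log_text, gateway_subnet=GATEWAY_SUBNET):
    """Count denied flows by (class, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or flow["action"] != "Deny":
            continue
        counts[(classify(flow, gateway_subnet), flow["proto"], flow["dport"])] += 1
    return counts


def intra_subnet_ports(log_text, gateway_subnet=GATEWAY_SUBNET):
    """Sorted (protocol, port) pairs denied between two GatewaySubnet addresses."""
    return sorted(
        {(proto, port)
         for (cls, proto, port) in summarize_denied(log_text, gateway_subnet)
         if cls == "intra-gateway-subnet"}
    )


def suggest_rule(log_text, gateway_subnet=GATEWAY_SUBNET):
    """Describe the narrowest network rule that would allow only the intra-subnet flows.

    Plain dict for illustration, mirroring the fields of an Azure Firewall
    network rule (source, destination, protocol, ports); it is not an ARM schema.
    """
    pairs = intra_subnet_ports(log_text, gateway_subnet)
    if not pairs:
        return None
    return {
        "name": "allow-gatewaysubnet-intra",
        "sourceAddresses": [str(gateway_subnet)],
        "destinationAddresses": [str(gateway_subnet)],
        "protocols": sorted({proto for proto, _ in pairs}),
        "destinationPorts": [str(port) for _, port in pairs],
    }


if __name__ == "__main__":
    for key, n in sorted(summarize_denied(SAMPLE_LOG).items()):
        print(f"{n:3d}  {key[0]:<25} {key[1]}/{key[2]}")
    print(suggest_rule(SAMPLE_LOG))
```

On the sample, the three question ports show up only with both endpoints inside 10.0.255.0/27, while the 54321 flow from 10.1.0.10 is flagged separately as spoke-to-gateway traffic and is deliberately left out of the suggested rule. Scoping both source and destination of any allow rule to the GatewaySubnet prefix keeps the exception limited to those endpoints and ports rather than opening 10001/20000/54321 across the hub and spokes.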