Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
420 questions
Public Load Balancer, Network Security Group, filter by source IP does not work
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 0%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Thomas, Matthew
0
Reputation points
tldr;
How do I restrict access to a public load balancer to specific client ip addresses?
Is it possible to see the source ip of traffic to the load balancer in the event that I see malicious traffic?
I have a public load balancer with a Virtual Machine Scale set behind it handling syslog traffic. I am trying to use the network security group to only allow specific ip's to send traffic to the load balancer. However, the only NSG rules that appear to work have a source of "any" or a source of "internet". Any rules with specific ips or ip subnets do not work. If I turn on flow logs, the source IP is always the load balancer. So I cannot even verify where the traffic is coming from.
I have diagnostics turned on for both the load balancer and the NSG but i cannot find the real source IP in any of the diagnostics or logs I can turn on.
If I give a VM a public IP, the NSG rules work as I would expect them to. Its only through the load balancer that I have an issue.
How do I restrict access to specific servers and how do I see the source ip of traffic to the load balancer?
Thanks in advance for any help or suggestions.
{count} votes
-
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee2023-10-03T04:33:47.3166667+00:00 Hi Thomas, Matthew,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are not able to block certain client IP Addresses from accessing Load Balancer backend via NSG.
This is strange.
AFAIK, Load Balancer does Direct Server Return - i.e., the source IP is never changed.
And as such, you should be able to block the traffic using NSG.
- I take it that you have associated the NSGs to the subnet of the VMSS
- Also, there is no NAT Gateway associated to this subnet.
- And all the traffic is inbound.
Now,
- In the flow logs, you must see the Source IP of the traffic as the client's
- Can you please share a screenshot of (inbound traffic) logging the public IP of the LB?
- It is quite possible you are having a higher priority rule Allowing the traffic in.
- Can you please verify the same using Check security rules applied to a virtual machine traffic
Cheers,
Kapil
-
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee
2023-10-04T13:12:55.1033333+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee
2023-10-05T10:26:25.8233333+00:00 Reaching out to check if there are any questions on this.
Please let us know if we can be of any further assistance here.
Thanks,
Kapil
Sign in to comment