Configuring ipv6 NSG rules on expressroute internal ip addresses

Peter Boers 0

When attempting to setup IPv6 NSG rules they either seem to block all traffic or none. Our setup is as follows:

Expressroute peering towards a dualstack VNet
A default route is announced over the expressroute towards the VNet
The VNet hosts an AKS service
The NSG inbound filter has a deny all rule which is a catch all
The NSG outbound filter allows all traffic

When attempting to block Ipv6 access to certain TCP or UDP ports this results in a request timeout. An example of what I'm attempting is defining an allow rule for traffic to TCP 80 and 443 to enable access to a webserver available in IPv6 and IPv4. This works fine for IPv4 but not for IPv6. When I attempt to create an IPv6 only rule, it also does not work. When I allow all traffic on IPv6 subnets it does allow traffic (but also traffic to unwanted ports). When I narrow down the source IP prefixes, I am able to filter traffic more accurately, however I also need to be able to filter on TCP and UDP ports. Is anyone experiencing similar problems?

ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2024-02-28T18:35:38.3733333+00:00

@Peter Boers
Thank you for reaching out. I understand you are facing issue while configuring NSG rule for the ipv6 addresses. For us to better troubleshoot the issue can you please provide a screenshot of the IPv6 NSG rule which is working and the rule which is not working? Thank you!
Peter Boers 0 Reputation points

2024-02-29T12:02:58.22+00:00
Thanks, I hope this information is what you need. The following rule does not work for IPv6, but does for IPv4. This is the first rule in our NSG. the result of a curl:

pboers@peterboers:~$ curl -6 --connect-timeout 1 http://api.dev.xxxxxxxxxx curl: (28) Failed to connect to api.dev.xxxxxxxxx port 80 after 502 ms: Connection timed out pboers@peterboers:~$ curl -4 --connect-timeout 1 http://api.dev.xxxxxxxxxx <html> <head><title>308 Permanent Redirect</title></head> <body> <center><h1>308 Permanent Redirect</h1></center> <hr><center>nginx</center> </body> </html>

Adding a specific IPv6 only rule also does not work:

It only starts working when I remove the destination Ports. However this basically sets it wideopen for all applications, which is what we do not want to do.

To be clear we have a Deny Any, Any policy at the end of our NSG
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2024-03-02T00:40:10.5433333+00:00

@Peter Boers

Thank you for sharing the requested information above.

I was working on a lab for this.

Can you please try setting the rule in format below? I tried on my end was successful.

The modification here is instead of using the ::/0 as the source IP address. You have to define the private IPv6 IP address range of the Vnet/Subnet. You can find this address on Azure portal Virtual Network address space.

The NSG rule which worked for me:

Can you please try this at your end and see if that it works? Thank you!
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2024-03-04T15:03:27.4133333+00:00

@Peter Boers

Just following up here, to see if you got a chance to look at my comment above. Thank you!
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2024-03-06T02:29:42.9633333+00:00

@Peter Boers

Just following up here, to see if you got a chance to look at my comment above. Thank you!
Peter Boers 0 Reputation points

2024-03-06T08:05:59.6833333+00:00

Hi @ChaitanyaNaykodi-MSFT setting this up as mentioned above this does not restrict access to ports. For whatever reason I also don't see why ::/0 would not work. This is a valid IPv6 prefix and should be able to be used in setting up NSG rules. Otherwise I would have to keep updating my firewall policy everytime a new IPv6 prefix gets announced to the internet. My conclusion is still is that IPv6 NSG's don't work, unfortunately. Is there a way to address this as a ticket with you?
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2024-03-07T20:26:32.21+00:00

@Peter Boers Thank you for getting back. I have replied to you via email.

1 answer

dashanan13 930 Reputation points

2024-02-29T14:32:46.9733333+00:00

Hei @Peter Boers ,Thank you for contacting Microsoft Q&A. I am afraid that the problem you asre facing may be due to limited support for IPv6 on Azure. According to the IPV6 Azure Vnet documentation, it says "While it's possible to create NSG rules for IPv4 and IPv6 within the same NSG, it isn't currently possible to combine an IPv4 subnet with an IPv6 subnet in the same rule when specifying IP prefixes." This may be contributing to the behavior. Please mark this as answer if it helped.
Please sign in to rate this answer.
Peter Boers 0 Reputation points

2024-02-29T14:39:52.4333333+00:00

Thanks I had already read that part of your docs, however when I create a single rule within the NSG for IPv6 it also doesn't work. Are you suggesting I create a second NSG dedicated to IPv6 traffic handling? Or is this just unsupported behaviour? According to your documentation a rule that is applied to only IPv6 traffic handling should be able to filter Application Ports

dashanan13 930 Reputation points

2024-02-29T15:04:11.18+00:00

I would suggest that, keep rules related to IPv6 in a separate NSG. This seems to be a limitation but it feels like its better governance to keep things separate.

Peter Boers 0 Reputation points

2024-02-29T15:18:53.13+00:00

I followed up and did what you suggested, I created another NSG only handling IPv6 traffic and attached it to the correct subnet. Furthermore I removed all IPv6 rules in the other NSG. Below you can see the rules, however this just results in the same behaviour as before. I guess it just doesn't work, which is worrying, as IPv6 has only been standardised for the past 25 years ;) I really hope I'm missing something obvious.....

dashanan13 930 Reputation points

2024-02-29T15:38:47.38+00:00

Hei, At this point i will need to set things up and check for my self. IPv& is still not that popular so havent had any cases around it. Ill post if it get something.
Sign in to comment

Share via

Configuring ipv6 NSG rules on expressroute internal ip addresses

1 answer