Does NSG apply to load balancer frontend IP?

Qiu, Horus 20 Reputation points
2024-06-17T06:59:41.11+00:00

I have a vnet with two subnets named sn1 and sn2. I have two vms named vm1 and vm2. vm1 is in sn1, vm2 is in sn2. I have a load balancer whose backends are vm1 and vm2. There is only one frontend IP in the load balancer in sn1.

When I associate a network security group with sn1 that has rules to block all network traffic, vm1 will be unavailable, which is expected. However, the frontend IP of the load balancer still works, despite being in sn1.

I would like to know the reason for the above behavior. Is the reason that a network security group does not apply to the load balancer frontend IP?

Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.

Accepted answer
  1. akinbade abiola 6,420 Reputation points
    2024-06-17T07:41:11.7733333+00:00

    Hello Qiu, Horus, thanks for your question.

    This is expected. NSGs in Azure do not apply to the load balancer frontend IP address. NSG can be associated with either subnets or individual VM instances within that subnet, so we can’t use NSG to block inbound IP address from the internet. See:

    Diagram of NSG processing.

    How network security groups filter network traffic

    Please let me know if you have further questions.

    You can mark it 'Accept Answer' if this helped you
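
A small Python model of the scenario in this thread, added here as an illustration and not taken from the original posts or from Azure tooling: NSG rules are evaluated per backend subnet, so a deny-all NSG on sn1 removes vm1 while the frontend keeps answering through vm2. The address ranges, the tuple rule format and the function names are constructed; the VirtualNetwork tag is simplified to the vnet CIDR, and a subnet with no NSG is assumed to allow the flow.

```python
import ipaddress

VNET = "10.0.0.0/16"        # constructed address space for the vnet
PROBE_IP = "168.63.129.16"  # source address of Azure Load Balancer health probes

# Default inbound rules present in every NSG, as (priority, source prefix, action).
DEFAULT_RULES = [
    (65000, VNET, "Allow"),              # AllowVnetInBound (tag simplified to the vnet CIDR)
    (65001, PROBE_IP + "/32", "Allow"),  # AllowAzureLoadBalancerInBound
    (65500, "0.0.0.0/0", "Deny"),        # DenyAllInBound
]

# The thread's layout: vm1 in sn1, vm2 in sn2, both in the backend pool.
BACKENDS = {"vm1": "sn1", "vm2": "sn2"}
DENY_ALL = [(100, "0.0.0.0/0", "Deny")]  # the "block all traffic" NSG from the question

def nsg_allows(custom_rules, source_ip):
    """Lowest priority number that matches decides; None means no NSG is associated."""
    if custom_rules is None:
        return True  # assumption of this model: no NSG, no filtering
    src = ipaddress.ip_address(source_ip)
    for _prio, prefix, action in sorted(custom_rules + DEFAULT_RULES):
        if src in ipaddress.ip_network(prefix):
            return action == "Allow"
    return False

def reachable_backends(backends, subnet_nsgs, client_ip):
    """Backends that pass the health probe and accept the client's flow.

    Each backend is checked against the NSG of its own subnet; the subnet
    that holds the frontend IP is not an input to the decision.
    """
    return [vm for vm, subnet in backends.items()
            if nsg_allows(subnet_nsgs.get(subnet), PROBE_IP)
            and nsg_allows(subnet_nsgs.get(subnet), client_ip)]

if __name__ == "__main__":
    # Constructed client inside the vnet calling the frontend IP.
    print(reachable_backends(BACKENDS, {"sn1": DENY_ALL}, "10.0.3.4"))
```

To close the path through the frontend in this model, every subnet (or NIC) that hosts a backend needs the restricting NSG, not only the subnet where the frontend IP lives.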
