Azure NSG: Same subnet, Same addresses in source and destination

Badr HOUSSNI 46 Reputation points
2020-08-04T14:20:36.717+00:00

Hi everyone,

I am working on a case where two IPs on the same subnet (with an NSG) have to talk to each other on the same ports.
I was wondering if it's OK to put the same IPs in source and destination as shown below:
15500-image.png

Or should I do it more old-school like this:
15459-image.png

thank you very much :)
Regards,
Brad

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

Accepted answer
  1. GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee
    2020-08-05T11:08:33.657+00:00

    Hello @Badr HOUSSNI ,

    If you have two IPs on the same subnet, then the below default NSG rules will come into the picture:

    AllowVNetInBound
    Priority  Source          Source ports  Destination     Destination ports  Protocol  Access
    65000     VirtualNetwork  0-65535       VirtualNetwork  0-65535            Any       Allow

    AllowVnetOutBound
    Priority  Source          Source ports  Destination     Destination ports  Protocol  Access
    65000     VirtualNetwork  0-65535       VirtualNetwork  0-65535            Any       Allow

    This means all the VMs within the same subnet connected to a default NSG will be able to talk to each other on all the ports (if open).

    However, it's also important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. For example, if a rule is added to the subnet-associated NSG which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. Another rule would have to be added specifically to allow this.

    In your case if you have denied all inbound and outbound traffic on the NSG with high priority rules, then you have to add specific rules to allow communication between the VMs which you would like to connect. So you can use either one of the approaches you have specified above.
    The ability to specify multiple individual IP addresses and ranges in a rule is referred to as augmented security rules.

    Please refer : https://video2.skills-academy.com/en-us/azure/virtual-network/security-overview

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
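The rule evaluation the accepted answer describes, modelled as an added example (this is not Microsoft's code, nor code from this thread). It evaluates inbound NSG rules the way the documentation describes them: lowest priority number first, first match wins, with the default AllowVNetInBound / AllowAzureLoadBalancerInBound / DenyAllInBound rules at 65000-65500 appended after the custom ones. The VNet address space, the VM addresses, the rule names and the port are constructed for the example. It shows that two VMs on one subnet are allowed by the default rule, that a custom DenyAll rule at a higher priority breaks that, and that both options from the question (one augmented rule listing both IPs as source and destination, or one classic rule per direction) restore the traffic while leaving other hosts and ports denied.

```python
"""Toy model of Azure NSG inbound rule evaluation (illustration only)."""
import ipaddress
from dataclasses import dataclass, field

# Assumed VNet address space; the VirtualNetwork service tag resolves to it.
VNET_PREFIXES = ["10.0.0.0/16"]

SERVICE_TAGS = {
    "VirtualNetwork": VNET_PREFIXES,
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's health-probe source
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}

@dataclass
class Rule:
    name: str
    priority: int
    access: str                 # "Allow" or "Deny"
    sources: list               # IPs, CIDRs or service tags
    destinations: list
    dest_ports: list = field(default_factory=lambda: ["*"])  # "*", "443", "1000-2000"
    protocol: str = "*"         # "*", "Tcp", "Udp", "Icmp"

def _addr_match(addr, specs):
    ip = ipaddress.ip_address(addr)
    for spec in specs:
        for prefix in SERVICE_TAGS.get(spec, [spec]):
            if ip in ipaddress.ip_network(prefix, strict=False):
                return True
    return False

def _port_match(port, specs):
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

# Azure's default inbound rules, as listed in the NSG documentation.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", ["VirtualNetwork"], ["VirtualNetwork"]),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", ["AzureLoadBalancer"], ["*"]),
    Rule("DenyAllInBound", 65500, "Deny", ["*"], ["*"]),
]

def evaluate_inbound(custom_rules, src, dst, port, protocol="Tcp"):
    """Return (access, rule_name) of the first matching rule by priority."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if (_addr_match(src, rule.sources) and _addr_match(dst, rule.destinations)
                and _port_match(port, rule.dest_ports)):
            return rule.access, rule.name
    return "Deny", "<no rule>"  # unreachable: DenyAllInBound always matches

# Constructed addresses: VM1 and VM2 share a subnet, OTHER sits in another one.
VM1, VM2, OTHER = "10.0.0.4", "10.0.0.5", "10.0.1.7"
DENY_ALL = Rule("DenyAllCustom", 4000, "Deny", ["*"], ["*"])
# Option 1 from the question: the same IP list as source and destination.
AUGMENTED = Rule("AllowVm1Vm2", 100, "Allow", [VM1, VM2], [VM1, VM2], ["1433"], "Tcp")
# Option 2 ("old-school"): one rule per direction.
CLASSIC = [
    Rule("AllowVm1ToVm2", 100, "Allow", [VM1], [VM2], ["1433"], "Tcp"),
    Rule("AllowVm2ToVm1", 101, "Allow", [VM2], [VM1], ["1433"], "Tcp"),
]

def scenarios():
    return {
        "default": evaluate_inbound([], VM1, VM2, 1433),
        "deny_all": evaluate_inbound([DENY_ALL], VM1, VM2, 1433),
        "augmented": evaluate_inbound([DENY_ALL, AUGMENTED], VM1, VM2, 1433),
        "augmented_reverse": evaluate_inbound([DENY_ALL, AUGMENTED], VM2, VM1, 1433),
        "classic": evaluate_inbound([DENY_ALL] + CLASSIC, VM2, VM1, 1433),
        "other_host": evaluate_inbound([DENY_ALL, AUGMENTED], OTHER, VM2, 1433),
        "other_port": evaluate_inbound([DENY_ALL, AUGMENTED], VM1, VM2, 3389),
    }

if __name__ == "__main__":
    for name, (access, rule) in scenarios().items():
        print(f"{name:18} -> {access} ({rule})")
```

One point the model makes visible: the augmented rule is symmetric, so it also allows VM1 to VM1 and VM2 to VM2, whereas the classic per-direction rules can express a one-way allow. Pick the augmented form for brevity only when both directions really are intended.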


2 additional answers

  1. Andreas Baumgarten 102.1K Reputation points MVP
    2020-08-04T14:55:29.487+00:00

    Based on the official document of Microsoft the following is allowed for source and destination IP:

    Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group.

    Source: Security Rules

    My understanding is your "oldschool example" is the way to go -> individual IP address

    Maybe this is helpful.

    Regards

    Andreas Baumgarten

    (Please don't forget to Accept as answer if the reply is helpful)


  2. Matteo 101 Reputation points
    2020-08-04T15:19:24.817+00:00

    Just one question: if you are talking about an NSG linked to a subnet and both machines are part of the same subnet, by default the two machines are able to talk to each other if you did not apply any deny rule at NIC level with another NSG or at the client level with a firewall.

    Just to extend the context a little bit more: all the VMs within all the subnets of the same VNet can reach each other by default; the deny is for traffic from outside the VNet that does not come through the load balancer.

    If you apply an NSG at the NIC level of each machine you can handle it from there. It doubles the effort, but it circumvents the bug concerns; from the syntax perspective the NSG accepts it.