Azure NSG rules for Azure Bastion

Aaron Krytus 1

I am looking for the outbound ports from the VM subnet required for Azure Bastion service to function.

I have found this MS Article, but this only applies to the NSG applied to the Bastion subnet.

I have a rule [4096]: DenyAllOutbound traffic the prevents all internet and internal vnet traffic. This supersedes the default built in rules and prevents the Bastion service from working properly. I have added a rule to allow all traffic to the Bastion Subnet, but it also requires some type of traffic to the internet. I tested 3389, 443, and 80 with no luck.

What ports are required to go out to the internet to make Bastion work properly?

ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2022-09-09T04:19:46.433+00:00

Hello @Aaron Krytus , Welcome to the Microsoft Q&A forum.

From the article you shared above the last section talks about the Target VM's subnet. Azure Bastion will reach to the target VM over private IP. RDP/SSH ports (ports 3389/22 respectively, or custom port values if you are using the custom port feature as a part of Standard SKU) need to be opened on the target VM side over private IP. As a best practice, you can add the Azure Bastion Subnet IP address range in this rule to allow only Bastion to be able to open these ports on the target VMs in your target VM subnet.

I do see that you have added the Azure Bastion subnet to the VM's NSG from your screenshot above. Can you please confirm if you remove the 4096 rule you are able to establish connectivity with Bastion? if not can you run a IP flow verify test for your VM to see if any other NSG is blocking this connectivity. Thank you!
Aaron Krytus 1 Reputation point

2022-09-09T12:38:07.04+00:00

@ChaitanyaNaykodi-MSFT

Thank you for your response.

Yes if I remove 4096 or add a duplicate rule of 65001 allowing internet on the VM subnet, then Bastion works.

What port(s) need to be opened to the internet on the VM subnet to allow Bastion to work?

-Aaron

1 answer

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2022-09-09T04:21:53.48+00:00
Hi @Aaron Krytus ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand more about NSG requirements for Azure Bastion Subnet.

I take it that the NSG you have shared is applied to the Bastion VNet

I see you have allowed Inbound traffic for Bastion subnet already

You can follow this document which clearly describes the NSG requirements (Which you have described)

https://video2.skills-academy.com/en-us/azure/bastion/bastion-nsg?source=recommendations

You should allow outbound traffic from Bastion Vnet to the target VM/VM's subnet (I see you had already done this)

Along with this, you must allow traffic on the destination VMs from the Bastion subnet

Inbound Rules

Outbound Rules

Please feel free to let us know should you require more details.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Aaron Krytus 1 Reputation point

2022-09-09T12:34:31.113+00:00

anonymous user-MSFT

Thank you for your response.

I have not applied the NSG rules you provided to the Bastion subnet to troubleshoot this issue.

The issue is when I block internet traffic from the VM subnet. What ports need to be opened to the internet?

-Aaron

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2022-09-12T07:42:23.663+00:00

Hi @Aaron Krytus ,

Technically, you do not have to allow access to or from Internet in TargetVM for Azure Bastion to work.

In the VM level, these are the required NSG configuration.

Can you please make sure if there is an NSG associated with the BastionSubnet?

If not, I would recommend you attach one and allow outbound Internet access as described above (or for testing, you can allow all)

And for inbound, allow your public IP and give it a try.

I am suspecting this could be because standard IPs are secure by default and require NSGs to be configured to open Ports. In case there is no NSG in AzureBastionSubnet at all, then the Public IP of bastion maybe closed for incoming connections

Cheers,
Kapil.

Aaron Krytus 1 Reputation point

2022-09-12T16:19:46.873+00:00

anonymous user-MSFT

Thank you for your reply. I believe that you may be confused what my issue is. You are referencing ingress traffic and the Microsoft provided document. Unfortunately that is not my issue.

Bastion works fine until I block egress (outbound) traffic to the service tag (Internet). This can bee seen in my screenshot on rule #4096.

The question I need answered is, "what ports to the internet (egress traffic) are required on the VM subnet to allow Bastion to work properly"?

Just to be clear, I am NOT asking what ports are required from the Bastion subnet. This is already documented and understood.

Thank you again for your help,

Aaron

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2022-09-12T16:44:01.887+00:00

Hi @Aaron Krytus ,

Thanks for the update.

I do understand that this setup works when you allow Internet from the target VM.

However, that should not be the case.
There is no requirement to allow Internet traffic in target VM for Bastion to work.

This issue seems to be an isolated one and it would require a deeper investigation, so if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support

Cheers,
Kapil

Kumar, Rupesh 0 Reputation points

2023-03-15T21:47:08.4666667+00:00

Hi Kapil, Are you able to share the terraform nsg for bastion, if available please?

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-03-21T12:06:25.9966667+00:00

Kumar, Rupesh (Contractor)

You can find the requirements for a Bastion Subnet NSG here

For terraform format, you can refer to

Terraform NSG

Terraform NSG Rules

Cheers,

Kapil

Chris 0 Reputation points

2024-01-05T16:20:13.2166667+00:00

@Aaron Krytus I'm not sure if you ever got this working, regardless hopefully it'll help someone else searching for an answer having read this frustrating exchange between you explaining the issue clearly and you receiving some vague responses.

Between that and the fact that the documentation for the Bastion NSG's shows a ruleset which has explicit allows for services, and then the blanket default allow all within virtualnetwork is still set. When you (and myself) have set explicit denyalls with a higher priority to properly tie the NSG down = unable to authenticate.

Well, in my scenario I was trying to authenticate with credentials of an ADDS domain I had setup in Azure in the same subscription, and with the denyall rule, was blocking Kerberos port 88. Allowing TCP 88 Outbound on the Bastion NSG to the DC's, and ensuring I had an inbound rule on the NSG applied to my DC's to allow the same TCP 88 traffic to get in solved my issue.

NSG Flow Logs were the key to seeing exactly what was being blocked.

Obvious on reflection, but confusing when combined with the open NSG ruleset in the documentation.
Sign in to comment

Share via

Azure NSG rules for Azure Bastion

1 answer