This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

No inbound traffic to external firewall interfaces in Azure and change to default NSG behaviour

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

No inbound traffic to external firewall interfaces in Azure and change to default NSG behaviour

BatD
L4 Transporter

‎09-14-2018 08:09 AM

Just wanted to share my experience with recent project and make you aware of the change in Azure default behaviour, which can save you some troubleshooting.

 

As you may now, earlier this year Azure introduced Standard SKU for Load Balancers and Public IP addresses. The standard SKU has better functionality and the recommendations is to use it in all new deployments.

 

I had a project to deploy firewalls in Azure with standard SKU external load balancers. Everything seemed fine for internal traffic and outbound traffic, however inbound Internet traffic was not working and I could not see any packets arriving on the external interfaces. In this project a third party company was responsible for the Azure configuration and they kept on claiming that the problem was with the firewall configuration and that nothing is blocking traffic in Azure because there were “no NSGs” applied.

 

After wasting almost a day in troubleshooting and after re-creating the issue in my own environment, I discovered that the NSG behaviour has changed in Standard SKU and even the Azure experts were not aware of that.

 

Previously not having an NSG meant “all traffic allowed”. Now in Standard SKU all inbound to the Standard SKU resources (Public IPs and Public Load Balancers) is blocked by default, unless explicitly allowed by a NSG. It is a small detail and is in fact mentioned in the Azure documentation, but it is easy to miss and being aware of it can save you valuable time troubleshooting.

 

“Communication with a standard SKU resource fails until you create and associate a network security group and explicitly allow the desired inbound traffic.”

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm

 

 

(1)
2 REPLIES 2

BradHancock
L0 Member

‎10-24-2023 09:00 PM

Just saved us a ton of ton. Thanks for posting.

0 Likes Likes

JayGolf
Community Team Member
In response to BradHancock

‎10-24-2023 11:24 PM

Thanks for sharing!

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes
  • 4148 Views
  • 2 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks