No inbound traffic to external firewall interfaces in Azure and change to default NSG behaviour


Just wanted to share my experience with a recent project and make you aware of the change in Azure default behaviour, which can save you some troubleshooting.

 

As you may know, earlier this year Azure introduced Standard SKU for Load Balancers and Public IP addresses. The standard SKU has better functionality and the recommendation is to use it in all new deployments.

 

I had a project to deploy firewalls in Azure with standard SKU external load balancers. Everything seemed fine for internal traffic and outbound traffic, however inbound Internet traffic was not working and I could not see any packets arriving on the external interfaces. In this project a third party company was responsible for the Azure configuration and they kept on claiming that the problem was with the firewall configuration and that nothing is blocking traffic in Azure because there were “no NSGs” applied.

 

After wasting almost a day in troubleshooting and after re-creating the issue in my own environment, I discovered that the NSG behaviour has changed in Standard SKU and even the Azure experts were not aware of that.

 

Previously not having an NSG meant “all traffic allowed”. Now in Standard SKU all inbound traffic to the Standard SKU resources (Public IPs and Public Load Balancers) is blocked by default, unless explicitly allowed by an NSG. It is a small detail and is in fact mentioned in the Azure documentation, but it is easy to miss and being aware of it can save you valuable time troubleshooting.

 

“Communication with a standard SKU resource fails until you create and associate a network security group and explicitly allow the desired inbound traffic.”

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm
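
The check described in the post, as an added example that is not part of the original post: a small audit that flags interfaces fronted by a Standard SKU public IP or load balancer with no NSG allowing inbound traffic. The inventory is constructed, and its schema and all names in it (`fw1-eth1`, `nsg-untrust`, and so on) are hypothetical, not the Azure API format.

```python
# Added example: constructed inventory in a simplified, hypothetical schema
# (not the Azure API format). Each NIC records the SKU of the public IP or
# public load balancer that fronts it.
INVENTORY = {
    "nsgs": {
        "nsg-untrust": [{"direction": "Inbound", "access": "Allow",
                         "source": "Internet", "port": "443"}],
        "nsg-default-only": [],  # no custom rules, only Azure's default rules
    },
    "subnets": {"untrust": None, "dmz": "nsg-default-only"},  # subnet -> NSG
    "nics": [
        {"name": "fw1-eth1", "subnet": "untrust", "nsg": None, "sku": "Standard"},
        {"name": "fw2-eth1", "subnet": "untrust", "nsg": "nsg-untrust", "sku": "Standard"},
        {"name": "fw3-eth1", "subnet": "dmz", "nsg": None, "sku": "Standard"},
        {"name": "old-eth1", "subnet": "untrust", "nsg": None, "sku": "Basic"},
    ],
}

def allows_internet_inbound(rules):
    """True if any custom rule allows inbound traffic from the Internet.
    Simplification: rule priorities and explicit deny rules are not evaluated."""
    return any(r["direction"] == "Inbound" and r["access"] == "Allow"
               and r["source"] in ("Internet", "*") for r in rules)

def inbound_verdict(nic, inv):
    """Classify whether Internet traffic can reach this interface."""
    # NSGs on the subnet and on the NIC are both evaluated for inbound traffic.
    attached = [n for n in (inv["subnets"][nic["subnet"]], nic["nsg"]) if n]
    if not attached:
        if nic["sku"] == "Standard":
            return "blocked: Standard SKU and no NSG on NIC or subnet"
        return "open: Basic SKU with no NSG allows all inbound"
    for name in attached:
        # An NSG with only default rules still denies inbound from the Internet.
        if not allows_internet_inbound(inv["nsgs"][name]):
            return f"blocked: {name} has no inbound allow rule"
    return "allowed"

def audit(inv):
    """Return {nic name: verdict} for every interface in the inventory."""
    return {nic["name"]: inbound_verdict(nic, inv) for nic in inv["nics"]}

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY).items():
        print(f"{name:10} {verdict}")
```
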

 

 
