No inbound traffic to external firewall interfaces in Azure and change to default NSG behaviour

Just wanted to share my experience with a recent project and make you aware of the change in Azure default behaviour, which can save you some troubleshooting.

As you may know, earlier this year Azure introduced the Standard SKU for Load Balancers and Public IP addresses. The Standard SKU has better functionality, and the recommendation is to use it in all new deployments.

I had a project to deploy firewalls in Azure with Standard SKU external load balancers. Everything seemed fine for internal traffic and outbound traffic; however, inbound Internet traffic was not working and I could not see any packets arriving on the external interfaces. In this project a third-party company was responsible for the Azure configuration, and they kept on claiming that the problem was with the firewall configuration and that nothing was blocking traffic in Azure because there were “no NSGs” applied.

After wasting almost a day in troubleshooting and after re-creating the issue in my own environment, I discovered that the NSG behaviour has changed in Standard SKU and even the Azure experts were not aware of that.

Previously, not having an NSG meant “all traffic allowed”. With the Standard SKU, all inbound traffic to Standard SKU resources (Public IPs and Public Load Balancers) is blocked by default unless it is explicitly allowed by an NSG. It is a small detail, and it is in fact mentioned in the Azure documentation, but it is easy to miss, and being aware of it can save you valuable troubleshooting time.

“Communication with a standard SKU resource fails until you create and associate a network security group and explicitly allow the desired inbound traffic.”

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm
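Added example, not from the original post: the Azure CLI steps that give a Standard SKU external interface the explicit inbound allow the quote above describes, written so that by default it only prints the commands (set DRY_RUN=0 to actually run them). The resource group, VNet, subnet and NSG names, the region and the example port 443 are assumptions; allow only the ports your firewall actually terminates on its external interface.

```shell
#!/usr/bin/env bash
# Added example (not the post author's configuration).
# Assumed names: rg-fw, vnet-fw, snet-fw-ext, nsg-fw-ext, westeurope.
set -eu

RG="${RG:-rg-fw}"
VNET="${VNET:-vnet-fw}"
SUBNET="${SUBNET:-snet-fw-ext}"     # subnet holding the firewall external NICs
NSG="${NSG:-nsg-fw-ext}"
LOCATION="${LOCATION:-westeurope}"
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the az commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: an NSG must exist. Without one, a Standard SKU Public IP / Public LB
# drops every inbound packet before it reaches the firewall.
create_nsg() {
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
}

# Step 2: explicit inbound allow. Usage: allow_inbound NAME PRIORITY PROTOCOL PORTS [SOURCE]
# SOURCE defaults to the Internet service tag; keep PORTS to what the firewall serves.
allow_inbound() {
  name="$1"; priority="$2"; proto="$3"; ports="$4"; src="${5:-Internet}"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name "$name" \
    --priority "$priority" --direction Inbound --access Allow --protocol "$proto" \
    --source-address-prefixes "$src" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges "$ports"
}

# Step 3: associate the NSG with the external subnet (a per-NIC association also works).
attach_nsg_to_subnet() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group "$NSG"
}

# Check: shows which NSG (if any) is currently bound to the subnet.
show_subnet_nsg() {
  run az network vnet subnet show --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --query networkSecurityGroup.id --output tsv
}

create_nsg
allow_inbound allow-https-in 100 Tcp 443
attach_nsg_to_subnet
show_subnet_nsg
```

With DRY_RUN left at 1 the script is safe to run anywhere; compare the printed rule against the quote above to see that the allow is explicit, not the old implicit default.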
