CourtKLAFilm on Mon, 21 Aug 2017 21:23:11

My goal is to create private subnets and allow only certain ports (RDP, SMB, and DNS) inbound from the on-premise networks and through the VPN.  I also don't want inbound access to this private subnet from the internet but allow outbound internet traffic.  My confusion comes with understanding what ports are allowed by default into the subnet from the on-prem network and vice versa.  It seems that all ports are open by default.

Also, is there a difference between associating the NSG to a NIC or a subnet? Is there a supersede impact when associating NSGs to either resource? I'd prefer to associate NSGs to subnets as I plan to group VMs on roles and the desired port access, i.e. Web, DB and DCs.

Thank you,




Wayne.Yang on Tue, 22 Aug 2017 01:38:48

Hi, CourtKLAFilm

1. Difference between associating NSG to a NIC or Subnet:

NIC : Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.
Subnet : Security rules are applied to any traffic to/from any resources connected to the VNet.

2. An NSG can be associated to a NIC, Subnet, VM. When you associate NSGs to these resources, traffic can be further restricted.

3. Yes, you can associate NSGs to subnets to reach your destination. More details about Azure NSG and how to deploy it: Filter network traffic with network security groups

Best regards!

CourtKLAFilm on Tue, 22 Aug 2017 22:12:59

I found this article that discusses how NSGs are evaluated independently and how those associated to a subnet are first.

This article also discusses the defaults, which is * from and to VirtualNetwork tag.  I'm assuming that my VPN is considered a VirtualNetwork tag.

So, in order for me to protect my private subnet from the on-prem network, I have to create a higher priority rule to deny the matching default allow all for both incoming and outgoing. Then create rules to allow desired ports and protocols (limited to TCP and UDP) above the deny rule. Associate this NSG to my private subnet.
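
The inbound rule layout described in the post above, modelled as an added example that is not part of the original thread: a small Python evaluator that applies NSG rules in priority order (lowest number first, first match wins) against Azure's built-in inbound defaults. The address ranges, rule names and custom priorities are constructed, and the model follows the thread's assumption that the VPN-connected on-prem range falls under the VirtualNetwork tag.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address spaces (assumptions, not values from the thread).
VNET = ipaddress.ip_network("10.1.0.0/16")
ON_PREM = ipaddress.ip_network("192.168.0.0/16")
# Assumption from the thread: the VPN-connected on-prem range is part of VirtualNetwork.
TAGS = {"VirtualNetwork": [VNET, ON_PREM], "*": [ipaddress.ip_network("0.0.0.0/0")]}

@dataclass
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    source: str     # service tag, "*" or a CIDR
    protocol: str   # "Tcp", "Udp" or "*"
    ports: tuple    # destination ports; () means any port
    access: str     # "Allow" or "Deny"

    def matches(self, src_ip, protocol, port):
        nets = TAGS.get(self.source) or [ipaddress.ip_network(self.source)]
        return (any(ipaddress.ip_address(src_ip) in n for n in nets)
                and self.protocol in ("*", protocol)
                and (not self.ports or port in self.ports))

# Built-in inbound defaults (the AzureLoadBalancer rule at 65001 is left out).
DEFAULTS = [Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", (), "Allow"),
            Rule("DenyAllInBound", 65500, "*", "*", (), "Deny")]

# Custom rules for the private subnet: allows sit above the deny,
# and the deny sits above the default allow at 65000.
CUSTOM = [
    Rule("Allow-RDP-SMB-OnPrem", 100, str(ON_PREM), "Tcp", (3389, 445), "Allow"),
    Rule("Allow-DNS-OnPrem", 110, str(ON_PREM), "*", (53,), "Allow"),
    Rule("Deny-VNet-Inbound", 4000, "VirtualNetwork", "*", (), "Deny"),
]

def evaluate(rules, src_ip, protocol, port):
    """Return (access, rule name) for the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, protocol, port):
            return rule.access, rule.name
    return "Deny", "no-match"

if __name__ == "__main__":
    for flow in [("192.168.5.10", "Tcp", 3389), ("192.168.5.10", "Tcp", 80),
                 ("203.0.113.7", "Tcp", 3389), ("10.1.2.4", "Tcp", 445)]:
        print(flow, "defaults only:", evaluate(DEFAULTS, *flow),
              "| with custom rules:", evaluate(CUSTOM + DEFAULTS, *flow))
```

With this layout the deny rule also matches sources elsewhere in the VNet, since they share the VirtualNetwork tag; any VM-to-VM traffic the subnet needs would require its own allow rule above it.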