Azure Network Security Groups not working? (attached to subnet)
I am trying to secure some subnets in a virtual network.
I have Virtual Network 1 with Subnets A, B, C.
I have a VM in each subnet with default endpoints (RDP and WinRM).
I used the following commands to create and attach the Network Security Group to subnet C:
$SGName = 'SecurityGroupC'
$location = 'West US'
$virtualNetwork = '1'
$subnet = 'C'
New-AzureNetworkSecurityGroup -Name $SGName -Location $Location -Label $SGName
Get-AzureNetworkSecurityGroup -Name $SGName | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $VirtualNetwork -SubnetName $Subnet
I can see the default rules by running:
Get-AzureNetworkSecurityGroup -Name $SGName -Detailed
Which shows the expected default rules:
Name : SecurityGroupC
Rules :
Type: Inbound
Name Priority Action Source Address Source Port Destination Destination Protocol
Prefix Range Address Prefix Port Range
---- -------- ------ --------------- ------------- ---------------- -------------- --------
ALLOW VNET INBOUND 65000 Allow VIRTUAL_NETWORK * VIRTUAL_NETWORK * *
ALLOW AZURE LOAD 65001 Allow AZURE_LOADBALAN * * * *
BALANCER INBOUND CER
DENY ALL INBOUND 65500 Deny * * * * *
Type: Outbound
Name Priority Action Source Address Source Port Destination Destination Protocol
Prefix Range Address Prefix Port Range
---- -------- ------ --------------- ------------- ---------------- -------------- --------
ALLOW VNET OUTBOUND 65000 Allow VIRTUAL_NETWORK * VIRTUAL_NETWORK * *
ALLOW INTERNET 65001 Allow * * INTERNET * *
OUTBOUND
DENY ALL OUTBOUND 65500 Deny * * * * *
Based on these rules my RDP endpoint on my VM in subnet C should stop working. However I am still able to RDP directly to my VM from the internet. Is there something I am missing?
Answer
When you create a VM it will create a RDP endpoint automatically. It appears that this setting overrides your Network Security Group values.
I usually add an ACL to it "0.0.0.0/0" "DENY" so I can re-enable it if I need to.