Azure NSG not working as expected


I have an Azure external load balancer with a backend pool that contains one Kubernetes master server and has a load balancing rule on port 443.

I added a rule with priority 500 to deny all traffic coming from the Internet on port 443 to the Kubernetes master server. This works fine.

I added a rule with priority 400 to accept traffic coming from a certain public IP, because I only want to be able to connect from that IP. I expected that I should be able to connect, but I can't.

If I change the source of the accept rule from that IP to Internet, then it works fine. What am I missing?

Kind Regards


"I added a rule with priority 400 to accept traffic coming from a certain public IP, because I only want to be able to connect from that IP. I expected that I should be able to connect, but I can't.

If I change the source of the accept rule from that IP to Internet, then it works fine. What am I missing?"

Things that you might have missed:

  1. Make sure you are not specifying the source port! It is taken from a pool of available ports, referred to as ephemeral ports, on the client from which you initiate the connection.
  2. You are blocking the Azure Load Balancer IP, which is allowed by a default rule. Load Balancer health probes originate from the IP address 168.63.129.16 and must not be blocked for probes to mark your instance up. Review "probe source IP address" for details.

Create a separate rule to allow this IP; as this is a MSFT IP, you should have no issues allowing it. Place it before the deny-all rule (priority < 500).

That should fix your issue for sure!

Diagnosis & RCA:
Why this is happening: the Azure Load Balancer probe IP is being blocked, and hence the backend server is being marked as unhealthy by the load balancer.
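As an added illustration of the two points above (this is example code written for this page, not something posted by the asker or the answerer, and not Azure's own rule engine): the following Python model evaluates inbound NSG rules the way Azure does, lowest priority number first, first match wins, with the default rules appended at the end. It runs the asker's broken rule set (allow rule with a fixed source port of 443, deny-Internet at 500) and the corrected set (source port "*", plus an AzureLoadBalancer allow below 500) against three constructed packets: the admin's client, the health probe from 168.63.129.16, and an unrelated Internet host. The VNet range 10.0.0.0/16, the admin IP 203.0.113.7 and the ephemeral ports are assumptions made up for the example; the Internet service tag is simplified to "any address outside the VNet".

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions for this example (not from the original post).
VNET = ipaddress.ip_network("10.0.0.0/16")              # assumed VNet address space
PROBE_IP = ipaddress.ip_address("168.63.129.16")        # documented health-probe source
ADMIN_IP = "203.0.113.7"                                # assumed "certain public IP"


@dataclass
class Rule:
    name: str
    priority: int       # lower number = evaluated earlier
    access: str         # "Allow" or "Deny"
    source: str         # CIDR, single IP, or service tag
    source_port: str    # "*", a port, or "lo-hi"
    dest_port: str


def source_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Resolve a source address spec against one packet's source IP."""
    if spec == "*":
        return True
    if spec == "AzureLoadBalancer":
        return ip == PROBE_IP
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":
        # Simplified: everything outside the VNet. Note that the probe
        # address is a public IP, so a plain "Internet" deny catches it.
        return ip not in VNET
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


# Azure's built-in inbound defaults, always present and evaluated last.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def evaluate(rules, src_ip: str, src_port: int, dst_port: int):
    """Return (access, rule name) of the first matching rule, NSG style."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (source_matches(r.source, ip)
                and port_matches(r.source_port, src_port)
                and port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    raise AssertionError("DenyAllInBound always matches")


def broken_rules():
    """The asker's setup: source port pinned to 443, probe IP not exempted."""
    return [
        Rule("allow-admin-ip", 400, "Allow", f"{ADMIN_IP}/32", "443", "443"),
        Rule("deny-internet-443", 500, "Deny", "Internet", "*", "443"),
    ]


def fixed_rules():
    """Corrected setup: any source port, probe allowed before the deny."""
    return [
        Rule("allow-admin-ip", 400, "Allow", f"{ADMIN_IP}/32", "*", "443"),
        Rule("allow-lb-probe", 450, "Allow", "AzureLoadBalancer", "*", "443"),
        Rule("deny-internet-443", 500, "Deny", "Internet", "*", "443"),
    ]


if __name__ == "__main__":
    for label, rules in (("broken", broken_rules()), ("fixed", fixed_rules())):
        print(label)
        print("  admin client :", evaluate(rules, ADMIN_IP, 51234, 443))
        print("  health probe :", evaluate(rules, str(PROBE_IP), 40000, 443))
        print("  other host   :", evaluate(rules, "198.51.100.9", 51234, 443))
```

With the broken set, the admin connection from ephemeral port 51234 falls through the priority-400 rule (source port 443 does not match) and is denied by the priority-500 Internet rule, and the probe is denied by that same rule because it sits above the default AllowAzureLoadBalancerInBound at 65001. With the fixed set, both are allowed while the unrelated host is still denied.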