How to block ports from public and allow ports within Vnet in Azure?


I've set up a site-to-point VPN in Azure. I want to allow ports 3389, 22, 5432, 8080 for users that log in using the VPN client and at the same time allow only port 8080 at the public IP for this VM. These configs can be done at the NSG. How can I achieve this?

In the VM/Networking tab, I can see NSG attached to a subnet and another NSG attached to the NIC.


Best answer:

All you need is a rule allowing 8080 from the internet; the NSG default rule already allows communication on the VirtualNetwork tag, which includes VPN gateway routes.


Answer:

Firstly, wherever possible try not to assign NSGs to NICs. Not that it makes for bad practice; it just makes for greater management difficulty. Though in some very tight security scenarios this may be necessary.

Your point-to-site VPN will be served by a VPN Gateway, and clients will be issued an IP address from the client address pool.

In your scenario, you will need to create an inbound rule to allow connections from the VPN clients to the target VM's internal IP address in any and all NSGs which are applied to:

  • The Gateway subnet
  • The subnet of the VM's NIC
  • The VM's NIC

If you don't have an NSG applied to the Gateway subnet, you can leave it as it is.

You will need to get the client address pool from the VPN gateway and use the CIDR-notated network address to populate the source CIDR range. Example below:

[Image: NSG rule]
Ensure that you have assigned an appropriate priority to the rule, such that it is processed before any deny action rules which may take precedence.

You may wish to exclude 8080 from this rule, and instead create a separate one which allows any source address access to it. This rule would need to exist on the subnet and NIC NSGs.
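To see how the two answers fit together (the default AllowVnetInBound rule covering VPN clients, the extra allow rule for 8080 from the internet, and the priority caveat), here is an added example that is not part of either answer: a small model of NSG inbound rule evaluation. The addresses (VNet space 10.0.0.0/16, client pool 172.16.201.0/24) are constructed, and it assumes, as the accepted answer states, that the VirtualNetwork service tag covers the point-to-site client pool; it only models source, destination port and priority, not protocol or destination address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (not from the page): the VNet address space
# and the gateway's point-to-site client address pool.
VNET_SPACE = "10.0.0.0/16"
VPN_CLIENT_POOL = "172.16.201.0/24"     # assumed client address pool
# Service tags modelled as prefix lists. Per the accepted answer, we assume the
# VirtualNetwork tag also covers the point-to-site client pool.
TAGS = {
    "VirtualNetwork": [VNET_SPACE, VPN_CLIENT_POOL],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "*": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number = evaluated first
    access: str             # "Allow" or "Deny"
    source: str             # CIDR prefix or service tag
    dest_ports: frozenset   # empty = any destination port

# Azure's default inbound rules, present in every NSG at priorities 65000+.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", frozenset()),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", frozenset()),
    Rule("DenyAllInBound", 65500, "Deny", "*", frozenset()),
]

def source_matches(src_ip: str, source: str) -> bool:
    """Does src_ip fall inside the rule's source prefix or service tag?"""
    if source == "Internet":          # Internet = everything outside the VirtualNetwork tag
        return not source_matches(src_ip, "VirtualNetwork")
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in TAGS.get(source, [source]))

def evaluate(custom_rules, src_ip: str, dst_port: int):
    """First match by ascending priority decides, as in Azure; returns (rule name, allowed)."""
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (not r.dest_ports or dst_port in r.dest_ports) and source_matches(src_ip, r.source):
            return r.name, r.access == "Allow"
    return "no-match", False

# The two rules the answers describe: 8080 from anywhere, management ports from VPN clients.
ALLOW_8080_INTERNET = Rule("Allow-8080-Internet", 100, "Allow", "Internet", frozenset({8080}))
ALLOW_MGMT_FROM_VPN = Rule("Allow-Mgmt-VPN", 110, "Allow", VPN_CLIENT_POOL, frozenset({22, 3389, 5432, 8080}))
if __name__ == "__main__":
    for src, port in [("203.0.113.10", 8080), ("203.0.113.10", 3389), ("172.16.201.5", 3389)]:
        print(src, port, evaluate([ALLOW_8080_INTERNET, ALLOW_MGMT_FROM_VPN], src, port))
```

With no custom rules, a VPN client on 3389 is already allowed by AllowVnetInBound while an internet source on 8080 hits DenyAllInBound; a custom Deny-all at a lower priority number than the allow rule would shadow it, which is the priority point made above.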