If Azure NSGs are stateful, why do the Application Load Balancer docs recommend leaving outbound access unfettered?


From: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#required-security-rules

Outbound to the internet: Allow outbound traffic to the internet for all destinations. This rule is created by default for NSGs. You must not override it with a manual Deny rule to ensure smooth operations of your application gateway. Outbound NSG rules that deny any outbound connectivity must not be created.

If Azure NSGs are stateful, why do the Application Load Balancer docs recommend leaving outbound access unfettered?

I was expecting no statement in the documentation regarding outbound access.


Answer by Arko:

The reason why the Application Load Balancer documentation recommends leaving outbound access unfettered is to ensure smooth operations of the application gateway. Outbound rules that deny any outbound connectivity must not be created to prevent any disruptions in the application gateway's operations. Although Azure NSGs are stateful, outbound access needs to be allowed to ensure that the application gateway can communicate with the internet. Azure Application Gateway, which includes Application Load Balancers (ALBs), requires unrestricted outbound access to the internet for several operational tasks that are not in response to incoming traffic. These include health checks that may target external endpoints, telemetry and diagnostics reporting, fetching updates and security patches, and essential communications with other Azure services for seamless operation and integration. Blocking or restricting outbound traffic can interfere with these functions and impact the reliability and security of the Application Gateway.

For instance, an Application Gateway might need to reach out to a CDN for fetching content or to Azure Active Directory for authentication processes, both of which are initiated by the Gateway itself and not as a response to incoming traffic.

Therefore, it's recommended to maintain the default rule allowing outbound traffic to ensure these processes are not interrupted.

References: Application Gateway infrastructure configuration - Network security groups (https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#required-security-rules)
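The question and the answer above both turn on one distinction: a stateful NSG lets the return half of an already-admitted flow through without consulting any rule, but a connection the gateway itself opens is a new flow and is evaluated against the outbound rule set. The following toy model is an added example, not part of the original post and not Azure's actual NSG engine. Rule names and priorities for the default rules follow Azure's documented defaults; the zone labels ("Internet", "VirtualNetwork"), port numbers, the `AllowClientHttps` rule and the `DenyInternetOutBound` rule are constructed for illustration. It shows that a manual outbound Deny never breaks replies to client traffic, but does block gateway-initiated flows such as the probes and telemetry the answer mentions, which is exactly what the documentation warns about.

```python
"""Toy stateful NSG: first-match-by-priority rules plus a connection table.
Added example, not Azure's implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number wins, as in Azure NSGs
    direction: str       # "Inbound" or "Outbound"
    action: str          # "Allow" or "Deny"
    src: str = "*"       # "*" or a constructed zone label
    dst: str = "*"
    dport: int = 0       # 0 means any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The return half of this flow (reply packets)."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class StatefulNSG:
    rules: List[Rule]
    established: Set[Flow] = field(default_factory=set)

    @staticmethod
    def _matches(rule: Rule, flow: Flow) -> bool:
        return ((rule.src == "*" or rule.src == flow.src)
                and (rule.dst == "*" or rule.dst == flow.dst)
                and rule.dport in (0, flow.dport))

    def evaluate(self, direction: str, flow: Flow) -> str:
        # Stateful part: packets belonging to a flow already admitted in
        # either direction are accepted without consulting any rule.
        if flow in self.established or flow.reverse() in self.established:
            return "Allow (established)"
        # Stateless part: first matching rule in priority order decides.
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.direction == direction and self._matches(rule, flow):
                if rule.action == "Allow":
                    self.established.add(flow)
                return f"{rule.action} ({rule.name})"
        return "Deny (no matching rule)"


# Names and priorities of Azure's default NSG rules; zone labels are constructed.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dst="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


def app_gateway_verdicts(deny_internet_outbound: bool) -> Dict[str, str]:
    """Evaluate three constructed flows with and without a manual outbound Deny."""
    rules = list(DEFAULT_RULES) + [
        # Constructed customer rule admitting client HTTPS to the gateway subnet.
        Rule("AllowClientHttps", 100, "Inbound", "Allow",
             src="Internet", dst="VirtualNetwork", dport=443),
    ]
    if deny_internet_outbound:
        # The kind of rule the documentation says must not be created.
        rules.append(Rule("DenyInternetOutBound", 100, "Outbound", "Deny", dst="Internet"))
    nsg = StatefulNSG(rules)

    client_request = Flow("Internet", 51000, "VirtualNetwork", 443)   # client -> gateway
    gateway_initiated = Flow("VirtualNetwork", 40000, "Internet", 443)  # gateway -> external endpoint
    return {
        "client_request": nsg.evaluate("Inbound", client_request),
        "client_reply": nsg.evaluate("Outbound", client_request.reverse()),
        "gateway_initiated": nsg.evaluate("Outbound", gateway_initiated),
    }


if __name__ == "__main__":
    for deny in (False, True):
        print(f"manual outbound Deny present: {deny}")
        for name, verdict in app_gateway_verdicts(deny).items():
            print(f"  {name:18s} -> {verdict}")
```

Running the block prints both scenarios: in each case the client request is admitted by `AllowClientHttps` and its reply passes as established state, but the gateway-initiated flow flips from `Allow (AllowInternetOutBound)` to `Deny (DenyInternetOutBound)` once the manual Deny outranks the default rule. That is the practical reading of "stateful": it protects replies, not the gateway's own outbound dependencies.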