Hello,
I'm having problems getting NSGs to work on my VMs located in my VNet. I have a VNet that has P2S and S2S connections running. I'd like to implement an NSG at the subnet level to deny Internet to the VNet and then use NSGs at the VM level to control fine-grained access for inter-subnet traffic. The subnet-level NSG works fine. However, when I associate an NSG to a VM with one rule (DENY ALL), I am still able to access the VM (ssh, https, etc.). Has anyone else experienced this problem? I'm in US East 2.
Here is my subnet-level NSG:

Type: Inbound

Name                               Priority  Action  Source Address Prefix  Source Port Range  Destination Address Prefix  Destination Port Range  Protocol
----                               --------  ------  ---------------------  -----------------  --------------------------  ----------------------  --------
P2S VPN                            200       Allow   192.168.5.0/24         *                  *                           *                       *
S2S VPN                            210       Allow   172.16.0.0/25          *                  *                           *                       *
DENY_INTERNET                      3500      Deny    INTERNET               *                  *                           *                       *
DENY ALL                           4096      Deny    *                      *                  *                           *                       *
ALLOW VNET INBOUND                 65000     Allow   VIRTUAL_NETWORK        *                  VIRTUAL_NETWORK             *                       *
ALLOW AZURE LOAD BALANCER INBOUND  65001     Allow   AZURE_LOADBALANCER     *                  *                           *                       *
DENY ALL INBOUND                   65500     Deny    *                      *                  *                           *                       *
And my VM-level NSG:

Type: Inbound

Name                               Priority  Action  Source Address Prefix  Source Port Range  Destination Address Prefix  Destination Port Range  Protocol
----                               --------  ------  ---------------------  -----------------  --------------------------  ----------------------  --------
DENY ALL                           4096      Deny    *                      *                  *                           *                       *
ALLOW VNET INBOUND                 65000     Allow   VIRTUAL_NETWORK        *                  VIRTUAL_NETWORK             *                       *
ALLOW AZURE LOAD BALANCER INBOUND  65001     Allow   AZURE_LOADBALANCER     *                  *                           *                       *
DENY ALL INBOUND                   65500     Deny    *                      *                  *                           *                       *