
Help on restrict traffic between subnets using NSG (ARM)

Hello,

I would like to deploy an ARM template with 1 VNET and 3 subnets inside.

I would like to restrict network traffic between these subnets through NetworkSecurityGroup. In particular, from Mgmt subnet only TCP traffic on port 80 and 22 should be allowed. From Backend subnet, no traffic should be allowed.

These 3 subnets have the following address spaces:

- Mgmt: 10.0.1.0/24

- Backend:  10.0.0.0/24

- Apps: 10.0.10.0/24 

I've created an NSG with 3 rules:

- Allow HTTP (80) from 10.0.1.0/24

- Allow SSH (22) from 10.0.1.0/24

- Deny all other traffic from Virtual Network

Because of the "Default Rules" built into an NSG, a deny rule has been created which should block all traffic that is not explicitly allowed.
The issue is that from the Backend subnet it's still possible to reach the Apps subnet.

Any ideas ?

Here is the NSG applied to the Apps subnet.

    {
      "apiVersion": "2015-05-01-preview",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "AppsSubnetNSG",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "inboundhttp",
            "properties": {
              "description": "inbound rule 01",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "10.0.1.0/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 200,
              "direction": "Inbound"
            }
          },
          {
            "name": "inboundssh",
            "properties": {
              "description": "inbound ssh 01",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "22",
              "sourceAddressPrefix": "10.0.1.0/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 204,
              "direction": "Inbound"
            }
          },
          {
            "name": "notcp",
            "properties": {
              "description": "block TCP",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "*",
              "access": "Deny",
              "priority": 304,
              "direction": "Inbound"
            }
          }
        ]
      }
    }
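The behaviour described in the post can be reproduced offline with a small model of how an NSG evaluates inbound flows. This is an added example, not code from the original post or from Azure. It assumes the VNet address space is 10.0.0.0/16 (so the VirtualNetwork service tag covers all three subnets), a target host 10.0.10.4 in the Apps subnet, and a set of constructed test flows; the `denyvnet` rule is a hypothetical corrected version of the posted `notcp` rule with protocol `*` instead of `Tcp`. The evaluator models the documented semantics: rules are tried in ascending priority order, the first match decides, and the built-in defaults AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500) sit after every custom rule.

```python
"""Minimal model of Azure NSG inbound evaluation: first match by ascending priority."""
import ipaddress
from dataclasses import dataclass

# Assumption: the VNet address space is 10.0.0.0/16 (the post does not state it);
# the VirtualNetwork service tag expands to that range. 168.63.129.16 is the
# documented Azure load balancer / platform address behind AzureLoadBalancer.
SERVICE_TAGS = {
    "VirtualNetwork": [ipaddress.ip_network("10.0.0.0/16")],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    src: str        # CIDR prefix, service tag or "*"
    dst: str
    dst_port: str   # "*", "80" or a range such as "1000-2000"
    access: str     # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int   # 0 for protocols that carry no port (ICMP)


# Azure's built-in inbound default rules, always present after the custom ones.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "*", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]


def _prefix_matches(prefix: str, ip: str) -> bool:
    if prefix == "*":
        return True
    addr = ipaddress.ip_address(ip)
    nets = SERVICE_TAGS.get(prefix) or [ipaddress.ip_network(prefix, strict=False)]
    return any(addr in net for net in nets)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _protocol_matches(rule_proto: str, flow_proto: str) -> bool:
    return rule_proto == "*" or rule_proto.lower() == flow_proto.lower()


def evaluate(rules, flow: Flow):
    """Return (access, rule_name) of the first rule that matches, lowest priority number first."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_protocol_matches(r.protocol, flow.protocol)
                and _prefix_matches(r.src, flow.src_ip)
                and _prefix_matches(r.dst, flow.dst_ip)
                and _port_matches(r.dst_port, flow.dst_port)):
            return r.access, r.name
    raise AssertionError("DenyAllInBound matches everything, so this is unreachable")


# The three custom rules from the post, as applied to the Apps subnet.
POSTED_RULES = [
    Rule("inboundhttp", 200, "Tcp", "10.0.1.0/24", "*", "80", "Allow"),
    Rule("inboundssh", 204, "Tcp", "10.0.1.0/24", "*", "22", "Allow"),
    Rule("notcp", 304, "Tcp", "VirtualNetwork", "*", "*", "Deny"),
]

# Hypothetical fix: the same allow rules, but the catch-all deny covers every protocol.
FIXED_RULES = POSTED_RULES[:2] + [Rule("denyvnet", 304, "*", "VirtualNetwork", "*", "*", "Deny")]

# Constructed sample flows towards an (assumed) Apps-subnet host 10.0.10.4.
FLOWS = {
    "mgmt_http": Flow("10.0.1.5", "10.0.10.4", "Tcp", 80),
    "backend_rdp": Flow("10.0.0.5", "10.0.10.4", "Tcp", 3389),
    "backend_ping": Flow("10.0.0.5", "10.0.10.4", "Icmp", 0),
    "backend_dns": Flow("10.0.0.5", "10.0.10.4", "Udp", 53),
}


def compare(flows=FLOWS):
    """Decide every flow under the posted rule set and under the fixed one."""
    return {name: {"posted": evaluate(POSTED_RULES, f), "fixed": evaluate(FIXED_RULES, f)}
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13s} posted -> {result['posted']}   fixed -> {result['fixed']}")
```

Running it shows the gap: TCP from Backend is stopped by `notcp` at priority 304, but ICMP and UDP from Backend match nothing before the built-in AllowVnetInBound rule at 65000 and are allowed, which is enough for a ping test to "reach" the Apps subnet. With the deny rule widened to protocol `*`, all three Backend flows are denied while Mgmt HTTP and SSH still pass. Two things worth checking on the real deployment: that the subnet resource actually references `AppsSubnetNSG` in its `networkSecurityGroup` property (the fragment above only defines the NSG), and that a VirtualNetwork-wide deny also blocks traffic between hosts inside the Apps subnet itself, since 10.0.10.0/24 is part of the VNet too.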

