Azure Traffic Manager
An Azure service that is used to route incoming network traffic for high performance and availability.
132 questions
Unexpected Network Traffic Reaching VM Despite NSG Configuration in Azure
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 63%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
najla.mazouz@vneuron.com
5
Reputation points
We are experiencing an issue where network traffic is reaching our Virtual Machine, even though our Network Security Group (NSG) is configured to block this traffic. For example, traffic on port 80 is being logged by UFW on the VM, despite the NSG rules explicitly denying this port.
Configuration Details:
- NSG rules are set to deny all incoming traffic on port 80.
- UFW on the VM confirms that traffic on port 80 is being blocked, but it still shows incoming packets. Issue:
- We observe incoming traffic on port 80 in the VM logs.
- This occurs even when the NSG configurations should be blocking it.
- This raises questions about the efficiency of the NSG
--Why is traffic reaching the VM despite the NSG rules?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Sai Prasanna Sinde 3,845 Reputation points Microsoft Vendor2025-02-13T08:53:16.74+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Please go through the below troubleshooting steps:
- First make sure that the NSG is correctly associated with the VM's network interface or subnet. You can verify this in the Azure portal by navigating to the VM's networking settings or the subnet's associated NSGs and diagnose the network security rules by using NSG Diagnostic in Network watcher.
- Next, verify if there are any other NSGs applied to the VM or subnet that might be allowing the traffic. Check the priority of the NSG rules to make sure that the deny rule for port 80 has a higher priority than any allow rules.
- If an allow rule has a higher priority, it will override the deny rule, allowing traffic on port 80. When creating NSG rules, it's crucial to space the priority numbers to allow for future rule additions without requiring renumbering of existing rules.
- Examine the NSG for any application rules or service tags that might be allowing the traffic. Application rules allow traffic based on predefined application types, while service tags represent groups of IP address prefixes for Azure services. If any of these rules or tags allow traffic on port 80, it will bypass the deny rule.
- Determine if there are any virtual network appliances or other network devices that might be bypassing the NSG. Some appliances might have their own routing or filtering mechanisms that could override NSG rules Additionally, check for UDRs that might be overriding traffic destined for private endpoints and potentially bypassing NSG rules. UDRs provide a way to customize network traffic routing, and if misconfigured, they can interfere with NSG functionality.
- Analyze network logs for insights into the traffic flow and identify the source of the incoming traffic. Azure Network Watcher provides tools like NSG flow logs, which capture information about traffic flowing through an NSG, and IP flow verify, which helps you determine whether a specific NSG rule is blocking traffic. You can also use Connection Troubleshoot to diagnose connectivity issues between a VM and another endpoint.
- To isolate whether UFW is causing any conflicts with the NSG rules, temporarily disable it on the VM If the traffic stops after disabling UFW, review your UFW rules to ensure they align with your NSG configuration.
- Otherwise temporarily remove all other NSGs and ASGs (if possible) to isolate the issue. Create a single, simple "deny all on port 80" rule at the network interface level. This will help you determine if the problem is with the NSG itself or a conflict.
Kindly let us know if the above helps or you need further assistance on this issue.
-
najla.mazouz@vneuron.com 5 Reputation points
2025-02-13T19:00:09.2333333+00:00 Hi,
Thank you for your detailed response.
I have verified that the only Network Security Group is the one applied directly to the VM, and no other NSGs are present at the subnet level. The NSG is configured to allow only ports 443 and 8443, with all other traffic implicitly denied by default.
besides the NSG diagnostics confirm that DenyAllInBound is deniedAdditionally, I have Packetbeat running inside the VM, which shows packets arriving on port 80, but they are being blocked by UFW. This traffic should not reach the VM in the first place, as the NSG default deny rule should have blocked it.
Also please note that it is impossible for me to send requests on this port 80 unless I whitelist my IP, as it is blocked by the NSG. However, I am seeing successful attempts to bypass the NSG from malicious IPs.
I appreciate your help in understanding this behavior.
Thank you.
Sign in to comment
1 answer
Sort by: Most helpful
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more