Hi, I am using the same NSG for 2 subnets. Subnet 1 has VM1, Subnet 2 has VM2. VM2 to VM1 outbound traffic is allowed by the default NSG rule. I have created a custom rule which denies packets from VM2 to VM1 over HTTP.
Here are the images of network watcher -
So, does VM2 send packets to VM1, and does VM1 accept the packets from VM2? Please help me understand this.
No, I guess you made a rule allowing HTTP 10.0.1.5 to 10.0.0.5 "Subnet",
but traffic is blocked 10.0.0.5 to 10.0.1.5 "Subnet".
The default rule might still be there on the 10.0.0.1 Subnet.
What you are seeing is correct, and let me explain why.
NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without obstruction. NSGs will not end active TCP connections either.
Based upon what you have shown above, VM2 can establish a TCP connection on port 80 with VM1, but VM1 cannot establish a TCP connection on port 80 with VM2. When broken down further -> VM2 can view a website hosted on VM1, but VM1 cannot view a website hosted on VM2.
If you would like to block traffic between the VMs, you will need to deny both inbound and outbound traffic between the VMs.
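To make the stateful evaluation described in the answer above concrete, here is an added toy model of NSG rule processing. It is illustration code written for this page, not Azure's implementation and not something posted in the thread. It assumes the VM addresses from the earlier reply (10.0.0.5 in subnet 1, 10.0.1.5 in subnet 2), a VirtualNetwork service tag that resolves to a constructed 10.0.0.0/16, and a simplified set of default rules; all rule names are constructed. It shows why a single Deny rule blocks connection attempts in one direction only, why HTTP responses still flow back on an established connection, and why blocking both VMs from reaching each other needs Deny rules covering both directions of connection establishment.

```python
"""Toy model of how Azure NSG rules gate TCP connection *establishment*.

Added illustration, not Azure code. Addresses, the VNet range and the rule
names below are constructed for the scenario discussed in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first; first match wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    source: str         # CIDR, single address, or "*"
    destination: str    # CIDR, single address, or "*"
    dest_port: str      # single port or "*"


# Assumption: the 'VirtualNetwork' service tag resolves to this address space.
VNET = "10.0.0.0/16"
VM1, VM2 = "10.0.0.5", "10.0.1.5"   # VM1 in subnet 1, VM2 in subnet 2

# Simplified stand-ins for the default rules Azure appends to every NSG
# (the load-balancer and Internet defaults are omitted as irrelevant here).
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVnetInBound",  65000, "Inbound",  "Allow", VNET, VNET, "*"),
    Rule("DenyAllInBound",    65500, "Inbound",  "Deny",  "*",  "*",  "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", VNET, VNET, "*"),
    Rule("DenyAllOutBound",   65500, "Outbound", "Deny",  "*",  "*",  "*"),
]


def _in_prefix(prefix: str, addr: str) -> bool:
    return prefix == "*" or ip_address(addr) in ip_network(prefix)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def first_match(rules: List[Rule], direction: str, src: str, dst: str, dport: int) -> Rule:
    """Return the matching rule with the lowest priority number (NSG semantics)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and _in_prefix(r.source, src)
                and _in_prefix(r.destination, dst) and _port_ok(r.dest_port, dport)):
            return r
    raise LookupError("unreachable: the DenyAll defaults match every flow")


class Nsg:
    """One NSG associated with both subnets, plus a connection table."""

    def __init__(self, custom_rules: List[Rule]):
        self.rules = list(custom_rules) + DEFAULT_RULES
        self.established: Set[Tuple[str, str, int]] = set()

    def connect(self, src: str, dst: str, dport: int) -> bool:
        # The SYN is checked Outbound as it leaves src's subnet and Inbound as
        # it enters dst's subnet; the same NSG evaluates both because it is
        # associated with both subnets.
        if first_match(self.rules, "Outbound", src, dst, dport).access == "Deny":
            return False
        if first_match(self.rules, "Inbound", src, dst, dport).access == "Deny":
            return False
        self.established.add((src, dst, dport))
        return True

    def reply_allowed(self, server: str, client: str, dport: int) -> bool:
        # Return traffic of an established connection is not re-evaluated
        # against the rules, so a Deny covering server -> client does not
        # interrupt the responses.
        return (client, server, dport) in self.established


def scenario_one_sided() -> Tuple[bool, bool, bool]:
    """Only VM1 -> VM2 on port 80 is denied: the situation the answer describes."""
    nsg = Nsg([Rule("DenyVM1toVM2Http", 100, "Inbound", "Deny", VM1, VM2, "80")])
    vm2_to_vm1 = nsg.connect(VM2, VM1, 80)      # VM2 can browse a site on VM1
    vm1_to_vm2 = nsg.connect(VM1, VM2, 80)      # VM1 cannot browse a site on VM2
    replies = nsg.reply_allowed(VM1, VM2, 80)   # VM1's HTTP responses still flow
    return vm2_to_vm1, vm1_to_vm2, replies


def scenario_both_directions() -> Tuple[bool, bool]:
    """Deny both inbound and outbound between the VMs, as the answer advises."""
    nsg = Nsg([
        Rule("DenyVM1toVM2Http", 100, "Inbound",  "Deny", VM1, VM2, "80"),
        Rule("DenyVM2toVM1Http", 110, "Outbound", "Deny", VM2, VM1, "80"),
    ])
    return nsg.connect(VM2, VM1, 80), nsg.connect(VM1, VM2, 80)


if __name__ == "__main__":
    print("one-sided deny  (VM2->VM1, VM1->VM2, replies):", scenario_one_sided())
    print("deny both ways  (VM2->VM1, VM1->VM2):", scenario_both_directions())
```

The model evaluates only connection establishment and keeps a connection table, which is the behaviour the answer relies on: once `connect` succeeds, `reply_allowed` returns True regardless of any Deny rule in the reverse direction, so a one-sided Deny never stops the responses of a connection the other side was allowed to open.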