Cannot access websites hosted on Azure VM through VPN

Michael Torbett 0

I have an Azure virtual machine hosting public facing websites that I can access fine on and off network. However, when I login to VPN, those sites are no longer accessible (this website can't be reached). I feel confident that DNS is configured correctly and I cannot see any inbound/outbound rules in the network security group causing this. However I'm not a networking expert. How would I create an inbound/outbound rule to allow vpn access (VPN IP Address: 999.999.999.99) to my websites?

Any other ideas what might be the cause of this issue.

Thank you for your help.

Michael

Bruce (SqlWork.com) 70,376 Reputation points

2025-01-28T21:35:33.8+00:00

VPN networks often have their own outgoing ip block lists.
Ganesh Patapati 3,290 Reputation points Microsoft Vendor

2025-01-28T22:17:27.5066667+00:00
Hi Michael Torbett

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

To allow access to your websites from the VPN IP address, you may need to create inbound and outbound rules in the NSG associated with your Azure VM.

Inbound Rule

Go to the Azure Portal: Navigate to the Azure portal and find your VM.

Network Interface: Click on the network interface associated with your VM.

Network Security Group: Under the "Settings" section, find the "Network security group" linked to the network interface.

Inbound Security Rules: Click on "Inbound security rules."

Add a New Rule:

Click on "+ Add" to create a new inbound rule.

Source: Select "IP Addresses."

Source IP Address: Enter the VPN IP address (e.g., 999.999.999.99).

Source Port Ranges: Leave this as *.

Destination: Select "Any" or specify the IP address of your VM.

Destination Port Ranges: Enter the port your website is using (e.g., 80 for HTTP or 443 for HTTPS).

Protocol: Select "TCP."

Action: Select "Allow."

Priority: Set a priority number (lower numbers have higher priority, e.g., 100).

Name: Give it a descriptive name (e.g., Allow-VPN-Access).

Save: Click "Add" to save the rule.

Refer: Filter network traffic with a network security group

Outbound Rule

Outbound Security Rules: Click on "Outbound security rules."

Add a New Rule:

Click on "+ Add" to create a new outbound rule.

Source: Select "Any."

Source Port Ranges: Leave this as *.

Destination: Select "IP Addresses."

Destination IP Address: Enter the public IP address of your website or leave it as * to allow all.

Destination Port Ranges: Enter the port your website is using (e.g., 80 or 443).

Protocol: Select "TCP."

Action: Select "Allow."

Priority: Set a priority number (e.g., 100).

Name: Give it a descriptive name (e.g., Allow-Outbound-Access).

Save: Click "Add" to save the rule.

How network security groups filter network traffic

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic

make sure to Ping and tracert to test connectivity to the public IP of your VM from the VPN client. This can assist in identifying where the connection is failing.

If your virtual machine is running Windows, please verify the Windows Firewall settings to ensure that inbound traffic is permitted on the required ports.

If above is unclear and/or you are unsure about something add a comment below.

If it was helpful, please click "Upvote and Accept Answer" on his post to let us know.

We are here to assist you, so if you have any further questions, please feel free to ask.

Regards,

Ganesh
Ganesh Patapati 3,290 Reputation points Microsoft Vendor

2025-01-30T00:01:22.2533333+00:00
Hi Michael Torbett

Greetings!

I would like to follow up with the thread.

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

Looking forward to your response and appreciate your time on this.

If it was helpful, please click "Upvote and Accept Answer" on his post to let us know.

We are here to assist you, so if you have any further questions, please feel free to ask.

Regards,

Ganesh
Michael Torbett 0 Reputation points

2025-01-30T13:46:28.83+00:00

Thank you both for the replies! They have been very helpful! Here's where I'm at so far:Bruce, my systems administrator checked our VPNs outgoing block list. My sites are not on the list.

Ganesh, I followed your instructions and setup both inbound and outbound rules on my virtual network. Unfortunately it did not solve the problem. However, it was very helpful! I'm pretty sure this confirms that its not an Azure rule blocking traffic.

My systems administrators are looking at our enterprise firewall system, but so far have not found anything.

I will update you on any progress made.

Michael
Ganesh Patapati 3,290 Reputation points Microsoft Vendor

2025-01-30T19:48:14.8566667+00:00
Hello Michael Torbett

Thanks for the reply,

As there is no issue from the Azure end, I kindly request you to please contact your IT team for assistance in resolving your issue.

Hope this helps!

Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

I appreciate your time and look forward to your response.

1 answer

VIVEK DWIVEDI 105 Reputation points Microsoft Employee

2025-01-30T03:19:32.5333333+00:00
Hi @Michael Torbett ,

Greetings!
Adding a few points.

You don't have to create outbound NSG rule for this scenario. Only NSG inbound rule should suffice your requirement.

There could be a few possible causes here:
a. To verify NSG is not an issue, create an inbound rule as suggested by Ganesh in above comment and keep the source IP as Any (0.0.0.0/0) and destination port as Any (*) Protocol as TCP. Sometimes doing this is not possible if there is a policy that restricts you from allowing the traffic in that case, connect to VPN first. Check what is your public IP and then whitelist it in NSG rule.
Also ensure that this rule has priority 100 and should be above of any deny rule.

b. You can utilize Azure network watcher to check if there is any traffic blocked in Azure.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-troubleshoot-overview
https://learn.microsoft.com/en-us/azure/network-watcher/ip-flow-verify-overview

c. Check the firewall status at the OS level where site is hosted. Try whitelisting the IP address or disabling OS firewall for testing.

d. Possibly your VPN brings any kind of proxy which doesn't have the website allowed. Or VPN is not able to resolve the DNS name of the website. Please post the error screenshot in that case.

I hope this helps.
Please sign in to rate this answer.
Michael Torbett 0 Reputation points

2025-01-30T16:38:12.7233333+00:00

Vivek,

Thank you for your suggestions. I followed your instructions with creating an NSG Inbound rule with destination port as * and source IP as Any (0.0.0.0/0). Unfortunately I'm still unable to access the websites using VPN.

I have tried creating a packet capture through network watcher, but so far it hasn't revealed what the cause is. I will look into running some of the other tools you suggest.

My agency uses an enterprise firewall system and that may be the culprit. So far my system admins haven't found issue, but I'm hopeful.

I will check with my IT staff on whether our VPN uses a proxy but I do not believe so.

I will also check to see if VPN is able to resolve the DNS name of the website.

Thanks again! I will follow up when I have some more information.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Cannot access websites hosted on Azure VM through VPN

1 answer

Your answer