แก้ไข

แชร์ผ่าน


Diagnose network security rules

In this article, you learn how to use Azure Network Watcher NSG diagnostics to check and troubleshoot security rules applied to your Azure traffic through network security groups and Azure Virtual Network Manager. NSG diagnostics checks if the traffic is allowed or denied by applied security rules.

The example in this article shows you how a misconfigured network security group can prevent you from using Azure Bastion to connect to a virtual machine.

Prerequisites

Create a virtual network and a Bastion host

In this section, you create a virtual network with two subnets and an Azure Bastion host. The first subnet is used for the virtual machine, and the second subnet is used for the Bastion host. You also create a network security group and apply it to the first subnet.

  1. In the search box at the top of the portal, enter virtual networks. Select Virtual networks from the search results.

    Screenshot shows how to search for virtual networks in the Azure portal.

  2. Select + Create. In Create virtual network, enter or select the following values in the Basics tab:

    Setting Value
    Project Details
    Subscription Select your Azure subscription.
    Resource Group Select Create new.
    Enter myResourceGroup in Name.
    Select OK.
    Instance details
    Virtual network name Enter myVNet.
    Region Select (US) East US.
  3. Select the Security tab, or select the Next button at the bottom of the page.

  4. Under Azure Bastion, select Enable Azure Bastion and accept the default values:

    Setting Value
    Azure Bastion host name myVNet-Bastion.
    Azure Bastion public IP Address (New) myVNet-bastion-publicIpAddress.
  5. Select the IP Addresses tab, or select Next button at the bottom of the page.

  6. Accept the default IP address space 10.0.0.0/16 and edit the default subnet by selecting the pencil icon. In the Edit subnet page, enter the following values:

    Setting Value
    Subnet details
    Name Enter mySubnet.
    Security
    Network security group Select Create new.
    Enter mySubnet-nsg in Name.
    Select OK.
  7. Select the Review + create.

  8. Review the settings, and then select Create.

Important

Hourly pricing starts from the moment Bastion host is deployed, regardless of outbound data usage. For more information, see Pricing. We recommend that you delete this resource once you've finished using it.

Create a virtual machine

In this section, you create a virtual machine and a network security group applied to its network interface.

  1. In the search box at the top of the portal, enter virtual machines. Select Virtual machines from the search results.

  2. Select + Create and then select Azure virtual machine.

  3. In Create a virtual machine, enter or select the following values in the Basics tab:

    Setting Value
    Project Details
    Subscription Select your Azure subscription.
    Resource Group Select myResourceGroup.
    Instance details
    Virtual machine name Enter myVM.
    Region Select (US) East US.
    Availability Options Select No infrastructure redundancy required.
    Security type Select Standard.
    Image Select Windows Server 2022 Datacenter: Azure Edition - x64 Gen2.
    Size Choose a size or leave the default setting.
    Administrator account
    Username Enter a username.
    Password Enter a password.
    Confirm password Reenter password.
  4. Select the Networking tab, or select Next: Disks, then Next: Networking.

  5. In the Networking tab, select the following values:

    Setting Value
    Network interface
    Virtual network Select myVNet.
    Subnet Select default.
    Public IP Select None.
    NIC network security group Select Basic.
    Public inbound ports Select None.
  6. Select Review + create.

  7. Review the settings, and then select Create.

Add a security rule to the network security group

In this section, you add a security rule to the network security group associated with the network interface of myVM. The rule denies any inbound traffic from the virtual network.

  1. In the search box at the top of the portal, enter network security groups. Select Network security groups from the search results.

  2. From the list of network security groups, select myVM-nsg.

  3. Under Settings, select Inbound security rules.

  4. Select + Add. In the Networking tab, enter or select the following values:

    Setting Value
    Source Select Service Tag.
    Source service tag Select VirtualNetwork.
    Source port ranges Enter *.
    Destination Select Any.
    Service Select Custom.
    Destination port ranges Enter *.
    Protocol Select Any.
    Action Select Deny.
    Priority Enter 1000.
    Name Enter DenyVnetInBound.
  5. Select Add.

    Screenshot shows how to add an inbound security rule to the network security group in the Azure portal.

Note

The VirtualNetwork service tag represents the address space of the virtual network, all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. For more information, see Service tags.

Check security rules applied to a virtual machine traffic

Use NSG diagnostics to check the security rules applied to the traffic originated from the Bastion subnet to the virtual machine.

  1. In the search box at the top of the portal, search for and select Network Watcher.

  2. Under Network diagnostic tools, select NSG diagnostics.

  3. On the NSG diagnostics page, enter or select the following values:

    Setting Value
    Target resource
    Target resource type Select Virtual machine.
    Virtual machine Select myVM virtual machine.
    Traffic details
    Protocol Select TCP. Other available options are: Any, UDP and ICMP.
    Direction Select Inbound. Other available option is: Outbound.
    Source type Select IPv4 address/CIDR. Other available option is: Service Tag.
    IPv4 address/CIDR Enter 10.0.1.0/26, which is the IP address range of the Bastion subnet. Acceptable values are: single IP address, multiple IP addresses, single IP prefix, multiple IP prefixes.
    Destination IP address Leave the default of 10.0.0.4, which is the IP address of myVM.
    Destination port Enter * to include all ports.

    Screenshot showing required values for NSG diagnostics to test inbound connections to a virtual machine in the Azure portal.

  4. Select Run NSG diagnostics to run the test. Once NSG diagnostics completes checking all security rules, it displays the result.

    Screenshot showing the result of inbound connections to the virtual machine as Denied.

    The result shows that there are three security rules assessed for the inbound connection from the Bastion subnet:

    • GlobalRules: this security admin rule is applied at the virtual network level using Azure Virtual Network Manage. The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
    • mySubnet-nsg: this network security group is applied at the subnet level (subnet of the virtual machine). The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
    • myVM-nsg: this network security group is applied at the network interface (NIC) level. The rule denies inbound TCP traffic from the Bastion subnet to the virtual machine.
  5. Select View details of myVM-nsg to see details about the security rules that this network security group has and which rule is denying the traffic.

    Screenshot showing the details of the network security group that denied the traffic to the virtual machine.

    In myVM-nsg network security group, the security rule DenyVnetInBound denies any traffic coming from the address space of VirtualNetwork service tag to the virtual machine. The Bastion host uses IP addresses from the address range: 10.0.1.0/26, which is included in VirtualNetwork service tag, to connect to the virtual machine. Therefore, the connection from the Bastion host is denied by the DenyVnetInBound security rule.

Add a security rule to allow traffic from the Bastion subnet

To connect to myVM using Azure Bastion, traffic from the Bastion subnet must be allowed by the network security group. To allow traffic from 10.0.1.0/26, add a security rule with a higher priority (lower priority number) than DenyVnetInBound rule or edit the DenyVnetInBound rule to allow traffic from the Bastion subnet.

You can add the security rule to the network security group from the Network Watcher page that showed you the details about the security rule denying the traffic to the virtual machine.

  1. To add the security rule from within Network Watcher, select + Add security rule, and then enter or select the following values:

    Setting Value
    Source Select IP Addresses.
    Source IP addresses/CIDR ranges Enter 10.0.1.0/26, which is the IP address range of the Bastion subnet.
    Source port ranges Enter *.
    Destination Select Any.
    Service Select Custom.
    Destination port ranges Enter *.
    Protocol Select Any.
    Action Select Allow.
    Priority Enter 900, which is higher priority than 1000 used for DenyVnetInBound rule.
    Name Enter AllowBastionConnections.

    Screenshot showing how to add a new security rule to the network security group to allow the traffic to the virtual machine from the Bastion subnet.

  2. Select Recheck to run the diagnostic session again. The diagnostic session should now show that the traffic from the Bastion subnet is allowed.

    Screenshot showing the details of the network security group after adding a security rule that allows the traffic to the virtual machine from the Bastion subnet.

    The security rule AllowBastionConnections allows the traffic from any IP address in 10.0.1.0/26 to the virtual machine. Because the Bastion host uses IP addresses from 10.0.1.0/26, its connection to the virtual machine is allowed by the AllowBastionConnections security rule.

Clean up resources

When no longer needed, delete the resource group and all of the resources it contains:

  1. In the search box at the top of the portal, enter myResourceGroup. Select myResourceGroup from the search results.

  2. Select Delete resource group.

  3. In Delete a resource group, enter myResourceGroup, and then select Delete.

  4. Select Delete to confirm the deletion of the resource group and all its resources.