Why Can I RDP to My VM Even with NSG Limitations?

Asked By CloudyDayz92 On

Hey everyone,

I'm a bit puzzled by something I'm testing with my Azure configuration. I've set up a hub-and-spoke architecture with two peered VNets. The hub VNet has a third-party firewall that uses IPSec to connect to a branch location.

There's a VM in the spoke VNet that has a Network Security Group (NSG) applied to its subnet. The NSG is set with default rules:
- AllowVnetInBound
- AllowAZLoadBalancer
- DenyAllInBound

Here's the confusing part: despite these default rules, a user from the branch site can still RDP into the VM! My understanding was that the default rules should only allow traffic from virtual networks or those that are peered, meaning the branch site's traffic should need an explicit inbound rule since it's not part of a VNet and Azure shouldn't recognize those remote address spaces. There's no VPN gateway connectivity either, so I wouldn't expect any prefixes from the branch site to be seen as 'VNet' traffic.

Am I missing something here? Also, just for clarity, the NSG is applied to the spoke VNet, not to the VM's NIC directly.

1 Answer

Answered By NetworkGuru77 On

It seems like a common point of confusion! If you have a 0.0.0.0/0 route in your User Defined Routes (UDR) to your subnet, the VirtualNetwork service tag gets augmented, allowing all traffic in, including from outside.

So, that's why your branch site user can RDP in despite your NSG rules. It's definitely not intuitive, but it happens!
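The mechanism described in this answer, as an added example that is not part of the thread: a small Python model of NSG rule evaluation in which the VirtualNetwork service tag expands to the VNet's own address space, peered VNets and the address prefixes used on the subnet's UDRs, so a 0.0.0.0/0 route makes AllowVnetInBound match the branch client. The address ranges, the branch client IP and the jump-host prefix in the hardening rules are constructed for the example.

```python
import ipaddress

# Constructed lab topology (not from the original thread): spoke VNet, peered hub,
# and a client at the IPSec-connected branch reaching the spoke via the hub firewall.
SPOKE_VNET = ["10.1.0.0/16"]
HUB_VNET = ["10.0.0.0/16"]
BRANCH_CLIENT = "192.168.50.10"

# The NSG default inbound rules; Azure evaluates the lowest priority number first.
DEFAULT_RULES = [
    {"priority": 65000, "access": "Allow", "source": "VirtualNetwork", "port": "*"},
    {"priority": 65001, "access": "Allow", "source": "AzureLoadBalancer", "port": "*"},
    {"priority": 65500, "access": "Deny", "source": "*", "port": "*"},
]

def virtual_network_prefixes(vnet, peers, udr_prefixes):
    """Prefixes the VirtualNetwork tag expands to: the VNet address space, peered
    VNets, and every address prefix used on a UDR attached to the subnet."""
    return [ipaddress.ip_network(p) for p in vnet + peers + udr_prefixes]

def source_matches(rule_source, src_ip, vnet_prefixes):
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return any(src_ip in net for net in vnet_prefixes)
    if rule_source == "AzureLoadBalancer":
        return str(src_ip) == "168.63.129.16"  # Azure health-probe source
    return src_ip in ipaddress.ip_network(rule_source)

def evaluate(rules, src_ip, dst_port, vnet_prefixes):
    """Return the access decision of the first matching rule (by priority)."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        port_ok = rule["port"] == "*" or int(rule["port"]) == dst_port
        if port_ok and source_matches(rule["source"], src, vnet_prefixes):
            return rule["access"]
    return "Deny"

def rdp_from_branch(udr_prefixes, extra_rules=()):
    prefixes = virtual_network_prefixes(SPOKE_VNET, HUB_VNET, udr_prefixes)
    return evaluate(DEFAULT_RULES + list(extra_rules), BRANCH_CLIENT, 3389, prefixes)

# Hardening: explicit RDP rules ahead of the defaults, so the augmented tag no longer decides.
RDP_RULES = [
    {"priority": 100, "access": "Allow", "source": "10.0.250.0/24", "port": "3389"},  # assumed jump hosts
    {"priority": 110, "access": "Deny", "source": "*", "port": "3389"},
]

if __name__ == "__main__":
    print("no UDR:         ", rdp_from_branch([]))                        # Deny
    print("0.0.0.0/0 UDR:  ", rdp_from_branch(["0.0.0.0/0"]))             # Allow
    print("UDR + explicit: ", rdp_from_branch(["0.0.0.0/0"], RDP_RULES))  # Deny
```

The same check applied to your own subnet is to list the route table's address prefixes and then ask, for each inbound NSG rule that uses VirtualNetwork as its source, which of those prefixes now fall inside it.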

CloudyDayz92 -

Thanks for clarifying! That makes a lot of sense now.
