Hey everyone! I'm managing some VMs that need to connect with about 10-20 different on-premise subnets from various office locations. I need to allow access to certain VMs on specific ports while restricting everything else. While I could create rules in a Network Security Group (NSG) for each subnet, it seems like it would get pretty messy and hard to understand for anyone looking at it later. I'm wondering if there's a better way to handle this situation? Would it make sense to use something other than NSGs? Ideally, it would be great to have a way to tag all the office subnets for easy reuse, especially if we ever add more offices in the future.
1 Answer
Using a firewall with IP groups is a popular approach. It allows you to manage access more easily without cluttering your NSG rules. You can check out more on this in the Azure documentation about IP groups.
That definitely sounds like the easiest route! I have run into issues though where the security team wants even stricter control at the NSG level as a backup. Just something to consider, you know?
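The IP-group approach from the answer, as an added Bicep example that is not from this thread: it assumes an existing Azure Firewall policy named fwpol-hub already attached to the hub firewall, and the office prefixes and the VM address are constructed placeholders.

```bicep
// Added example, not from the thread. Assumes fwpol-hub already exists;
// office prefixes and the VM address below are constructed placeholders.
param location string = resourceGroup().location

// Every office subnet lives in this one list; a new office is one more line
param officePrefixes array = [
  '10.10.0.0/24'
  '10.11.0.0/24'
  '10.12.0.0/24'
]

// One reusable IP group for all office subnets
resource officeIpGroup 'Microsoft.Network/ipGroups@2023-04-01' = {
  name: 'ipg-office-subnets'
  location: location
  properties: {
    ipAddresses: officePrefixes
  }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: 'fwpol-hub'
}

// Single network rule: offices -> app VM on TCP/443; anything not matched
// by an allow rule is dropped by the firewall's implicit deny
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'rcg-office-access'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'rc-office-to-app'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'allow-office-https-to-app'
            ipProtocols: [ 'TCP' ]
            sourceIpGroups: [ officeIpGroup.id ]   // reference the group, not 20 prefixes
            destinationAddresses: [ '10.100.1.10' ] // constructed app VM address
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}
```

If the NSG backstop mentioned in the comment is required, the same officePrefixes parameter can feed an NSG security rule's sourceAddressPrefixes so both layers are maintained from one list.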