
Contradictory information #122231

Open
carlos-quintero opened this issue May 4, 2024 · 2 comments

Comments

@carlos-quintero

The page "How network security groups filter network traffic", section "Inbound traffic" (https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic) states:

"VM4: Traffic is blocked to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. All network traffic is blocked through a subnet and network interface if they don't have a network security group associated to them."

That information is in contradiction with these other four resources that state that if a VM with a public IP

  1. Is in a subnet without a network security group

and:

  2. Its network interface card doesn't have a network security group either

then:

All inbound traffic is allowed on all ports (not blocked):

  1. Diagnose a virtual machine network traffic filter problem
    https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem
    "If there are no NSGs associated with the network interface or subnet, and you have a public IP address assigned to a VM, all ports are open for inbound access from and outbound access to anywhere. If the VM has a public IP address, we recommend applying an NSG to the subnet the network interface."

  2. How network security groups filter network traffic
    https://learn.microsoft.com/en-us/training/modules/filter-network-traffic-network-security-group-using-azure-portal/4-create-network-security-group
    "VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet 3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them."

  3. Determine network security group effective rules
    https://learn.microsoft.com/en-us/training/modules/configure-network-security-groups/4-determine-network-security-groups-effective-rules
    "VM 4: Subnet 3: none, NIC: none Azure default rules apply to both subnet and NIC and all inbound traffic is allowed"

  4. The Azure Portal, when you create a VM with NIC network security group: None
    "All ports on this virtual machine may be exposed to the public internet. This is a security risk. Use a network security group to limit public access to specific ports. You can also select a subnet that already has network security groups defined or remove the public IP address."
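To make the disputed VM4 scenario checkable, here is a small model of Azure's inbound NSG evaluation, added as an example and not taken from the issue or from Microsoft's documentation. It assumes the documented default inbound rules (AllowVNetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) and a simplified rule format that is a stand-in for the real Azure API; the names `Rule`, `NSG` and `inbound_allowed` are mine.

```python
# Added example (not from the issue or the Azure docs): a minimal model of how
# an NSG filters inbound traffic, so the "no NSG on subnet or NIC" case can be
# reasoned about. Default rules and priorities follow Azure's documented
# defaults; the Rule/NSG classes are a simplified stand-in, not the Azure API.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    priority: int   # lower number is evaluated first
    source: str     # "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    port: str       # "*" or a single port such as "22"
    access: str     # "Allow" or "Deny"

# Azure's built-in default inbound rules (always present in every NSG)
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "*", "*", "Deny"),
]

@dataclass
class NSG:
    rules: list = field(default_factory=list)  # custom rules; defaults appended

    def allows(self, source: str, port: int) -> bool:
        # The first matching rule in ascending priority order decides; the
        # default DenyAllInBound (65500) catches anything not matched earlier.
        for r in sorted(self.rules + DEFAULT_INBOUND, key=lambda r: r.priority):
            src_ok = r.source in ("*", source)
            port_ok = r.port in ("*", str(port))
            if src_ok and port_ok:
                return r.access == "Allow"
        return False

def inbound_allowed(subnet_nsg: Optional[NSG], nic_nsg: Optional[NSG],
                    source: str, port: int) -> bool:
    # Inbound traffic is checked against the subnet NSG first, then the NIC
    # NSG, and both must allow it. A level with no NSG applies no filtering at
    # all: with no NSG at either level and a public IP, every port is reachable
    # from the Internet, which is what sources 1-4 above describe.
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and not nsg.allows(source, port):
            return False
    return True
```

Attaching an NSG with only its default rules already blocks Internet sources, which is why the portal's warning about a VM created with no NSG is the conservative reading of the four sources.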



@PesalaPavan
Contributor

@carlos-quintero
Thanks for your feedback! We will investigate and update as appropriate.

@ManoharLakkoju-MSFT
Contributor

@carlos-quintero
Thank you for bringing this to our attention.
I've delegated this to content author @asudbring, who will review it and offer their insightful opinions.
