Inbound Traffic - Network Security Groups | Azure Course | Intellipaat


If a network security group is associated with a subnet, Azure evaluates the rules in that group first, before processing the rules in any network security group associated with the network interface.

This also applies to traffic between resources in the same subnet.

  • VM1: NSG1's security rules are applied to VM1 because VM1 is located in Subnet1 and NSG1 is associated with Subnet1. Unless you've added a rule that permits port 80 inbound, the DenyAllInbound default security rule in NSG1 blocks the traffic, and NSG2 (associated with the network interface) never evaluates it. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. For port 80 to reach the virtual machine, NSG1 and NSG2 must both have a rule that allows port 80 from the internet.
  • VM2: Because VM2 is in Subnet1, the rules in NSG1 are applied to it. Since VM2 doesn't have a network security group associated with its network interface, it receives all traffic NSG1 allows and is refused all traffic NSG1 denies. When a network security group is associated with a subnet, traffic is permitted or denied for all resources in that subnet.
  • VM3: Since no network security group is associated with Subnet2, traffic is allowed into the subnet and is then processed by NSG2, because NSG2 is associated with the network interface attached to VM3.
  • VM4: Traffic to VM4 is permitted because no network security group is associated with Subnet3 or with the virtual machine's network interface. If neither the subnet nor the network interface has a network security group attached, all network traffic is permitted.
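The four cases above follow one evaluation order: the subnet NSG's rules are checked first in priority order (custom rules, then the 65000+ defaults), and the NIC NSG is consulted only if the subnet NSG allows the traffic; a missing NSG at either stage passes everything through. The Python below is an added example written for this lesson, not code from Intellipaat or from Azure itself. It is a simplified model of that evaluation: the rule sets for NSG1 and NSG2, the rule name AllowHttpInBound and the reduced set of source tags are constructed for illustration (real NSG rules also match on protocol, source port and destination address, which this model omits).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of NSG inbound evaluation for the VM1-VM4 topology.
# Simplified: rules match only on destination port and a source tag.


@dataclass
class Rule:
    priority: int                   # lower number is evaluated first
    name: str
    access: str                     # "Allow" or "Deny"
    dest_port: Optional[int] = None # None matches any destination port
    source: str = "*"               # "*", "Internet", "VirtualNetwork", ...

    def matches(self, port: int, source: str) -> bool:
        port_ok = self.dest_port is None or self.dest_port == port
        src_ok = self.source == "*" or self.source == source
        return port_ok and src_ok


# Azure's default inbound rules: priorities 65000+ sit below every custom rule,
# so DenyAllInBound is the catch-all when nothing earlier matches.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", None, "VirtualNetwork"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", None, "AzureLoadBalancer"),
    Rule(65500, "DenyAllInBound", "Deny", None, "*"),
]


@dataclass
class NSG:
    name: str
    rules: List[Rule]

    def first_match(self, port: int, source: str) -> Rule:
        # First matching rule in priority order decides; later rules are ignored.
        for rule in sorted(self.rules + DEFAULT_INBOUND, key=lambda r: r.priority):
            if rule.matches(port, source):
                return rule
        raise AssertionError("unreachable: DenyAllInBound matches everything")


def evaluate_inbound(subnet_nsg: Optional[NSG], nic_nsg: Optional[NSG],
                     port: int, source: str) -> Tuple[bool, List[str]]:
    """Subnet NSG first; the NIC NSG is only consulted if the subnet NSG allows."""
    trace: List[str] = []
    for stage, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            trace.append(f"{stage}: no NSG attached, traffic passes")
            continue
        rule = nsg.first_match(port, source)
        trace.append(f"{stage}: {nsg.name} -> {rule.name} ({rule.priority}) {rule.access}")
        if rule.access == "Deny":
            return False, trace   # NIC NSG never sees denied traffic
    return True, trace


# Constructed custom rule: allow HTTP from the internet (priority 100).
ALLOW_80 = Rule(100, "AllowHttpInBound", "Allow", 80, "Internet")


def scenarios(nsg1_allows_80: bool) -> Dict[str, bool]:
    """Port 80 from the internet to VM1-VM4 as laid out in the lesson."""
    nsg1 = NSG("NSG1", [ALLOW_80] if nsg1_allows_80 else [])  # on Subnet1
    nsg2 = NSG("NSG2", [ALLOW_80])                             # on the NICs of VM1 and VM3
    return {
        "VM1": evaluate_inbound(nsg1, nsg2, 80, "Internet")[0],  # Subnet1 + NSG2 on NIC
        "VM2": evaluate_inbound(nsg1, None, 80, "Internet")[0],  # Subnet1, no NIC NSG
        "VM3": evaluate_inbound(None, nsg2, 80, "Internet")[0],  # Subnet2 (no NSG), NSG2 on NIC
        "VM4": evaluate_inbound(None, None, 80, "Internet")[0],  # Subnet3, nothing attached
    }


if __name__ == "__main__":
    for allows in (False, True):
        print(f"NSG1 allows port 80: {allows}")
        for vm, ok in scenarios(allows).items():
            print(f"  {vm}: {'allowed' if ok else 'denied'}")
    _, steps = evaluate_inbound(NSG("NSG1", []), NSG("NSG2", [ALLOW_80]), 80, "Internet")
    print("VM1 trace without an allow rule in NSG1:", steps)
```

Running it shows the point the lesson makes about VM1: with no port-80 rule in NSG1 the trace has a single step, because DenyAllInBound in the subnet NSG ends evaluation and NSG2's allow rule is never reached, while VM3 and VM4 receive the traffic. Adding the allow rule to NSG1 flips VM1 and VM2 to allowed. The AllowVnetInBound default also explains why traffic between resources in the same subnet passes even when no custom rule exists.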

Gautam Sharma