MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Contradictory information #122231

Open carlos-quintero opened 2 weeks ago

carlos-quintero commented 2 weeks ago

The page "How network security groups filter network traffic", section "Inbound traffic" (https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic) states:

"VM4: Traffic is blocked to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. All network traffic is blocked through a subnet and network interface if they don't have a network security group associated to them."

That information is in contradiction with these other four resources that state that if a VM with a public IP

1) Is in a subnet without a network security group

and:

2) Its network interface card doesn't have a network security group either

then:

All inbound traffic is allowed in all ports (not blocked):

1) Diagnose a virtual machine network traffic filter problem https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem "If there are no NSGs associated with the network interface or subnet, and you have a public IP address assigned to a VM, all ports are open for inbound access from and outbound access to anywhere. If the VM has a public IP address, we recommend applying an NSG to the subnet the network interface."

2) How network security groups filter network traffic https://learn.microsoft.com/en-us/training/modules/filter-network-traffic-network-security-group-using-azure-portal/4-create-network-security-group "VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet 3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them."

3) Determine network security group effective rules https://learn.microsoft.com/en-us/training/modules/configure-network-security-groups/4-determine-network-security-groups-effective-rules "VM 4: Subnet 3: none, NIC: none Azure default rules apply to both subnet and NIC and all inbound traffic is allowed"

4) The Azure Portal, when you create a VM with NIC network security group: None "All ports on this virtual machine may be exposed to the public internet. This is a security risk. Use a network security group to limit public access to specific ports. You can also select a subnet that already has network security groups defined or remove the public IP address."


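As an added example (not part of the issue or of any Microsoft documentation), the following Python audit applies the rule stated by the "Diagnose a virtual machine network traffic filter problem" page quoted above: a NIC that holds a public IP and has no NSG on either the NIC or its subnet is open on all ports inbound. The inventory is constructed inline; the field names loosely mirror the Azure ARM resource JSON shape (networkSecurityGroup, ipConfigurations, publicIPAddress), but these are plain dataclasses, not Azure SDK objects, and the function names are this example's own. In practice the inventory would be filled from `az network nic list` and `az network vnet subnet list` output.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory model (example only, not an Azure SDK type).
@dataclass
class Subnet:
    id: str
    nsg_id: Optional[str] = None          # networkSecurityGroup.id, if any

@dataclass
class Nic:
    id: str
    vm_id: Optional[str]                  # virtualMachine.id, None if unattached
    subnet_id: str                        # ipConfigurations[0].subnet.id
    public_ip_id: Optional[str] = None    # ipConfigurations[0].publicIPAddress.id
    nsg_id: Optional[str] = None          # networkSecurityGroup.id, if any


def inbound_filter_layers(nic: Nic, subnets: Dict[str, Subnet]) -> List[str]:
    """Return the NSG layers inbound traffic to this NIC passes through,
    in evaluation order (subnet NSG first, then NIC NSG).
    An empty list means no NSG filters the traffic at all."""
    layers: List[str] = []
    subnet = subnets[nic.subnet_id]
    if subnet.nsg_id:
        layers.append("subnet")
    if nic.nsg_id:
        layers.append("nic")
    return layers


def find_exposed_nics(nics: List[Nic], subnets: Dict[str, Subnet]) -> List[str]:
    """NICs with a public IP and no NSG on the NIC or its subnet.
    Per the quoted 'Diagnose a virtual machine network traffic filter
    problem' page, all ports are open inbound in that configuration."""
    return [
        n.id for n in nics
        if n.public_ip_id and not inbound_filter_layers(n, subnets)
    ]


# Constructed sample inventory: three subnets, five NICs.
SUBNETS: Dict[str, Subnet] = {
    "subnet1": Subnet(id="subnet1", nsg_id="nsg-subnet1"),
    "subnet2": Subnet(id="subnet2"),
    "subnet3": Subnet(id="subnet3"),
}

NICS: List[Nic] = [
    # subnet NSG and NIC NSG: traffic evaluated by both layers
    Nic("nic-vm1", "vm1", "subnet1", public_ip_id="pip-vm1", nsg_id="nsg-nic"),
    # subnet NSG only
    Nic("nic-vm2", "vm2", "subnet1", public_ip_id="pip-vm2"),
    # NIC NSG only
    Nic("nic-vm3", "vm3", "subnet2", public_ip_id="pip-vm3", nsg_id="nsg-nic"),
    # no NSG anywhere and a public IP: the VM4-like case from the issue
    Nic("nic-vm4", "vm4", "subnet3", public_ip_id="pip-vm4"),
    # no NSG anywhere but no public IP: not internet-reachable, so not flagged
    Nic("nic-vm5", "vm5", "subnet3"),
]


def report(nics: List[Nic], subnets: Dict[str, Subnet]) -> Dict[str, List[str]]:
    """Map each NIC id to the NSG layers that filter its inbound traffic."""
    return {n.id: inbound_filter_layers(n, subnets) for n in nics}


if __name__ == "__main__":
    for nic_id, layers in report(NICS, SUBNETS).items():
        print(f"{nic_id}: filtered by {layers or 'nothing'}")
    print("Exposed (public IP, no NSG on NIC or subnet):", find_exposed_nics(NICS, SUBNETS))
```

The remediation options are the ones the portal warning quoted in the issue lists: associate an NSG with the subnet or the NIC, or remove the public IP. A NIC with no public IP is still reachable from within the virtual network when no NSG applies, which is why the check keys on the public IP rather than treating every NSG-less NIC as internet-exposed.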

PesalaPavan commented 2 weeks ago

@carlos-quintero Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 1 week ago

@carlos-quintero Thank you for bringing this to our attention. I've delegated this to content author @asudbring, who will review it and offer their insightful opinions.