MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Documentation unclear #122592

Closed bandwiches closed 3 months ago

bandwiches commented 4 months ago

Recently discovered that certain traffic is always allowed via VPN Gateway (onPrem to AKS API over tcp/443 for example) while other traffic (DNS Resolver to onPrem via tcp/53) is denied. Lots of investigating finally led me to this Reddit post describing the exact symptoms.

Further investigation led me to this heading "Why are certain ports opened on my Virtual Network Gateway?" in the VPN Gateway FAQ. My infosec team would love to know (A) what ports are "always open" and (B) why? Documentation is vague at best and very well hidden!

Thanks



PesalaPavan commented 4 months ago

@bandwiches Thanks for your feedback! We will investigate and update as appropriate.

SaibabaBalapur-MSFT commented 3 months ago

@bandwiches The ports that are always open on a Virtual Network Gateway are required for Azure infrastructure communication. These ports are protected by Azure certificates and are periodically scanned by Azure security audit. Without proper certificates, external entities, including the customers of those gateways, won't be able to cause any effect on those endpoints. The specific ports that are opened on a Virtual Network Gateway are not publicly disclosed for security reasons.

I'd recommend working closer with our support team via an Azure support request. Or you can leverage our Q&A forum by posting your issue there so our community and MVPs can further assist you in troubleshooting this issue or finding potential workarounds.

bandwiches commented 3 months ago

These ports are protected by Azure certificates and are periodically scanned by Azure security audit. Without proper certificates, external entities, including the customers of those gateways, won't be able to cause any effect on those endpoints.

Pretty bold statement to make right before the next sentence:

The specific ports that are opened on a Virtual Network Gateway are not publicly disclosed for security reasons.

@SaibabaBalapur-MSFT If the endpoints are both public and secure, I guess I don't grasp why they can't be publicly disclosed? This sounds like security through obscurity except the ports can be scanned publicly, so it's not really a secret nor effective. I was just hoping for some official documentation. Nevertheless, thanks for your response.

SaibabaBalapur-MSFT commented 3 months ago

@bandwiches Thanks so much for pointing this out. I've checked with our internal team on the work for this issue, which we'll track and resolve internally.