Troubleshooting Network Security Groups (NSGs)
Network Security Groups (NSGs) act as a virtual firewall for your Azure resources to filter network traffic. They contain a list of security rules that allow or deny inbound network traffic to resources, as well as outbound traffic leaving those resources. NSGs can be associated with network interfaces (NICs) or subnets.
Note: Incorrectly configured NSG rules are a common cause of network connectivity issues. This article provides a systematic approach to troubleshooting these problems.
Common NSG Troubleshooting Scenarios
Here are some typical scenarios that might require NSG troubleshooting:
- Inability to connect to a virtual machine (VM) from on-premises or the internet.
- Inability for a VM to connect to another VM or an external service.
- Application running on a VM is unresponsive.
- Traffic not reaching its intended destination.
Troubleshooting Steps
Follow these steps to diagnose and resolve NSG-related issues:
1. Verify NSG Association
Ensure the NSG is correctly associated with the relevant network interface (NIC) or subnet of the resource experiencing the issue.
- Navigate to the resource (e.g., VM or Subnet) in the Azure portal.
- Check the "Networking" or "Network Security Group" section to confirm associations.
- If an NSG is associated with both the NIC and the subnet, remember that both are evaluated: for inbound traffic the subnet NSG is processed first and then the NIC NSG, for outbound traffic the NIC NSG is processed first and then the subnet NSG, and the traffic must be allowed by both.
2. Review Effective Security Rules
The "Effective security rules" view in the Azure portal consolidates all NSG rules applied to a specific NIC, taking into account rules from both the subnet and the NIC, as well as any applied Network Virtual Appliances (NVAs).
- Go to the network interface (NIC) of the affected resource.
- Under "Settings", select "Effective security rules".
- Filter by direction (Inbound/Outbound), protocol, and port to identify any conflicting or blocking rules.
3. Check Rule Priority and Type
NSG rules are processed based on their priority, with lower numbers having higher priority. Evaluation stops at the first rule that matches the traffic, whether it is an Allow or a Deny rule. For inbound traffic the rules are evaluated in the following order:
- User-defined rules (lowest priority number to highest), Allow or Deny, first match wins
- AllowVNetInBound (default rule with priority 65000)
- AllowAzureLoadBalancerInBound (default rule with priority 65001)
- DenyAllInbound (default rule with priority 65500)
Similarly for outbound traffic, though the default rules differ slightly.
- Ensure your Allow rules have a higher priority (lower number) than any conflicting Deny rules.
- Be aware that the DenyAllInbound and DenyAllOutbound rules are the last to be evaluated and cannot be removed.
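The ordering described in steps 1 and 3 can be checked offline with a small evaluator. The following is an added example, not Azure's own code or tooling: it models first-match evaluation by ascending priority, appends the default rules, and combines the subnet and NIC NSGs in the documented order (subnet first for inbound, NIC first for outbound, both must allow). The `SERVICE_TAGS` prefixes, the rule and flow names, and the 8080 web-server scenario are constructed placeholders; real service tags resolve to Microsoft-maintained prefix lists, and real rules also accept comma-separated lists and application security groups, which this model omits.

```python
"""Minimal NSG rule evaluator (added example; not Azure's own code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for service tags. Real tags map to prefix lists
# maintained by Microsoft; these ranges only illustrate the matching logic.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "Internet": ["0.0.0.0/0"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str        # "Inbound" | "Outbound"
    protocol: str         # "Tcp" | "Udp" | "Icmp" | "*"
    source: str           # CIDR, service tag or "*"
    source_port: str      # "80", "1000-2000" or "*"
    destination: str
    destination_port: str
    access: str           # "Allow" | "Deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr_match(spec, ip):
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(ip_address(ip) in ip_network(p, strict=False) for p in prefixes)


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _addr_match(rule.source, flow.src_ip)
            and _port_match(rule.source_port, flow.src_port)
            and _addr_match(rule.destination, flow.dst_ip)
            and _port_match(rule.destination_port, flow.dst_port))


# Default rules: always present, evaluated after any user-defined rule.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "*", "VirtualNetwork", "*", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "*", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "*", "VirtualNetwork", "*", "VirtualNetwork", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "*", "*", "Internet", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "*", "Deny"),
]


def evaluate_nsg(rules, flow):
    """Return (access, rule_name) of the first matching rule by ascending priority."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "<no rule>"  # unreachable: a DenyAll default always matches


def evaluate_path(subnet_rules, nic_rules, flow):
    """Combine subnet and NIC NSGs: inbound checks subnet first, outbound
    checks NIC first; the first Deny wins, otherwise the flow is allowed."""
    order = [("subnet", subnet_rules), ("nic", nic_rules)]
    if flow.direction == "Outbound":
        order.reverse()
    for scope, rules in order:
        access, name = evaluate_nsg(rules, flow)
        if access == "Deny":
            return "Deny", f"{scope}:{name}"
    return "Allow", "both NSGs allow"


# Constructed scenario: a web server listens on 8080, but on the subnet NSG a
# broad Deny at priority 100 sits ahead of the specific Allow at 200.
SUBNET_RULES = [
    Rule("DenyInternetInBound", 100, "Inbound", "*", "Internet", "*", "*", "*", "Deny"),
    Rule("AllowWeb8080", 200, "Inbound", "Tcp", "Internet", "*", "*", "8080", "Allow"),
]
NIC_RULES = [Rule("AllowWeb8080", 100, "Inbound", "Tcp", "*", "*", "*", "8080", "Allow")]
WEB_FLOW = Flow("Inbound", "Tcp", "203.0.113.7", 51515, "10.0.1.4", 8080)

if __name__ == "__main__":
    print(evaluate_path(SUBNET_RULES, NIC_RULES, WEB_FLOW))
```

Swapping the two subnet priorities (Allow at 100, Deny at 200) turns the result into an Allow from both NSGs; leaving the broad Deny in front reproduces the "rule order" error listed later in this article, with the evaluator naming the exact rule and scope that blocked the flow.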
4. Examine Rule Configuration Details
Carefully inspect the parameters of your relevant NSG rules:
- Source/Destination IP Addresses: Ensure they accurately reflect the expected traffic. Use service tags (e.g., VirtualNetwork, Internet) or specific IP ranges.
- Source/Destination Port Ranges: Verify that the correct ports are allowed or denied. Common ports include 80 (HTTP), 443 (HTTPS), 22 (SSH), 3389 (RDP).
- Protocol: Make sure the protocol (TCP, UDP, ICMP, Any) matches the traffic you are trying to allow or deny.
- Action: Confirm whether the rule is set to Allow or Deny.
Tip: When troubleshooting connectivity to specific applications, remember to allow inbound traffic on the application's listening port. For example, if your web server listens on port 8080, you need an NSG rule to allow TCP traffic on port 8080.
5. Utilize Network Watcher's Connection Troubleshoot Feature
Azure Network Watcher provides powerful tools for diagnosing network issues.
- Navigate to Network Watcher in the Azure portal.
- Select Connection troubleshoot.
- Specify the source VM, destination IP address, and destination port.
- The tool will simulate traffic flow and indicate whether NSG rules are blocking the connection, providing details about which rule is causing the block.
6. Leverage Network Security Group Flow Logs
NSG Flow Logs record information about IP traffic flowing through an NSG. This can help you identify traffic patterns and potential issues.
- Enable NSG Flow Logs for the relevant NSG.
- Analyze the logs to understand the source, destination, port, protocol, and whether traffic was allowed or denied.
- Tools like Azure Log Analytics can be used to query and visualize these logs effectively.
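Before the logs reach Log Analytics they are plain JSON, and a few lines of code answer the question step 6 raises (which rule denied which port, from where). The following is an added example, not Azure's own tooling: it parses flow-log records in both tuple layouts (version 2 tuples carry 13 comma-separated fields: time, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D, flow state B/C/E and four packet/byte counters; version 1 tuples stop after the decision field) and summarises denied inbound flows by rule and destination port. The `SAMPLE_LOG` record, its MAC, addresses and rule names are constructed for illustration.

```python
"""Parse NSG flow log records (v1 or v2 tuples) and summarise denied flows.
Added example; not Azure's own tooling. Sample data is constructed."""
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowTuple:
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str   # "T" or "U"
    direction: str  # "I" (inbound) or "O" (outbound)
    decision: str   # "A" (allowed) or "D" (denied)
    rule: str       # NSG rule that produced the decision
    bytes_in: int   # bytes source->destination; 0 for v1 or tuples without counters


def parse_tuple(raw, rule, version):
    """Split one flowTuple string; v2 has 13 fields, v1 has 8."""
    fields = raw.split(",")
    expected = 13 if version == 2 else 8
    if len(fields) != expected:
        raise ValueError(f"expected {expected} fields for v{version}, got {len(fields)}: {raw}")
    # Counters are empty on 'B' (begin) tuples, so treat blanks as 0.
    bytes_in = int(fields[10]) if version == 2 and fields[10] else 0
    return FlowTuple(int(fields[0]), fields[1], fields[2], int(fields[3]),
                     int(fields[4]), fields[5], fields[6], fields[7], rule, bytes_in)


def parse_flow_log(text):
    """Yield FlowTuple objects from a flow-log JSON document with one or more records."""
    doc = json.loads(text)
    for record in doc.get("records", []):
        props = record["properties"]
        version = props.get("Version", 1)
        for rule_group in props["flows"]:
            for flow in rule_group["flows"]:
                for raw in flow["flowTuples"]:
                    yield parse_tuple(raw, rule_group["rule"], version)


def denied_inbound_summary(tuples):
    """Count denied inbound flows by (rule, destination port)."""
    counts = Counter()
    for t in tuples:
        if t.direction == "I" and t.decision == "D":
            counts[(t.rule, t.dst_port)] += 1
    return counts


def blocked_sources(tuples):
    """Count denied flows per source IP, useful for telling an expected client
    whose rule is missing apart from background scanning noise."""
    return Counter(t.src_ip for t in tuples if t.decision == "D")


# Constructed sample: one v2 record and one v1 record for the same NSG.
SAMPLE_LOG = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": "/SUBSCRIPTIONS/<placeholder>/.../NETWORKSECURITYGROUPS/WEB-NSG",
     "properties": {"Version": 2, "flows": [
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1700000000,203.0.113.7,10.0.1.4,51515,8080,T,I,D,B,,,,",
             "1700000001,203.0.113.9,10.0.1.4,51516,8080,T,I,D,B,,,,",
             "1700000002,198.51.100.5,10.0.1.4,40000,22,T,I,D,B,,,,"]}]},
         {"rule": "UserRule_AllowWeb8080", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1700000003,10.0.2.5,10.0.1.4,52000,8080,T,I,A,E,10,1500,8,900"]}]}]}},
    {"time": "2024-01-01T00:01:00Z", "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": "/SUBSCRIPTIONS/<placeholder>/.../NETWORKSECURITYGROUPS/WEB-NSG",
     "properties": {"Version": 1, "flows": [
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1700000004,203.0.113.7,10.0.1.4,51517,8080,T,I,D"]}]}]}},
]})

if __name__ == "__main__":
    flows = list(parse_flow_log(SAMPLE_LOG))
    for (rule, port), n in denied_inbound_summary(flows).most_common():
        print(f"{rule:32} port {port:<5} denied {n}x")
    print(blocked_sources(flows).most_common(3))
```

In the sample the summary shows that internet clients hitting port 8080 are being dropped by `DefaultRule_DenyAllInBound` while the VNet client is matched by the allow rule, which points straight at the missing or mis-prioritised inbound rule rather than at the application.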
7. Consider Network Virtual Appliances (NVAs)
If you are using NVAs (like Azure Firewall or third-party firewalls), remember that NSG rules can interact with them. Traffic might be processed by both NSGs and NVAs. Ensure your NVA policies are also correctly configured and that NSG rules allow traffic to flow to and from the NVA.
Warning: Denying traffic from the Internet or AzureLoadBalancer service tags can inadvertently block essential management traffic. Use these tags with caution.
Troubleshooting Common Errors
- Port Blocking: The most frequent issue is denying the required port in inbound or outbound rules. Double-check your port numbers.
- IP Address Mismatch: Incorrect source or destination IP addresses in rules will cause traffic to be blocked or misrouted.
- Rule Order Issues: A broad deny rule with a higher priority (lower number) can block traffic that a more specific allow rule is intended for.
- Subnet vs. NIC Rules: If rules are applied at both the subnet and NIC level, ensure their combined effect allows the desired traffic.
By systematically following these steps and utilizing Azure's built-in tools, you can effectively troubleshoot and resolve most Network Security Group related connectivity issues.