Brian Delaney

Reputation: 181

Whitelisting specific IP Addresses with Azure Network Security Groups

I'm trying to restrict access to endpoints on my virtual machine only to specific external IP addresses. Having looked into it I found that a Network Security Group on Azure may be appropriate. I created a network security group and attached it to the subnet of my Virtual Network.

I then created these two rules which I thought should only allow access by one specified IP address:

The rules are below:

 - Source: IP Addresses
 - Source IP address range: *
 - Source port range: *
 - Destination: *
 - Destination port range: *
 - Protocol: Any
 - Action: Deny
 - Priority: 1000
 - Name: Deny-All

 - Source: IP Addresses
 - Source IP Address Range: XX.XXX.XXX.XX
 - Source Port Range: *
 - Destination: Any
 - Destination Port Range: *
 - Protocol: Any
 - Action: Allow
 - Priority: 700
 - Name: Allow-Specific

However, when I try to access the endpoint from the specified IP address I appear to be blocked. Does anyone know if I have forgotten a step or done something wrong? The NSG is blocking access but I can't seem to get the whitelist working.

I have checked the NSG logs but unfortunately I am unable to check what the source IP address is. Perhaps it is possible that the source IP address is getting changed somewhere along the pipeline and is changed before it hits the NSG rules.

Upvotes: 3

Views: 7582

Answers (1)

Brian Delaney

Reputation: 181

It seemed to be that the issue with this was in the deny all rule. I did not realize that there was a deny all rule built into NSG already. For some reason when I removed my custom Deny-All rule but left the Allow-Specific I was able to access the endpoint on the whitelisted IP.

I'm not sure why this was the case, if anyone has more feedback I'd be happy to hear it.

Upvotes: 1
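Added example, not part of the question or the answer above: a small Python model of how an Azure NSG evaluates inbound rules, so the rule sets from the question and the answer can be compared side by side. Azure processes rules in ascending priority order and stops at the first match; custom rules take priorities 100-4096, and every NSG also carries three non-removable default inbound rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500). The model only matches on source address, destination port and protocol (the question's rules use "*" for destination address, so that field is left out), the source IP 203.0.113.7 and the VirtualNetwork prefix 10.0.0.0/16 are constructed placeholders, and the load balancer probe address 168.63.129.16 is Azure's documented health-probe source. The model cannot explain why the original configuration was blocked in practice; what it shows is how priority order is supposed to resolve the two rules, and that a wildcard Deny-All at priority 1000 also cuts off VNet and load-balancer-probe traffic that the default rules would otherwise allow, which is the practical reason to rely on the built-in DenyAllInBound instead.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first; first match wins
    source: str     # IP, CIDR, service tag ("VirtualNetwork", ...) or "*"
    dest_port: str  # single port, "lo-hi" range, or "*"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*" (Azure's "Any")
    access: str     # "Allow" or "Deny"


# Azure's built-in default inbound rules. They sit below every custom rule
# (custom priorities are 100-4096) and cannot be deleted, which is why a
# custom wildcard Deny rule is redundant at best.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Service tags expanded to prefixes for this model. 10.0.0.0/16 is an assumed
# VNet address space; 168.63.129.16 is Azure's health-probe source address.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Rule set from the question: Allow-Specific (700) plus a custom Deny-All (1000).
# 203.0.113.7 stands in for the redacted XX.XXX.XXX.XX (constructed value).
ASKER_RULES = [
    Rule("Deny-All", 1000, "*", "*", "*", "Deny"),
    Rule("Allow-Specific", 700, "203.0.113.7", "*", "*", "Allow"),
]

# Rule set from the answer: the custom Deny-All removed, default rules do the rest.
FIXED_RULES = [
    Rule("Allow-Specific", 700, "203.0.113.7", "*", "*", "Allow"),
]


def _source_matches(rule_source, src_ip, tags):
    if rule_source == "*":
        return True
    prefixes = tags.get(rule_source, [rule_source])
    return any(src_ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(rules, src_ip, dst_port, protocol, tags=SERVICE_TAGS):
    """Return (access, rule_name) for the first rule that matches the flow.

    Custom rules and the default rules are merged and walked in priority
    order, exactly as the NSG does; DenyAllInBound guarantees a match.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _port_matches(rule.dest_port, dst_port):
            continue
        if not _source_matches(rule.source, ip, tags):
            continue
        return rule.access, rule.name
    return "Deny", "(no match)"  # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    flows = [
        ("whitelisted client", "203.0.113.7", 443, "Tcp"),
        ("other internet host", "198.51.100.9", 443, "Tcp"),
        ("VNet neighbour", "10.0.1.5", 22, "Tcp"),
        ("LB health probe", "168.63.129.16", 443, "Tcp"),
    ]
    for label, rules in (("question", ASKER_RULES), ("answer", FIXED_RULES)):
        print(f"--- rule set from the {label} ---")
        for desc, ip, port, proto in flows:
            access, name = evaluate(rules, ip, port, proto)
            print(f"{desc:20s} {ip:15s} -> {access:5s} by {name}")
```

Running the script shows the whitelisted address allowed under both rule sets, because priority 700 is evaluated before 1000, while the question's Deny-All is what denies VNet traffic and the load balancer probe; with it removed, those flows fall through to the default Allow rules and every other source falls through to DenyAllInBound. If a whitelisted client is still denied, the thing to check is the source address the NSG actually sees (flow logs, or traffic that arrives via a NAT or proxy with a different source), since the Allow rule only matches the literal prefix it was given.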
