Validate NSG flow rules

5.2 Network Traffic Monitoring and Analysis

📘Microsoft Azure Networking Solutions (AZ-700)

1. What is NSG Flow Rule Validation?

NSG (Network Security Group) flow rules control network traffic in Azure. Each NSG has inbound and outbound rules that allow or deny traffic based on:

  • Source IP
  • Destination IP
  • Port
  • Protocol (TCP/UDP)
  • Priority of the rule

Validating NSG flow rules means checking if your rules are working correctly and if traffic is allowed or blocked as expected. This is crucial in Azure environments to maintain security and troubleshoot network issues.

2. Why Validate NSG Flow Rules?

Validation helps in:

  • Confirming network security – ensures only the required traffic is allowed.
  • Troubleshooting connectivity issues – explains why a VM cannot reach a database or another VM.
  • Audit and compliance – proves security rules are working for internal audits.

3. Azure Tools to Validate NSG Flow Rules

Azure provides multiple tools to check if your NSG rules are working properly:

A. Network Watcher – IP Flow Verify

  • A tool in Azure Network Watcher.
  • Validates whether a specific traffic flow is allowed or denied by NSG.
  • Checks the actual effect of NSG rules.

How it works:

  1. Specify:
    • Source IP
    • Destination IP
    • Protocol (TCP/UDP)
    • Destination port
  2. Azure evaluates the NSG rules.
  3. Returns Allowed or Denied, and tells which rule caused this.

Example:

  • Source VM: 10.0.0.4
  • Destination VM: 10.0.0.5
  • Protocol: TCP, Port: 443

Result: Allowed by NSG rule with priority 100.

This tells you exactly which NSG rule allowed or blocked the traffic.

B. Effective Security Rules

  • Shows all NSG rules applied to a NIC or VM, including inherited rules.
  • Helps you see the combined effect of multiple NSGs if more than one applies.

How to use:

  1. Go to the VM’s NIC in the Azure portal.
  2. Click Effective Security Rules.
  3. Review all inbound and outbound rules affecting that NIC.

This is useful when multiple NSGs or ASGs are applied, and you want to see the net effect.

C. Connection Troubleshoot

  • Part of Network Watcher.
  • Checks connectivity between two endpoints.
  • Helps confirm if NSG rules or route tables are causing connectivity failures.

How it works:

  1. Enter source VM and destination VM/IP.
  2. Specify port.
  3. Azure tells you success/failure and reason (blocked by NSG, no route, etc.).

4. Steps to Validate NSG Flow Rules

Here’s a simple process to follow:

  1. Identify the traffic you want to validate.
    • Example: Can VM-A reach VM-B on port 22 (SSH)?
  2. Use IP Flow Verify to check if NSG allows or denies the traffic.
  3. Check Effective Security Rules if traffic is blocked unexpectedly.
    • Confirms which NSG rule is causing the block.
  4. Use Connection Troubleshoot if you need more details about connectivity failure.
  5. Fix NSG rules if needed:
    • Change priority (lower number = higher priority)
    • Adjust source/destination IP ranges or ports

5. Important Exam Points

  • IP Flow Verify:
    • Returns Allowed or Denied
    • Shows rule name, direction, and priority
  • Effective Security Rules:
    • Shows all applied NSG rules to a VM or NIC
  • Connection Troubleshoot:
    • Explains if connectivity issues are caused by NSG, route tables, or other factors
  • NSG Rule Evaluation Order:
    1. Higher priority rules are applied first (lowest number = highest priority)
    2. Default rules exist in every NSG:
      • AllowVNetInBound, AllowAzureLoadBalancerInBound, DenyAllInbound, AllowVNetOutbound, AllowInternetOutbound, DenyAllOutbound

For the exam, always remember that Azure applies priority and default rules before custom rules.

6. Exam Tips

  • If a question asks: “Why did VM-A fail to connect to VM-B on port 1433?”, think:
    1. Check IP Flow Verify
    2. Check Effective Security Rules
    3. Check Connection Troubleshoot
  • Remember that denied traffic can be caused by either custom NSG rules or default deny rules.
  • Know how to use Azure portal or CLI commands to validate NSG flow rules.

7. Example Scenario for IT Environment

  • VM-A (web server) needs to communicate with VM-B (database server) on port 1433 (SQL).
  • NSG applied to VM-B denies inbound port 1433.
  • IP Flow Verify confirms Denied.
  • Effective Security Rules show a custom NSG rule blocking TCP 1433.
  • Admin updates NSG to allow TCP 1433 from VM-A’s subnet.
  • Validation now shows Allowed.

This demonstrates real-life IT validation using NSG flow rules.

Summary:

  1. Validation ensures security and connectivity work as intended.
  2. Tools to validate:
    • IP Flow Verify → checks if traffic is allowed/denied
    • Effective Security Rules → shows combined rules
    • Connection Troubleshoot → checks real connectivity
  3. Key concepts:
    • NSG rule priority
    • Default NSG rules
    • Troubleshooting blocked traffic
  4. Always check direction, source, destination, port, protocol, and priority.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by