Azure Load Balancer + NSG Rules - Remove Access Directly

3
votes

I've got a networking question for one of my customers servers in the cloud.

We are using just a standard 2012R2 VM with a few endpoints set up through the NSG Firewall, and we have a LoadBalancer infront of the network with a few ports forwarded to the same VPC.

The reason we are using a load balancer with port forwarding is because I'm finding countless records of bots trying to hit 3389 and 21 with attempts to break in.

So I have tried to change the source setting in the NSG rule to AzureLoadBalancer with the hope that it will only allow access to traffic that has come via the LoadBalancer on the external ports.

But for some reason this is not the case? Is there a proper procedure for restricting traffic to a VM via the NSG from a LoadBalancer?

Any help with this is greatly appreciated.

Thanks

2
azurenetworkingload-balancingazure-virtual-machinenetwork-security-groups

2 Answers

1
votes

The NSG can’t be associated with Load balancer, NSGs can be associated with either subnets or individual VM instances within that subnet, so we can’t use NSG to block inbound IP address from the internet.
To protect the VM (with a public IP), we can deploy Linux VM, use IP tables work as a firewall. Also you can search some third party firewall product in Azure Marketplace.

Update:
To protect your VM, you can use NSG to allow the source IP address range to access your VM. NSG->Add inbound security rule->advanced->source IP address range. enter image description here

0
votes

Looking a the LB troubleshooting doc:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot

You have:

-Also, check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).

If you create your NSG rule and only allow from 168.63.129.16 you should be set. The Azure load balancer will always come from that address no matter what your frontend IP is.