NSGs - Evaluate

🎯 Lab Objective

In this hands-on lab, you will learn how to:

• Evaluate effective NSG rules and understand rule precedence
• Use Azure Network Watcher for connectivity troubleshooting
• Diagnose NSG-related connectivity issues using built-in tools
• Implement proper NSG rule fixes to restore connectivity
• Understand NSG rule evaluation logic and traffic flow

Scenario: You are unable to connect from FrontendVM to BackendVM over port 80 (HTTP). Your task is to investigate and fix the issue using NSG rule evaluation and diagnostics.

---

🏗️ Pre-Provisioned Environment

The following Azure resources have been pre-deployed with intentional misconfigurations:

Resource Overview

Resource Type	Resource Name	Configuration	Purpose
Resource Group	NSG-Eval-Lab	Contains all lab resources	Logical container
Virtual Network	EvalVNet	Address space: 10.0.0.0/16	Network foundation
Frontend Subnet	FrontendSubnet	Range: 10.0.1.0/24	Web tier network
Backend Subnet	BackendSubnet	Range: 10.0.2.0/24	App tier network
Frontend VM	FrontendVM	Windows Server 2019	Client VM
Backend VM	BackendVM	Ubuntu with web server	Target VM
Frontend NSG	Frontend-NSG	Misconfigured	Frontend protection
Backend NSG	Backend-NSG	Misconfigured	Backend protection

Network Architecture

EvalVNet (10.0.0.0/16)
├── FrontendSubnet (10.0.1.0/24)
│   └── FrontendVM (Windows Server)
│       └── Frontend-NSG (❌ Blocking traffic)
└── BackendSubnet (10.0.2.0/24)
    └── BackendVM (Ubuntu + Apache)
        └── Backend-NSG (❌ Blocking traffic)

VM Details

VM	Private IP	Operating System	Role
FrontendVM	10.0.1.4	Windows Server 2019	HTTP client
BackendVM	10.0.2.4	Ubuntu 20.04 + Apache	Web server

---

🚀 Lab Tasks

Task 1: Verify Connectivity Issue

Step 1: Connect to Frontend VM

1. Navigate to NSG-Eval-Lab resource group
2. Click on FrontendVM
3. Click Connect → RDP
4. Use the following credentials:
   • Username: azureuser
   • Password: LabPassword123!

Step 2: Test Web Server Connectivity

Once connected to FrontendVM, open Command Prompt and run:

# Test HTTP connectivity to BackendVM
curl http://10.0.2.4

# Alternative: Use PowerShell
powershell -Command "Invoke-WebRequest -Uri http://10.0.2.4 -TimeoutSec 10"

# Test basic network connectivity
ping 10.0.2.4

# Test port connectivity
telnet 10.0.2.4 80

Step 3: Document the Issue

Expected Behavior:

• ❌ HTTP connection should fail or timeout
• ❌ Ping may fail depending on ICMP rules
• ❌ Telnet to port 80 should fail

📝 Note: Record the specific error messages you receive for later analysis.

---

Task 2: Inspect NSG Rules

Step 1: Examine Backend NSG Rules

1. Navigate to Backend-NSG
2. Click Inbound security rules
3. Analyze the rules:

Rule Name	Priority	Source	Port	Action	Issue?
Default rules	65000+	Various	Various	Allow/Deny	Check for blocks
Custom rules	< 4096	Check source	Check port 80	Check action	Look for problems

Step 2: Check Rule Details

For each custom rule, verify:

• Source: Does it allow traffic from 10.0.1.0/24 (FrontendSubnet)?
• Destination Port: Is port 80 explicitly allowed?
• Action: Is the action set to Allow?
• Priority: Are there conflicting rules with higher priority?

Step 3: Examine Frontend NSG Rules

1. Navigate to Frontend-NSG
2. Click Outbound security rules
3. Look for blocking rules:

Rule Analysis	Check For	Expected Value
Destination	BackendSubnet range	10.0.2.0/24
Port	HTTP traffic	80 or Any
Action	Traffic permission	Allow
Priority	Rule conflicts	Lower number = higher priority

---

Task 3: Use Azure Network Watcher Diagnostics

Step 1: Access Network Watcher

1. In Azure Portal, search for “Network Watcher”
2. Select Network Watcher service
3. Ensure it’s enabled in your region

Step 2: Run Connection Troubleshoot

1. Click Connection troubleshoot in the left menu
2. Configure the test:

Setting	Value	Purpose
Subscription	Your subscription	Target subscription
Resource Group	NSG-Eval-Lab	Lab resources
Source type	Virtual machine	Test source
Virtual machine	FrontendVM	Source VM
Destination	Specify manually	Custom target
URI, FQDN or IPv4	10.0.2.4	BackendVM IP
Protocol	TCP	HTTP protocol
Destination Port	80	HTTP port

3. Click Check

Step 3: Analyze Results

Review the diagnostic output:

Result Type	Meaning	Action Required
Reachable	Connection successful	No action needed
Unreachable	Connection blocked	Check blocking component
Unknown	Indeterminate result	Re-run test

Step 4: Examine Hop Details

1. Click on View details for each hop
2. Look for NSG evaluation results:
   • Which NSG is blocking traffic?
   • Which specific rule is causing the block?
   • What’s the rule priority and action?

---

Task 4: Use Effective Security Rules

Step 1: View Effective Rules for Backend VM

1. Navigate to BackendVM
2. Click Networking in the left menu
3. Click Effective security rules

Step 2: Analyze Inbound Rules

Look for rules affecting port 80:

Priority	Name	Source	Port	Action	Evaluation
Lower #	Rule name	IP range	80	Allow/Deny	Blocking traffic?

Step 3: Identify the Problem Rule

Common issues to look for:

• Deny rule with higher priority than allow rule
• Source restriction not including FrontendSubnet
• Port restriction not including port 80
• Missing allow rule for the required traffic

---

Task 5: Fix NSG Configuration

Step 1: Fix Backend NSG (Most Likely Issue)

1. Navigate to Backend-NSG
2. Click Inbound security rules
3. Option A: Modify existing rule
   • Find the problematic rule
   • Click on the rule name
   • Correct the configuration:

Setting	Correct Value	Purpose
Source	10.0.1.0/24 or VirtualNetwork	Allow Frontend subnet
Destination port ranges	80	HTTP traffic
Action	Allow	Permit traffic

4. Option B: Create new rule
   • Click + Add
   • Configure proper rule:

Setting	Value	Purpose
Source	IP Addresses	Specific source
Source IP addresses	10.0.1.0/24	Frontend subnet
Destination port ranges	80	HTTP port
Protocol	TCP	HTTP protocol
Action	Allow	Permit traffic
Priority	100	High priority
Name	Allow-HTTP-Frontend	Descriptive name

5. Click Add

Step 2: Fix Frontend NSG (If Required)

1. Navigate to Frontend-NSG
2. Click Outbound security rules
3. If needed, add or modify rule:

Setting	Value	Purpose
Destination	IP Addresses	Specific destination
Destination IP addresses	10.0.2.0/24	Backend subnet
Destination port ranges	80	HTTP traffic
Action	Allow	Permit traffic
Priority	100	High priority
Name	Allow-HTTP-Backend	Descriptive name

---

Task 6: Validate the Fix

Step 1: Test Connectivity Again

Return to FrontendVM and test:

# Test HTTP connectivity
curl http://10.0.2.4

# Test with PowerShell for detailed output
powershell -Command "Invoke-WebRequest -Uri http://10.0.2.4"

# Test port connectivity
telnet 10.0.2.4 80

Expected Results:

• ✅ HTTP connection should succeed
• ✅ Should receive web page content
• ✅ Port 80 should be reachable

Step 2: Re-run Network Watcher Test

1. Return to Network Watcher → Connection troubleshoot
2. Re-run the same test configuration
3. Verify: Result should now show Reachable

Step 3: Verify Effective Rules

1. Go back to BackendVM → Networking → Effective security rules
2. Confirm: Your new allow rule appears with correct priority
3. Check: No higher-priority deny rules are blocking traffic

---

🔧 Troubleshooting Guide

Common NSG Issues and Solutions

Issue	Symptoms	Solution
Deny rule higher priority	Traffic blocked despite allow rule	Lower the allow rule priority number
Wrong source IP range	Specific IPs blocked	Update source to include correct IP range
Missing port in rule	Specific port blocked	Add required port to destination port ranges
Outbound rule blocking	Return traffic fails	Check outbound rules on source NSG
Default rule conflict	Unexpected behavior	Add explicit rules with higher priority

NSG Rule Evaluation Logic

1. Process inbound rules by priority (lowest number first)
2. First matching rule determines action (Allow or Deny)
3. If no custom rules match, default rules apply
4. Stateful connection - return traffic automatically allowed

Network Watcher Diagnostic Codes

Status	Meaning	Next Steps
Reachable	Connection successful	No action needed
Unreachable	NSG or firewall blocking	Check NSG rules and VM firewall
DNS resolution failed	Name resolution issue	Check DNS configuration
Timeout	Network or application timeout	Check application and network latency

---

🧪 Additional Experiments

Try these optional exercises to deepen your understanding:

1. Priority Testing: Create conflicting rules with different priorities
2. Service Tags: Use service tags instead of IP addresses
3. Application Security Groups: Implement ASGs for more granular control
4. Flow Logs: Enable and analyze NSG flow logs
5. Multiple NSGs: Test with NSGs on both subnet and NIC levels

---

🎓 Key Takeaways

After completing this lab, you should understand:

• NSG rule evaluation follows priority order (lowest number first)
• Network Watcher provides powerful diagnostics for connectivity issues
• Effective security rules show the combined result of all NSG rules
• Stateful filtering allows return traffic automatically
• Both inbound and outbound rules can affect connectivity
• Default rules provide baseline connectivity within VNets

---

📊 NSG Troubleshooting Methodology

Systematic Approach

1. Verify symptoms - Test actual connectivity
2. Check NSG rules - Review source, destination, ports
3. Use diagnostics - Leverage Network Watcher tools
4. Analyze effective rules - Understand combined rule effects
5. Implement fixes - Modify or add appropriate rules
6. Validate resolution - Re-test connectivity

Best Practices for NSG Rules

• Use descriptive names for easy identification
• Set appropriate priorities to avoid conflicts
• Document rule purposes in descriptions
• Test changes in non-production first
• Monitor with flow logs for ongoing analysis

---

📚 Additional Resources

• NSG Rule Evaluation
• Network Watcher Connection Troubleshoot
• Effective Security Rules
• NSG Flow Logs