Score:0

In an Azure network security group, is denying all traffic before the "AllowVnetInbound" and "AllowAzureLoadBalancerInbound" rules good practice?


Inbound rules for an Azure network security group

This set of Azure Network Security Group inbound rules came from a "best practice" blog.

I understand this to mean there isn't any way for any network traffic to pass the "DropAll" rule and reach the "AllowVNetInbound" rule. Do I understand that correctly?

I can imagine a few cases where you might want to deny all inbound traffic from the vNet, but I can't imagine why that would be considered a best practice. (I understand best practice to mean always do this unless there's a seriously compelling reason not to.) What am I missing here?

Score:3

The only real reason to do this is if you want to ensure that you are in complete control of the rules governing traffic flow, and not defaulting into using the built in rules. In the scenario you showed, intra-vnet traffic is not allowed, as the "AllowVnetInboundTraffic" rule is blocked. You would then need to explicitly define any rules you want to allow traffic between machines on the same (or peered) vNets, if you apply this rule to a subnet.
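To make the evaluation order concrete, here is an added example that is not part of the question, the answer, or the blog being discussed: a small Python model of how an NSG processes inbound rules. Rules are evaluated lowest priority number first and processing stops at the first match, so a custom deny at 4096 is reached before the default rules at 65000 and above, including AllowAzureLoadBalancerInBound, which means load balancer health probes are dropped as well. The vNet address range, the sample IP addresses, and every rule name other than the three Azure defaults are assumptions made for the illustration.

```python
# Added example (not from the question, the answer or the blog): a minimal
# model of Azure NSG inbound rule evaluation. It shows that a custom deny-all
# rule with a lower priority number than 65000 shadows the default
# AllowVnetInBound and AllowAzureLoadBalancerInBound rules, and that an
# explicit allow with an even lower number restores the traffic you want.
# Constructed for the illustration: VNET_CIDR, the IP addresses, and the
# "DropAll" and "AllowVnetHttps" rules. The three default rules and the
# "lowest number wins, first match stops" ordering follow Azure's documented
# behaviour; the model ignores direction, destination address and protocol.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_CIDR = ip_network("10.0.0.0/16")          # assumed vNet address space
AZURE_LB_PROBE = ip_address("168.63.129.16")   # address behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules: 100..4096, default rules: 65000 and above
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "*" or a service tag used below
    dest_port: str     # "*" or a single port number


def _src_matches(rule_src: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        # Real Azure also includes peered vNets and on-prem ranges; simplified here.
        return ip in VNET_CIDR
    if rule_src == "Internet":
        return ip not in VNET_CIDR
    if rule_src == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ip_network(rule_src)


def _port_matches(rule_port: str, port: int) -> bool:
    return rule_port == "*" or int(rule_port) == port


def evaluate(rules, src_ip: str, dst_port: int):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _src_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dst_port):
            return rule.access, rule.name
    # Unreachable in practice: DenyAllInBound at 65500 matches everything.
    return "Deny", "<implicit>"


# The default inbound rules every NSG carries and cannot delete.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# The pattern from the blog: a custom deny-all at the highest custom number.
BLOG_RULES = DEFAULT_INBOUND + [
    Rule("DropAll", 4096, "Deny", "*", "*"),
]

# What the answer describes: the intra-vNet traffic you still want must be
# allowed explicitly with a lower number than DropAll.
FIXED_RULES = BLOG_RULES + [
    Rule("AllowVnetHttps", 200, "Allow", "VirtualNetwork", "443"),
]


def compare(src_ip: str, dst_port: int) -> dict:
    """Evaluate one flow against all three rule sets for side-by-side reading."""
    return {
        "defaults_only": evaluate(DEFAULT_INBOUND, src_ip, dst_port),
        "blog": evaluate(BLOG_RULES, src_ip, dst_port),
        "fixed": evaluate(FIXED_RULES, src_ip, dst_port),
    }


if __name__ == "__main__":
    for src, port in [("10.0.1.4", 443), ("10.0.1.4", 22),
                      ("168.63.129.16", 80), ("203.0.113.7", 443)]:
        print(f"{src}:{port} -> {compare(src, port)}")
```

Running the module prints, for each sample flow, which rule decided it under the defaults alone, under the blog's rule set, and with the explicit allow added; the intra-vNet HTTPS flow goes from AllowVnetInBound to DropAll to AllowVnetHttps, while the health-probe source is dropped as soon as DropAll is present.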
