SOLVED

Azure network rules - stateful firewall


Hello Team,

There are so many different types of network rules in Azure. For example those defined for cloud services:

https://msdn.microsoft.com/en-us/library/azure/gg557551.aspx

Or network security groups for VM traffic.

Are any of those stateful firewalls? Do we track TCP sessions? And accept return traffic by default?

For example inbound security rules in NSG: it looks like returning traffic is accepted by default? Assuming it's matching the corresponding session (so we need to track TCP sessions). Are we stateful then?

Thanks,

1 Reply
Best Response confirmed by Michal Garcarz (Occasional Contributor)
Solution

Hi Michal,

Azure NSG rules are stateful, which means if you allow inbound traffic, the same outbound traffic is allowed.
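
The behaviour described in the answer, as an added illustration that is not code from the thread or from Azure: a toy rule evaluator with a flow table, run once stateful and once stateless against the same constructed packets. The class names, rule tuple format and addresses are assumptions made for the example, and list order stands in for NSG rule priority.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the VM
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow_key(self):
        # Direction-independent key: both halves of a connection map to it.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, *ends)

class RuleSet:
    """Toy model; rules are (direction, proto, dport, action), first match wins."""
    def __init__(self, rules, stateful=True):
        self.rules, self.stateful, self.flows = rules, stateful, set()

    def _match(self, pkt):
        for direction, proto, dport, action in self.rules:
            if (direction, proto) == (pkt.direction, pkt.proto) and dport in (pkt.dport, "*"):
                return action
        return "deny"  # nothing matched

    def evaluate(self, pkt):
        if self.stateful and pkt.flow_key() in self.flows:
            return "allow"  # belongs to a connection a rule already allowed
        action = self._match(pkt)
        if action == "allow" and self.stateful:
            self.flows.add(pkt.flow_key())  # create the flow record
        return action

# Constructed sample: inbound HTTPS allowed, all outbound TCP denied.
RULES = [("in", "tcp", 443, "allow"), ("out", "tcp", "*", "deny")]
SYN = Packet("in", "tcp", "203.0.113.10", 50000, "10.0.0.4", 443)
REPLY = Packet("out", "tcp", "10.0.0.4", 443, "203.0.113.10", 50000)
NEW_OUT = Packet("out", "tcp", "10.0.0.4", 51000, "198.51.100.7", 80)

def run(stateful):
    fw = RuleSet(RULES, stateful)
    return [fw.evaluate(p) for p in (SYN, REPLY, NEW_OUT)]

if __name__ == "__main__":
    print("stateful :", run(True))
    print("stateless:", run(False))
```

In the stateful run the reply passes despite the outbound deny rule because it matches the recorded flow, while the VM's own new outbound connection is still evaluated against the outbound rules and denied.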