Removing Inbound port rule in NSG not blocking traffic

Playing with JIT access to a Windows VM I wanted to close external RDP access prior to JIT time range expiration.

As there does not seem to be a suitable command I tried removing the JIT-generated 3389 allow rule from the NSG associated with both the NIC and the subnet. While that seemed to succeed, with the 3389 deny rule now taking precedence over the default rules as per the attached screenshot, my external RDP connection to the VM kept working without a hitch.

Any idea what I might be missing?

4 Replies
@STTHV 

An already established RDP connection to a VM will not be impacted by removing an Allow rule or creating a Deny rule. As stated in the documentation, traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction for at least a few minutes. If you tried to open a new RDP connection with the Deny rule in place, that connection would normally be blocked.

@hspinto 

Sadly I must have missed that part in the documentation, thanks for pointing it out to me! Do you see another option to lock out administrative access with immediate effect, i.e. without waiting for the set JIT window to expire?

@STTHV 

What you want to accomplish can be done from within the OS. For example, you could trigger an automation that would forcefully log off all active sessions.

Another option could also be using JIT integrated with Azure Firewall. Unlike NSGs, Azure Firewall drops existing sessions impacted by rule changes. More details here.
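As an added example (not code from this thread or from Microsoft) of the in-OS approach suggested above, and of why it is needed given that an NSG Deny rule leaves established RDP flows alone: a script that enumerates the VM's interactive sessions with the built-in `quser` tool and logs them off with `logoff`. It assumes it runs elevated on the Windows VM itself; the `-KeepUsers` and `-DryRun` parameters are assumed names, not anything the thread mentions.

```powershell
# Added example, not code from the thread or from Microsoft: force-log-off interactive
# sessions on a Windows VM so that an RDP session neither survives an NSG rule change
# nor lives on until the JIT window expires.
# Assumes it runs elevated on the VM itself (e.g. pushed through Run Command).
# quser and logoff are built-in Windows tools; the parameter names below are assumed.
param(
    [string[]]$KeepUsers = @(),   # accounts whose sessions must survive (e.g. a break-glass admin)
    [switch]$DryRun               # list what would be logged off without doing it
)

# quser prints: USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
# SESSIONNAME is empty for disconnected sessions, so parse with a regex, not by column position.
$pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'

$sessions = @()
foreach ($line in (quser 2>$null | Select-Object -Skip 1)) {
    if ($line -match $pattern) {
        $sessions += [pscustomobject]@{
            User    = $Matches.user
            Session = $Matches.session   # e.g. rdp-tcp#3 or console; $null when disconnected
            Id      = [int]$Matches.id
            State   = $Matches.state     # Active or Disc
        }
    }
}

if (-not $sessions) { Write-Output 'No interactive sessions found.'; return }

foreach ($s in $sessions) {
    if ($KeepUsers -contains $s.User) {
        Write-Output "Keeping session $($s.Id) for $($s.User)"
        continue
    }
    # Disconnected sessions are logged off as well: a user could otherwise reconnect to
    # the same desktop as soon as a new Allow rule appears.
    Write-Output "Logging off session $($s.Id) ($($s.User), $($s.Session), $($s.State))"
    if (-not $DryRun) {
        logoff $s.Id
    }
}
```

Pushed to the VM from outside with `Invoke-AzVMRunCommand -CommandId RunPowerShellScript -ScriptPath .\logoff-sessions.ps1`, the log-off takes effect immediately; the NSG Deny rule is still needed alongside it so that new connections are blocked too.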

Great, thanks for the hint to use JIT with the firewall!