
  • NSG rules

     samabc updated 6 months ago 2 Members · 3 Posts
  • samabc

    Member
    August 3, 2025 at 1:46 am

    > Your company has an Azure subscription that contains a virtual network with a subnet named TDSub1 and a virtual machine named TD1 with a public IP address and is configured to allow Remote Desktop Connections. TDSub1 is the subnet of TD1.

    > You created two network security groups named TDSG-TD1 attached to the network interface of TD1 and TDSG-TDSub1 attached to TDSub1.

    > You should modify the current custom rule of TDSG-TD1 by changing the ICMP protocol to TCP protocol or you can create a new inbound security rule in TDSG-TD1 that allows port 3389 traffic from the Internet using TCP protocol.

    I believe the above should read: You should modify the current custom rule of TDSG-TD1 by changing the ICMP protocol to TCP protocol and you must also create a new inbound security rule in TDSG-TDSub1 that allows port 3389 traffic from the Internet using TCP protocol.

  • Irene-TutorialsDojo

    Administrator
    August 4, 2025 at 12:54 pm

    Hi samabc,

    Thank you for your valuable feedback.

    We’ve carefully reviewed your suggestion in the context of the provided scenario. Accordingly, inbound traffic is first evaluated at the subnet-level NSG, and if allowed, it is then evaluated at the network interface-level (NIC) NSG.

    In this case, the subnet-level NSG (TDSG-TDSub1) already has an inbound rule that allows TCP traffic on port 3389, which is required for Remote Desktop Protocol (RDP). Therefore, no further changes are needed at the subnet level.

    The NIC-level NSG (TDSG-TD1), however, includes a custom rule that allows ICMP traffic on port 3389. Since RDP requires TCP, this rule does not permit proper connectivity. As such, TDSG-TD1 must be updated—either by modifying the existing rule to allow TCP or by creating a new rule that permits TCP traffic on port 3389.

    We truly appreciate your initiative in reviewing the content and helping us improve its accuracy. Please feel free to reach out if you have further questions or suggestions.

    Best,
    Irene @ Tutorials Dojo

    • samabc

      Member
      August 7, 2025 at 9:21 am

      > In this case, the subnet-level NSG (TDSG-TDSub1) already has an inbound rule that allows TCP traffic on port 3389,

      I don’t see that anywhere in the question. The question says (copy/paste):

      > TDSG-TDSub1 uses default inbound security rules while TDSG-TD1 has the default inbound security rules with a custom rule

      If TDSG-TDSub1 is using default inbound security rules then it does not have an inbound rule that allows TCP traffic on port 3389.

      Regards,

      Sam
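
Added example, not part of any post in this thread or of the course material: a simplified Python model of the inbound evaluation order described above (subnet NSG first, then NIC NSG), run over the rule combinations the thread discusses. The default rules are Azure's standard inbound defaults; the custom rules' names, priority and `Internet` source tag are assumptions, and service-tag matching is reduced to string equality.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # service tag or "*"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    port: str       # destination port or "*"
    access: str     # "Allow" or "Deny"

# Default inbound rules that Azure places in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]
# Constructed custom rules; names, priority and source tag are assumptions.
ICMP_3389 = Rule("Custom-ICMP-3389", 100, "Internet", "Icmp", "3389", "Allow")
TCP_3389 = Rule("Allow-RDP-TCP-3389", 100, "Internet", "Tcp", "3389", "Allow")

def evaluate(rules, source, protocol, port):
    """First rule that matches, in ascending priority order, decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.source in ("*", source) and r.protocol in ("*", protocol)
                and r.port in ("*", str(port))):
            return r.access, r.name
    return "Deny", "no-match"

def inbound(subnet_nsg, nic_nsg, source="Internet", protocol="Tcp", port=3389):
    """Inbound order: subnet NSG first, then NIC NSG; both must allow."""
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        access, name = evaluate(rules, source, protocol, port)
        if access == "Deny":
            return False, level, name
    return True, "nic", name

def scenarios():
    """RDP from the Internet to TD1 under each combination discussed in the thread."""
    d = DEFAULT_INBOUND
    return {
        "subnet default, nic ICMP rule": inbound(d, d + [ICMP_3389]),
        "subnet default, nic TCP rule": inbound(d, d + [TCP_3389]),
        "subnet TCP rule, nic ICMP rule": inbound(d + [TCP_3389], d + [ICMP_3389]),
        "subnet TCP rule, nic TCP rule": inbound(d + [TCP_3389], d + [TCP_3389]),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:32} -> {result}")
```

Each result is `(allowed, NSG level that made the final decision, rule name)`, so the output shows which NSG drops the RDP connection in each case.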
