Question on Azure Network Watcher Connection Troubleshoot port 443, TDNSG1
Neil-TutorialsDojo updated 3 weeks, 3 days ago · 2 Members · 2 Posts
Hi,
Happy to say that I passed my final exam with 96% but this question irks me. I realise that the two VMs are in the same VNet and so can communicate unless a NSG specifically blocks them, so it must be the Windows Firewall on TD2 that is only configured to allow ICMP traffic that must be blocking port 443, however… The rules are as follows:
Priority – Source – Destination – Protocol – Port – Action
300 – 10.0.1.0/24 – 10.0.2.0/24 – TCP – Any – Allow
310 – Any – 10.0.2.0/24 – TCP – Any – Deny
Since TD1 is in Subnet1 which is 10.0.1.0/24 and TD2 is in Subnet2 which is 10.0.2.0/24, and the priority 300 rule allows TCP traffic from Subnet1 to Subnet2, there is no specific way to infer that TDNSG1 is connected to TD2. If it were, HTTPS traffic would pass TCP port 443 from TD1 to TD2 just the same as if it weren’t connected and the VNet was just passing traffic. Therefore it might be connected or might not be. The question is just a wild guess, and totally unfair.
Unless I missed something, in which case would someone please enlighten me, as I would like to know what it was if so.
Thanks!
-
Hello Jay.Tee,
Good day!
Congratulations on achieving a remarkable score of 96% on your final exam! We appreciate your detailed feedback and understand the concern regarding the NSG rules and their impact on connectivity.
You are correct in noting that Rule 300, with a higher priority (lower number), allows TCP traffic from subnet 10.0.1.0/24 (TD1) to subnet 10.0.2.0/24 (TD2). Rule 310, with a lower priority, denies TCP traffic to 10.0.2.0/24. However, since Rule 300 permits this traffic, it should indeed allow TCP traffic, including port 443 (HTTPS), between TD1 and TD2.
Given the scenario, despite Rule 300 allowing TCP traffic from TD1 to TD2, the connection was still unreachable. This might be due to outbound rules or other factors not provided in the scenario.
We apologize for any confusion caused by this question. We will review it further to ensure clarity and accuracy. Thank you for your patience and for helping us improve the quality of our content.
Best regards,
Neil @ Tutorials Dojo
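Both posts above turn on how Azure evaluates NSG rules: rules are processed in ascending priority number and evaluation stops at the first match, so a Deny at 310 never overrides an Allow at 300. The simulator below is an added example written for this thread, not code from the original posts or from Tutorials Dojo. It models the two TDNSG1 rules quoted above together with Azure's real default inbound rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound), and then shows why the original question cannot be answered from the NSG alone: TD1 to TD2 on TCP 443 is allowed whether or not TDNSG1 is attached, and only the host firewall on TD2 changes the outcome. The VM addresses (10.0.1.4, 10.0.2.4), the VNet address space (10.0.0.0/16) used to expand the VirtualNetwork service tag, and the "ICMP-only" Windows Firewall on TD2 are constructed assumptions taken from the scenario, not values stated by Azure.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed values for the scenario (assumptions, not Azure facts)
VNET_ADDRESS_SPACE = "10.0.0.0/16"  # whole VNet; expands the "VirtualNetwork" service tag
TD1_IP = "10.0.1.4"                 # TD1 in Subnet1 (10.0.1.0/24)
TD2_IP = "10.0.2.4"                 # TD2 in Subnet2 (10.0.2.0/24)
TD2_HOST_FIREWALL_ALLOWS = {"ICMP"}  # Windows Firewall on TD2 allows only ICMP, as the post says


@dataclass(frozen=True)
class NsgRule:
    priority: int
    source: str        # CIDR, service tag ("VirtualNetwork", "AzureLoadBalancer") or "Any"
    destination: str   # same forms as source
    protocol: str      # "TCP", "UDP", "ICMP" or "Any"
    port: str          # "Any", a single port "443", or a range "80-443"
    action: str        # "Allow" or "Deny"


# The two TDNSG1 rules exactly as quoted in the question
TDNSG1 = [
    NsgRule(300, "10.0.1.0/24", "10.0.2.0/24", "TCP", "Any", "Allow"),
    NsgRule(310, "Any", "10.0.2.0/24", "TCP", "Any", "Deny"),
]

# Azure's built-in default inbound rules, present in every NSG
DEFAULT_INBOUND = [
    NsgRule(65000, "VirtualNetwork", "VirtualNetwork", "Any", "Any", "Allow"),
    NsgRule(65001, "AzureLoadBalancer", "Any", "Any", "Any", "Allow"),
    NsgRule(65500, "Any", "Any", "Any", "Any", "Deny"),
]

# Service-tag expansion: VirtualNetwork covers the VNet address space (assumed above);
# AzureLoadBalancer is the platform health-probe address 168.63.129.16.
SERVICE_TAGS = {
    "VirtualNetwork": [VNET_ADDRESS_SPACE],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


def _match_addr(spec: str, ip: str) -> bool:
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))


def _match_port(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: list[NsgRule], src_ip: str, dst_ip: str, protocol: str, port: int) -> NsgRule:
    """Return the first rule (lowest priority number) that matches the flow.

    Azure stops at the first match, so once rule 300 allows a flow, rule 310 is never consulted.
    The DenyAllInBound default guarantees that some rule always matches.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "Any" and rule.protocol != protocol:
            continue
        if not (_match_addr(rule.source, src_ip) and _match_addr(rule.destination, dst_ip)):
            continue
        if not _match_port(rule.port, port):
            continue
        return rule
    raise RuntimeError("no rule matched; default rules are missing")


def nsg_verdict(nsg_attached: bool, src_ip: str, protocol: str, port: int) -> tuple[str, int]:
    """NSG decision for traffic from src_ip to TD2, with or without TDNSG1 attached to Subnet2."""
    rules = (TDNSG1 if nsg_attached else []) + DEFAULT_INBOUND
    rule = evaluate(rules, src_ip, TD2_IP, protocol, port)
    return rule.action, rule.priority


def td2_reachable(nsg_attached: bool, protocol: str, port: int) -> bool:
    """End-to-end reachability from TD1 to TD2: NSG must allow AND the TD2 host firewall must allow."""
    action, _ = nsg_verdict(nsg_attached, TD1_IP, protocol, port)
    return action == "Allow" and protocol in TD2_HOST_FIREWALL_ALLOWS


if __name__ == "__main__":
    for attached in (True, False):
        print(f"TDNSG1 attached={attached}: TD1->TD2 TCP/443 NSG verdict {nsg_verdict(attached, TD1_IP, 'TCP', 443)}, "
              f"reachable={td2_reachable(attached, 'TCP', 443)}, ICMP reachable={td2_reachable(attached, 'ICMP', 0)}")
    print("Other subnet 10.0.3.4 -> TD2 TCP/443 with TDNSG1:", nsg_verdict(True, "10.0.3.4", "TCP", 443))
```

Running it shows the poster's point directly: `nsg_verdict` returns Allow for TD1 to TD2 on TCP 443 in both cases (rule 300 when the NSG is attached, default rule 65000 when it is not), while `td2_reachable` is False for TCP 443 and True for ICMP in both cases because of the host firewall. The only flow where attaching TDNSG1 makes a visible difference is one from outside Subnet1, such as 10.0.3.4, which hits rule 310 and is denied; Connection Troubleshoot from TD1 never exercises that path, so it cannot tell you whether the NSG is associated.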