Block Internet Access on Azure VM using NSG (Network Security Group)

In this short post, we will look at a quick way to block outbound internet traffic for an Azure VM or subnet, to restrict your users from accessing the internet and potentially reaching harmful sites.

To get started, we need to create a new Network Security Group. Type Network Security Group in the Azure search bar, then select Network Security Group.

To create a new Network Security Group, click on + Create.

Select your subscription and Resource Group, then provide a name for your NSG and a region. Once that is done, click on “Review and Create”.

Now that we have a new NSG created, let's go to Outbound Rules and lock down internet access for this NSG. Click on + Add to create a new outbound rule.

Specify your Source: Any

Source Port: *

Destination: Here you select “Service Tag”

Destination Service tag: Internet

Service: HTTP

Protocol: TCP

Next, we need to specify whether the rule is allow or block, and then provide the rule with a name and description. Click on Add to complete the rule and make it active.

Perform the same action for HTTPS as well.

Source: Any

Source Port Range: *

Destination: Service Tag

Destination Service Tag: Internet

Service: HTTPS

Destination Port Range: 443

Protocol: TCP

Lastly, specify Block, then provide a name for the rule with a description and click Add.

Let’s go ahead and assign this new Network Security Group to the subnet where we have the Azure Virtual Machines running.

On the NSG (Network Security Group), navigate to Settings and then click on Subnets.

On the Subnets settings page, click on Associate.

Select the subnet which you would like to associate with the newly created Network Security Group and then click OK.

Your new NSG will be associated with your existing VNET and Subnets.
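
The portal steps above can also be scripted with the Azure CLI; the script below is an added example, not part of the original post, and with `DRY_RUN=1` (the default) it only prints the `az` commands instead of running them. The resource group, NSG, VNET and subnet names, the region, the rule names and the rule priorities are placeholder assumptions.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps (not the author's code).
# All resource names, the region and the priorities are placeholder assumptions.
RG="${RG:-rg-example}"
LOCATION="${LOCATION:-westeurope}"
NSG="${NSG:-nsg-block-internet}"
VNET="${VNET:-vnet-example}"
SUBNET="${SUBNET:-subnet-example}"

# With DRY_RUN=1 (the default) commands are printed, not executed.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the empty Network Security Group.
create_nsg() {
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
}

# deny_outbound NAME PRIORITY PORT
# Deny TCP from any source and source port to the Internet service tag on PORT.
deny_outbound() {
  run az network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" \
    --direction Outbound --access Deny --protocol Tcp \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes Internet \
    --destination-port-ranges "$3"
}

# Attach the NSG to the subnet that hosts the virtual machines.
associate_subnet() {
  run az network vnet subnet update --resource-group "$RG" \
    --vnet-name "$VNET" --name "$SUBNET" --network-security-group "$NSG"
}

main() {
  create_nsg
  deny_outbound Deny-HTTP-Internet-Out 100 80     # Service: HTTP
  deny_outbound Deny-HTTPS-Internet-Out 110 443   # Service: HTTPS
  associate_subnet
}

main
```

Set `DRY_RUN=0` and override the variables with your own resource names to apply the changes after reviewing the printed commands.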

Now that we have our NSG associated with our subnet, let's go ahead and test the connection on our Azure VM.

Open a browser on your VM and enter your favorite website. I’ll go for www.thatlazyadmin.com

As you can see from the browser results, the website can’t be reached.

You can also use the Connection Troubleshooting tool, which you can find under the Support + troubleshooting section of the Virtual Machine.

From the Connection Troubleshoot page, select Outbound Connection, set the connection destination to “Service Tag” and the service tag to “Internet”. In the Destination Port section, select HTTP and protocol TCP.

Once done, click on Test Connection to test if your virtual machine can reach outside.

Test Connection will show the following result: the port is blocked by a security rule created by a user.

Hope this helps someone who wants to create some control in their environment.

#HappyBlocking Internet 😊

One Comment

  1. james james

    Thanks for sharing, this is an excellent article.

    Just a question, can you also select custom and port 80,443 rather than Internet?

    One rule rather than two?
