Block Internet Access on Azure VM using NSG (Network Security Group)
In this short post, we will look at a quick way to block outbound Internet traffic for an Azure VM or subnet, to restrict your users from accessing the internet and potentially reaching harmful sites.
To get started, we need to create a new Network Security Group. Type Network Security Group in the Azure search bar and select Network Security Group.
To create a new Network Security Group, click on + Create.
Select your subscription and Resource Group, then provide a name for your NSG and a region. Once that is done, click on “Review and Create”.
Now that we have a new NSG created, let’s go to Outbound Rules and lock down Internet access for this NSG. Click on + Add to create a new Outbound rule.
Specify your Source: Any
Source Port: *
Destination: Here you select “Service Tag”
Destination Service tag: Internet
Service: HTTP
Protocol: TCP
Next, we need to specify whether the rule is allow or block, and then provide the rule with a Name and Description. Click on Add to complete the rule and make it active.
Perform the same action for HTTPS as well.
Source: Any
Source Port Range: *
Destination: Service Tag
Destination Service Tag: Internet
Service: HTTPS
Destination Port Range: 443
Protocol: TCP
Lastly, set the action to Block, then provide a name for the rule with a description and click Add.
Let’s go ahead and assign this new Network Security Group to the subnet where we have the Azure Virtual Machines running.
On the NSG (Network Security Group), navigate to Settings and then click on Subnets.
On the Subnets settings page, click on Associate.
Select the subnet that you would like to associate with the newly created Network Security Group and then click OK.
Your new NSG will be associated with your existing VNET and Subnets.
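The portal steps above can also be scripted with the Azure CLI. The script below is an added example, not part of the original post: the resource names, region and rule priorities are placeholders, and the VNet and subnet are assumed to exist already. It only prints the commands unless it is run with APPLY=1.

```shell
#!/bin/sh
# Added example: scripted form of the portal steps above.
# All resource names, the region and the priorities are placeholders.
set -eu

RG="${RG:-rg-demo}"                 # resource group (placeholder)
LOCATION="${LOCATION:-westeurope}"  # region (placeholder)
NSG="${NSG:-nsg-block-internet}"    # NSG name (placeholder)
VNET="${VNET:-vnet-demo}"           # existing VNet (placeholder)
SUBNET="${SUBNET:-subnet-vms}"      # existing subnet holding the VMs (placeholder)

# Dry run by default: print each command. Run with APPLY=1 to execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

create_nsg() {
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
}

# deny_rule NAME PRIORITY PORT: outbound TCP deny to the Internet service tag.
# Custom priorities (100-4096) are evaluated before the default
# AllowInternetOutBound rule (65001), so the deny wins.
# --destination-port-ranges also accepts a space-separated list (e.g. 80 443),
# so both ports can live in a single rule.
deny_rule() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" --direction Outbound --access Deny \
    --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes Internet --destination-port-ranges "$3"
}

associate_subnet() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group "$NSG"
}

main() {
  create_nsg
  deny_rule Deny-HTTP-Out 100 80     # same settings as the HTTP rule above
  deny_rule Deny-HTTPS-Out 110 443   # same settings as the HTTPS rule above
  associate_subnet
}

main
```

These two rules only cover TCP ports 80 and 443; outbound traffic on other ports or protocols is still matched by the NSG's default outbound rules.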
Now that we have our NSG associated with our subnet, let’s go ahead and test the connection on our Azure VM.
Open a browser on your VM and enter your favorite website. I’ll go for www.thatlazyadmin.com
As you can see from the browser results, the website can’t be reached.
You can also use the Connection Troubleshooting tool, which you can find under the Support + troubleshooting section of the Virtual Machine.
From the Connection Troubleshoot page, select Outbound Connection, set the connection destination to “Service Tag” and the Service Tag to “Internet”. In the Destination Port section, select HTTP and Protocol TCP.
Once done, click on Test Connection to test whether your virtual machine can reach outside.
Test Connection will show the following result: the port is blocked by a security rule created by a user.
Hope this helps someone who wants to create some control in their environment.
#HappyBlocking Internet 😊
Thanks for sharing, this is an excellent article.
Just a question, can you also select custom and port 80,443 rather than Internet?
One rule rather than two?