Network Security Groups in Azure — The Fundamentals: Which Direction to Apply Rules, What Would Source and Target Ports Be, Does Return Reply Traffic Need to Be Explicitly Permitted? (2/3)

Clients on Internet trying to access a web page hosted by Azure Virtual Machine

A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record.

The flow record allows a network security group to be stateful.

If you specify an outbound security rule to any address over port 80, for example, it’s not necessary to specify an inbound security rule for the response to the outbound traffic.

You only need to specify an inbound security rule if communication is initiated externally.

The opposite is also true. If inbound traffic is allowed over a port, it’s not necessary to specify an outbound security rule to respond to traffic over the port.

NSG Rule for Allowing HTTPS traffic to work

When a client connects to a server (for example, a Linux or Windows server in the cloud), a random port from the ephemeral port range (1024–65535) becomes the client’s source port.

The designated ephemeral port becomes the destination port for return traffic from the service.

The server always listens for incoming traffic on fixed ports:

22 for SSH, 80/443 for HTTP or HTTPS, 3389 for RDP
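To make the two points above concrete (return traffic is admitted by the flow record, not by an extra rule, and the client's source port is ephemeral so an inbound rule must match it with `*`), here is an added toy model of stateful NSG evaluation. It is example code written for this post, not Azure's implementation; the `Rule`/`Nsg` classes, the IPs and port 51515 are constructed, and the default rule set is simplified to deny-all so the effect of each explicit rule is visible.

```python
"""Toy model of stateful NSG rule evaluation (constructed example, not Azure code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    priority: int       # lower number is evaluated first, as in Azure
    direction: str      # "Inbound" or "Outbound"
    src_port: str       # "*" or a single port, e.g. "443"
    dst_port: str
    action: str         # "Allow" or "Deny"


def port_matches(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


@dataclass
class Nsg:
    rules: list
    # flow records of allowed connections: (src_ip, src_port, dst_ip, dst_port)
    flows: set = field(default_factory=set)

    def evaluate(self, direction, src_ip, src_port, dst_ip, dst_port) -> str:
        # A reply has the 4-tuple of its flow reversed; if that flow exists,
        # it is allowed by the flow record alone, with no rule lookup at all.
        if (dst_ip, dst_port, src_ip, src_port) in self.flows:
            return "Allow (existing flow)"
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if (rule.direction == direction
                    and port_matches(rule.src_port, src_port)
                    and port_matches(rule.dst_port, dst_port)):
                if rule.action == "Allow":
                    self.flows.add((src_ip, src_port, dst_ip, dst_port))
                return rule.action
        return "Deny"   # simplified stand-in for the default DenyAll rules


def demo():
    # Correct rule: any source port, destination port 443, inbound only.
    nsg = Nsg([Rule(100, "Inbound", "*", "443", "Allow")])
    client, vm = "203.0.113.10", "10.0.0.4"        # constructed addresses
    request = nsg.evaluate("Inbound", client, 51515, vm, 443)
    reply = nsg.evaluate("Outbound", vm, 443, client, 51515)   # no outbound rule
    rdp = nsg.evaluate("Inbound", client, 51516, vm, 3389)     # not allowed
    # Common mistake: pinning the source port to 443 never matches a client.
    wrong = Nsg([Rule(100, "Inbound", "443", "443", "Allow")])
    mistaken = wrong.evaluate("Inbound", client, 51515, vm, 443)
    return request, reply, rdp, mistaken


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the reply from port 443 to the client's ephemeral port is allowed by the flow record even though the only rule is inbound, while the externally initiated RDP attempt and the mis-pinned source port both fall through to deny.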
