Azure – Access Control with Load Balancer VMs Having Individual Public IP Addresses

Tags: azure, azure-networking

I have an Azure standard public load balancer with a few web server VMs behind it. I also need the VMs to have an individual public static IP each (not load balanced) for management stuff, so I've added a public IP to the NIC of each VM. A Network Security Group sits on the VM subnet to control access.

My setup functions, but there are a couple of issues.

To get load balanced traffic to nginx on the VMs I (seemingly) needed to add an NSG rule allowing "Internet" access to the ports nginx is listening on (7080, 7443), with the destination being the Application Security Group the VMs are part of. This however also opens the ports to the internet on the public IP addresses, which I don't really want.

Is the access rule correct?

Is there a way to control access on the public IPs, at least so that you can't connect to nginx except via the ALB?

Best Answer

Is the access rule correct?

Yes, it's correct, you need to open these ports nginx is listening on if you want load balanced traffic to nginx on the VMs.

Is there a way to control access on the public IPs, at least so that you can't connect to nginx except via the ALB?

Unfortunately, it's impossible to control access only for the ALB with an NSG. Generally, you can use an NSG to filter network traffic at the subnet or NIC level by priority, using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. In this case, whether you access the backend VMs via the ALB or via the individual public IP addresses, you have the same ports, destination and protocol for every inbound rule.

Ref: Azure Network Security Groups (NSG) – Best Practices and Lessons Learned
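The following is an added example, not part of the question or the answer above, that models why the NSG cannot tell the two paths apart. It is a toy evaluator of inbound NSG rules, not Azure's implementation: it assumes the documented behaviour that Azure translates the public destination address (load balancer frontend or instance-level public IP) to the NIC's private IP before NSG rules are evaluated while keeping the client's source address. The addresses, VM names, ASG name and rule names are constructed for the example, and the "Internet" tag is simplified to "any source outside the virtual network".

```python
"""Toy model of Azure NSG inbound evaluation (added example, not from the post).
Shows that a client reaching nginx through the load balancer frontend and a
client reaching the same VM through its own public IP produce the identical
5-tuple at the NIC, so one rule necessarily covers both paths."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: two web VMs in one subnet, each with an instance-level
# public IP, plus a standard public load balancer frontend in front of them.
SUBNET = ip_network("10.0.1.0/24")
VM_PRIVATE = {"web-1": "10.0.1.4", "web-2": "10.0.1.5"}
VM_PUBLIC = {"web-1": "203.0.113.10", "web-2": "203.0.113.11"}
LB_FRONTEND = "203.0.113.50"
ASG_MEMBERS = {"web-asg": {"web-1", "web-2"}}     # Application Security Group
HEALTH_PROBE_SRC = "168.63.129.16"                # where Azure LB health probes originate


@dataclass(frozen=True)
class Flow:                     # the 5-tuple an NSG evaluates
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str                 # service tag ("Internet", "VirtualNetwork",
                                # "AzureLoadBalancer"), "*" or a CIDR
    dst_asg: Optional[str]      # destination ASG name, or None for any
    dst_ports: frozenset        # empty = any port
    proto: str                  # "Tcp", "Udp" or "*"
    action: str                 # "Allow" or "Deny"


# Azure's default inbound rules (lowest priority, evaluated last).
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", None, frozenset(), "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", None, frozenset(), "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", None, frozenset(), "*", "Deny"),
]

# The rule the question describes: Internet -> ASG on the nginx ports.
NSG_RULES = [
    Rule(100, "allow-nginx-from-internet", "Internet", "web-asg",
         frozenset({7080, 7443}), "Tcp", "Allow"),
]


def flow_at_nic(src_ip, src_port, dst_public_ip, dst_port, proto, lb_target=None):
    """Return the 5-tuple the NSG sees. The public destination is translated to
    the NIC's private IP before rule evaluation; the client source is kept."""
    if dst_public_ip == LB_FRONTEND:
        dst_private = VM_PRIVATE[lb_target]          # load balancer chose a backend
    else:
        vm = next(v for v, ip in VM_PUBLIC.items() if ip == dst_public_ip)
        dst_private = VM_PRIVATE[vm]                  # instance-level public IP
    return Flow(src_ip, src_port, dst_private, dst_port, proto)


def source_matches(selector, src_ip):
    ip = ip_address(src_ip)
    if selector == "*":
        return True
    if selector == "Internet":                # simplified: anything outside the VNet
        return ip not in SUBNET
    if selector == "VirtualNetwork":
        return ip in SUBNET
    if selector == "AzureLoadBalancer":       # only the health-probe source, not clients
        return src_ip == HEALTH_PROBE_SRC
    return ip in ip_network(selector)


def evaluate(rules, flow, vm_name):
    """First matching rule by ascending priority decides; returns (name, action)."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if not source_matches(r.source, flow.src_ip):
            continue
        if r.dst_asg and vm_name not in ASG_MEMBERS[r.dst_asg]:
            continue
        if r.dst_ports and flow.dst_port not in r.dst_ports:
            continue
        if r.proto != "*" and r.proto != flow.proto:
            continue
        return r.name, r.action
    raise AssertionError("unreachable: DenyAllInBound always matches")


def compare_paths(client_ip="198.51.100.7", client_port=51000, port=7443):
    """Same client hitting web-1 via the LB frontend and via its own public IP."""
    via_lb = flow_at_nic(client_ip, client_port, LB_FRONTEND, port, "Tcp", lb_target="web-1")
    direct = flow_at_nic(client_ip, client_port, VM_PUBLIC["web-1"], port, "Tcp")
    return via_lb, direct, evaluate(NSG_RULES, via_lb, "web-1"), evaluate(NSG_RULES, direct, "web-1")


if __name__ == "__main__":
    via_lb, direct, lb_result, direct_result = compare_paths()
    print("via LB:  ", via_lb, lb_result)
    print("direct:  ", direct, direct_result)
    print("tuples identical:", via_lb == direct)
```

Running it shows both flows collapse to the same `Flow(198.51.100.7, 51000, 10.0.1.4, 7443, Tcp)` and hit `allow-nginx-from-internet`, while a port not in the rule falls through to `DenyAllInBound`. The `AzureLoadBalancer` service tag is modelled as matching only the probe source 168.63.129.16, which is why a rule with that tag as source does not admit client traffic arriving through the frontend either.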
