
Communication between 2 VMs in a Virtual Network on Azure

I have an access problem between two resources located in the same virtual network.

Concretely, I have a VM with an SQL instance on the SubNet "Data" inside the VNet "Common".

I have another VM with a Reporting Service instance on the "Front" SubNet, also inside the "Common" VNet.

The two VMs are therefore under the same VNet but under two different SubNets.

When I try to connect to the SQL database from the Reporting instance, I get an error message telling me that it cannot be accessed.

I solved the problem by adding, by hand, a rule in the NSG of my SubNet "Data" to allow communications from the IP of the "Reporting" VM on the SQL port.

And as soon as I do that, it works. I can connect to the SQL database which is on the SubNet "Data" from the Reporting of the SubNet "Front".

But what I don't understand is that my SubNet "Data" already contains an inbound rule on its NSG that allows all inbound connections (on all ports) if the call is from the virtual network. It is a rule present by default (called AllowVnetInBound).

Normally, I shouldn't have to add a specific rule for my VM Reporting. Especially since my VM has a dynamic IP, so this solution is not viable.

What am I missing?

Why is the rule "AllowVnetInBound", which takes "VirtualNetwork" as its source, not enough?

Edit: These are the NSG inbound rules for the "Data" SubNet. I have outlined in green the rule that I must add for the communication to work. Without this rule, communication does not work.

[Screenshot: NSG inbound rules for the "Data" subnet]

Are there any other custom lower-priority rules above the default "AllowVnetInbound" rule?

This kind of scenario typically happens when you have added a lower priority custom rule on top of the default rule (like "AllowVnetInbound"), which logically would be blocking the default rule.

If this does not answer your question, please share a screenshot of the NSG rules in the earlier state before you set up the custom rule manually.

If this answers your question, please mark the explanation as accepted.
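As an added illustration (not code from the question or any of the answers), the following Python emulates how an NSG evaluates inbound rules: ascending priority number, first match wins, so any custom rule numbered below 65000 is checked before the default AllowVnetInBound and can shadow it. The rule set, the VNet address space and the VM addresses are constructed sample values.

```python
import ipaddress

# Assumed address space of VNet "Common"; the "VirtualNetwork" service tag resolves to it.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]

def rule(name, prio, access, proto="*", src="*", dst="*", dport="*"):
    """Build a rule dict using the ARM securityRules property names."""
    return {"name": name, "priority": prio, "access": access, "protocol": proto,
            "sourceAddressPrefix": src, "destinationAddressPrefix": dst,
            "destinationPortRange": dport}

# Constructed sample of the "Data" subnet's inbound rules: one custom rule plus Azure's
# three default inbound rules (always present at priorities 65000 / 65001 / 65500).
DATA_INBOUND = [
    rule("DenyTcp1433", 100, "Deny", proto="Tcp", dport="1433"),  # custom, shadows the default
    rule("AllowVnetInBound", 65000, "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", src="AzureLoadBalancer"),
    rule("DenyAllInBound", 65500, "Deny"),
]

def prefix_matches(prefix, ip):
    ip = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(ip in net for net in VNET_PREFIXES)
    if prefix[0].isalpha():          # any other service tag is not resolved in this demo
        return False
    return ip in ipaddress.ip_network(prefix, strict=False)

def port_matches(rng, port):
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")   # single port "1433" or range "1433-1434"
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, src_ip, dst_ip, dst_port, proto="Tcp"):
    """NSG semantics: evaluate by ascending priority number; the first match decides."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["protocol"].lower() in ("*", proto.lower())
                and prefix_matches(r["sourceAddressPrefix"], src_ip)
                and prefix_matches(r["destinationAddressPrefix"], dst_ip)
                and port_matches(r["destinationPortRange"], dst_port)):
            return r["name"], r["access"]
    return None

def rules_ahead_of(rules, name="AllowVnetInBound"):
    """Names of rules evaluated before the given default rule, i.e. those able to shadow it."""
    cutoff = next(r["priority"] for r in rules if r["name"] == name)
    return [r["name"] for r in sorted(rules, key=lambda r: r["priority"]) if r["priority"] < cutoff]
```

Run `rules_ahead_of` against the real rule list (for example the JSON from `az network nsg rule list`) to see which custom rules are consulted before AllowVnetInBound; an empty list means the default rule is the first thing intra-VNet traffic hits.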

Subnets within one virtual network can communicate with each other without any extra configuration.


By default, the VM in subnet "Data" should be able to communicate with the VM in subnet "Front", as both subnets are in the same Virtual Network. We do not need to create any additional inbound or outbound rules. Sometimes, even though the VMs are in the same virtual network, they might not be able to communicate with each other because of the firewall settings inside the VMs.

So, the firewall needs to be turned off inside both VMs so that they will be able to communicate with each other.

Once the firewall inside both VMs is turned off, you would be able to connect to the SQL database from the Reporting instance.
