
Azure VNets: "Evaluation Order" of NSGs and UDRs

We're building a Hub & Spoke network in Azure with NSGs at the spoke network's subnets. Now we'd like to allow a workload in one of the spokes to make outbound connections to a destination on the internet (TCP, 443). The traffic shall be sent through an NVA in the hub network.

The UDR of the spoke's subnet is configured like this:

Address Prefix: 0.0.0.0/0, Next Hop Type: Virtual Appliance, Next Hop: <IP of Firewall>

How do we need to configure the NSG's outbound rules in this particular scenario?

a) Allow, Source: Virtual Network, Destination: Virtual Network

b) Allow, Source: Virtual Network, Destination: IP Addresses, Destination IP: <IP of Firewall>

c) Allow, Source: Virtual Network, Destination: Any

IMO a) and b) would mean that the UDR is "evaluated" first, while option c) would mean that the NSG is applied before the routing takes place.

I very much appreciate your help and/or links to some documentation on this topic that I wasn't able to find so far.

• According to what you have asked with regards to the priority of consideration by the Azure Network Resource Management fabric and its design by default, the first priority will be given to the UDR (User Defined Rule) in which the source and destination IP addresses are correctly defined between the virtual networks, even if a network virtual appliance is used for forwarding the traffic in between them, because when a virtual network is created, Azure automatically creates routes for every subnet defined during its creation. Thus, when routes are created, the first and priority routes are created and implemented for address ranges that are defined address spaces within the same virtual network, hence implying that by design, the default evaluation priority is given to those UDRs, if their priority is not set by the user, whose source and destination reachable valid IP addresses are correctly defined. Please refer to the below workflow diagram for good understanding: -

UDR workflow

• Thus, as per your post, you have asked the evaluation priority for the below UDRs: -

a) Allow, Source: Virtual Network, Destination: Virtual Network

b) Allow, Source: Virtual Network, Destination: IP Addresses, Destination IP: <IP of Firewall>

c) Allow, Source: Virtual Network, Destination: Any

Of the above, the second (b) formatted UDR will be evaluated as 'first' in priority, then the first UDR (a) in priority, and then the third (c) UDR, as it is defined for any IP address originating from the virtual network without any defined destination.

• Hence, accordingly, you should go with creating the UDRs in the second (b) format as it will get by default prioritized and 'evaluated' correctly by Azure. For more information regarding this topic, kindly refer to the documentation link below: -

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default

http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
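As an added illustration (not from the original question or answer), the following Python model of the Azure outbound dataflow matches the NSG rules against the packet's own destination address first and only then consults the route table (longest prefix match) for the next hop. All addresses are constructed, the built-in AllowInternetOutBound default rule is assumed to be overridden by a custom deny-all rule, and the three rule sets correspond to options a), b) and c) from the question.

```python
import ipaddress

# Constructed sample values (not from the original post).
FIREWALL_IP = "10.0.1.4"                          # NVA in the hub
VNET_PREFIXES = ["10.0.0.0/16", "10.1.0.0/16"]    # hub + spoke address spaces
INTERNET_DST = "203.0.113.10"                     # arbitrary public address (TEST-NET-3)

# Routes as (prefix, next hop type, next hop IP): the VNet system routes plus the
# 0.0.0.0/0 UDR from the question. Longest prefix match decides.
ROUTES = [(p, "VirtualNetwork", None) for p in VNET_PREFIXES] + [
    ("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP),
]

# NSG outbound rules as (name, destination, port, action), in priority order.
# Destination is a service tag ("VirtualNetwork", "Any") or a list of prefixes.
# Assumption: the built-in AllowInternetOutBound rule has been overridden, so the
# only fallback is the built-in DenyAllOutBound rule.
OPTIONS = {
    "a": [("allow-vnet", "VirtualNetwork", 443, "Allow")],
    "b": [("allow-fw", [FIREWALL_IP + "/32"], 443, "Allow")],
    "c": [("allow-any", "Any", 443, "Allow")],
}

def dest_matches(dest, dst_ip):
    ip = ipaddress.ip_address(dst_ip)
    if dest == "Any":
        return True
    prefixes = VNET_PREFIXES if dest == "VirtualNetwork" else dest
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def nsg_allows(rules, dst_ip, dst_port):
    """NSG rules are matched against the packet's own destination, before routing."""
    for name, dest, port, action in rules:
        if dest_matches(dest, dst_ip) and port in ("*", dst_port):
            return action == "Allow", name
    return False, "DenyAllOutBound"

def next_hop(routes, dst_ip):
    """Route lookup after the NSG has allowed the packet: longest prefix wins."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    _, hop_type, hop_ip = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return hop_type, hop_ip

def evaluate(option, dst_ip=INTERNET_DST, dst_port=443):
    """Returns which NSG rule decided the packet and, if allowed, the chosen next hop."""
    allowed, rule = nsg_allows(OPTIONS[option], dst_ip, dst_port)
    return {"nsg": rule, "next_hop": next_hop(ROUTES, dst_ip) if allowed else None}
```

Running `evaluate("b")` shows the firewall-IP rule never matches a packet addressed to the internet, because the NVA is the next hop, not the packet's destination; only option c) lets that packet reach the route lookup that forwards it to the NVA.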
