Azure-docs: No example with VMs in the same subnet

Created on 17 Dec 2018 · 14 Comments · Source: MicrosoftDocs/azure-docs

There is no example with application order of NSG rules for VMs inside the same subnet.

In real life today, even if the NSG is applied to the subnet, it limits communication between VMs inside the same subnet.



Pri1 assigned-to-author doc-enhancement triaged virtual-networsvc

All 14 comments

@ivanignatiev
Thanks for your feedback! We will investigate and update as appropriate.

@ivanignatiev How NSGs evaluate rules is described here. For 2 VMs in the same subnet, the subnet NSG is evaluated first, then the outbound NIC's NSG is next, and last is the inbound NIC's NSG.

Please let me know if you need any additional information.

@TravisCragg-MSFT The current example presented in the documentation is based on the VM <-> Internet case. If possible, add a few examples (or extend the current one) with internal-to-VNet communication, VM <-> VM, i.e.:

  • VM1 and VM2 in Subnet 1 with NSG1 applied to Subnet1
  • VM1 in Subnet1 and VM2 in Subnet2, with NSG1 applied to Subnet1 and NSG2 applied to Subnet2

And/or say explicitly in the documentation that the NSG associated with a Subnet always controls traffic even if the VMs are in the same Subnet, because people often imagine an NSG as a firewall, so when we say that an NSG at the Subnet level can block/allow traffic inside the Subnet, everybody has the impression that traffic goes out of the Subnet and returns back each time.

So, I propose to clarify those points in the documentation.

Thank you!

@ivanignatiev Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

@TravisCragg-MSFT Thank you! I would also appreciate some examples with Internal Load Balancers and NSGs at the Subnet and NIC levels.

I too would like to reinforce the need to document the "east-west" behaviour of NSGs as described by ivanignatiev on Dec 18th 2018. The "How Traffic Is Evaluated" section only covers north-south traffic, and for completeness should cover east-west traffic for VM1<->VM2 and maybe even VM1<->VM3.
Thanks.. JD

@KumudD @malopMSFT This issue was owned by Jim Dial, Assigning you two as you are now the current owner.

Any update on this? I agree with the OP - it's not too obvious from any of the MS Azure docco what happens when you add a deny 'any source' to 'any destination' on a subnet-level NSG as an explicit override rule, for example. In this case it actually blocks traffic between VMs in the same subnet unless you explicitly open the required ports to allow intra-subnet communication.

I am very glad I found this thread, I was having the exact same confusion and also not realizing NSGs applied to East-West traffic in the same subnet. I hope this documentation is updated soon!

More confusion! The Cloud Adoption Framework guide specifically says that NSGs do NOT block East West traffic inside of a subnet. I've submitted a request on that page, but I would say it's pretty urgent that the Microsoft docs AGREE with each other.

Link and copy of confusing language below:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/migrate/azure-best-practices/migrate-best-practices-networking#best-practice-secure-northsouth-and-eastwest-traffic

Best practice: Secure north/south and east/west traffic
When securing VNets, it's important to consider attack vectors.
Using only subnet NSGs simplifies your environment, but only secures traffic into your subnet. This is known as north/south traffic.
Traffic between VMs on the same subnet is known as east/west traffic.
It's important to use both forms of protection, so that if a hacker gains access from the outside they'll be stopped when trying to attack machines located in the same subnet.

@cmcapellan I ended up logging a Premier support request and have had confirmation from MS support that a subnet-level NSG rule is essentially applied to the NIC of each VM on that subnet.
I don't understand why they can't explicitly just call this out in the documentation - all their diagrams only show north/south traffic flows... should be pretty easy to update this doc with a simple diagram and explanation rather than have their customers figure it out the hard way...

This discussion adds to my confusion, because I always assumed traffic between VMs in a single subnet is always allowed due to the default rules (those with priority 65000). Now I am thinking about no rules being applied from the NSG associated with the subnet at all (only those associated with the NICs, if any), versus rules being applied (but the 65000 rules allow the traffic unless explicitly denied by a higher-priority rule).
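The following is a constructed model of the behaviour the thread converges on, added here as an illustration; it is not Microsoft's code and does not come from the linked documentation. It assumes the evaluation order given on the NSG rule-evaluation page (for outbound traffic the NIC NSG is processed before the subnet NSG, for inbound traffic the subnet NSG before the NIC NSG), a VNet address space of 10.0.0.0/16, and two VMs at 10.0.1.4 and 10.0.1.5 in subnet 10.0.1.0/24; those addresses, the NSG names and the rule names are all sample values. It reproduces the "deny any source to any destination" case raised above, the explicit intra-subnet allow that unblocks one port, and the reason east/west traffic passes when no custom rule exists: the AllowVnetInBound/AllowVnetOutBound defaults at priority 65000.

```python
"""Constructed model of Azure NSG rule evaluation for east/west traffic.

Illustration for this thread, not Microsoft's code. It models the behaviour
confirmed above: a subnet-level NSG is applied to every NIC in the subnet,
so a flow between two VMs in the same subnet is checked against (assumed
order, taken from the NSG documentation):
  source side:      NIC NSG outbound rules, then subnet NSG outbound rules
  destination side: subnet NSG inbound rules, then NIC NSG inbound rules
Within one NSG, rules are tried by ascending priority and the first match
wins; Azure's default rules (priority 65000 and up) sit behind every NSG.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")          # assumed VNet address space
AZURE_LB = ip_address("168.63.129.16")    # Azure load balancer probe address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str            # "Inbound" or "Outbound"
    access: str               # "Allow" or "Deny"
    protocol: str = "*"       # "Tcp", "Udp" or "*"
    src: str = "*"            # CIDR, "*", or a service tag
    dst: str = "*"
    dst_port: str = "*"       # "*", "22" or a range like "80-443"


def _addr_match(spec: str, addr: str) -> bool:
    a = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return a in VNET
    if spec == "Internet":
        return a not in VNET
    if spec == "AzureLoadBalancer":
        return a == AZURE_LB
    return a in ip_network(spec)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Azure's built-in default rules: they cannot be removed, only outranked
# by a custom rule with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", src="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dst="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


@dataclass
class NSG:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, direction, proto, src, dst, port):
        """Return (access, 'nsg/rule') for the first matching rule by priority."""
        for r in sorted(self.rules + DEFAULT_RULES, key=lambda r: r.priority):
            if r.direction != direction or r.protocol not in ("*", proto):
                continue
            if _addr_match(r.src, src) and _addr_match(r.dst, dst) and _port_match(r.dst_port, port):
                return r.access, f"{self.name}/{r.name}"
        return "Deny", f"{self.name}/DenyAll"   # unreachable: a DenyAll* default always matches


def flow_allowed(src, dst, port, proto="Tcp", subnet_nsg=None, src_nic_nsg=None, dst_nic_nsg=None):
    """Walk a same-subnet flow through every NSG it crosses; the first Deny ends it.

    Returns (allowed, trace); trace holds one (direction, rule, access) per stage.
    The subnet NSG appears twice because it is applied on both VMs' NICs.
    """
    stages = [("Outbound", src_nic_nsg), ("Outbound", subnet_nsg),
              ("Inbound", subnet_nsg), ("Inbound", dst_nic_nsg)]
    trace = []
    for direction, nsg in stages:
        if nsg is None:
            continue
        access, rule = nsg.evaluate(direction, proto, src, dst, port)
        trace.append((direction, rule, access))
        if access == "Deny":
            return False, trace
    return True, trace


VM1, VM2 = "10.0.1.4", "10.0.1.5"          # constructed: both in subnet 10.0.1.0/24
EMPTY_SUBNET_NSG = NSG("nsg-subnet1")      # only the default rules apply
# The case from the thread: an explicit deny any-any on the subnet NSG outranks
# AllowVnetInBound (65000) and blocks VM1 -> VM2 although the packet never leaves the subnet.
DENY_ALL_SUBNET_NSG = NSG("nsg-subnet1", [Rule("DenyAnyAny", 100, "Inbound", "Deny")])
# The fix the thread describes: an explicit, higher-priority intra-subnet allow.
SUBNET_NSG_WITH_SSH = NSG("nsg-subnet1", [
    Rule("AllowSshIntraSubnet", 90, "Inbound", "Allow", "Tcp", src="10.0.1.0/24", dst_port="22"),
    Rule("DenyAnyAny", 100, "Inbound", "Deny"),
])


def demo():
    return {
        "defaults_only": flow_allowed(VM1, VM2, 22, subnet_nsg=EMPTY_SUBNET_NSG),
        "deny_all": flow_allowed(VM1, VM2, 22, subnet_nsg=DENY_ALL_SUBNET_NSG),
        "deny_all_ssh_allowed": flow_allowed(VM1, VM2, 22, subnet_nsg=SUBNET_NSG_WITH_SSH),
        "deny_all_rdp_still_blocked": flow_allowed(VM1, VM2, 3389, subnet_nsg=SUBNET_NSG_WITH_SSH),
    }


if __name__ == "__main__":
    for name, (ok, trace) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
        for stage in trace:
            print("   ", *stage)
```

The trace makes the point the thread is after: with only the default rules, the flow is allowed by AllowVnetOutBound and then AllowVnetInBound, both from the subnet NSG, so the subnet NSG is very much in the path; a custom deny at priority 100 wins over those 65000 defaults, and only an allow with a lower priority number than the deny reopens a port. The model covers same-subnet flows only, since that is the case the thread discusses; a flow to a destination outside the subnet would hit a different subnet NSG on the inbound side.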

This doc issue has been addressed.

please-close
