We are currently facing an issue with the connectivity of our Azure VMs, specifically related to Internet access. Despite implementing NSG rules and creating exceptions for specific VMs, we are encountering difficulties in establishing Internet connections.
Here is a brief overview of our setup:
We are a small fintech company utilizing Azure services. Our network follows the Hub and Spoke method inspired by the Azure Cloud Adoption framework, with three subscriptions. We have a functioning Azure Firewall and Sentinel in place. VM onboarding is done through the portal and Azure Site Recovery Failover, resulting in 35 online VMs. Our domain controller, hosted on Azure under an identity subscription, communicates with both Azure VMs and the internal network in our offices. The specific issue revolves around NSG rules and Internet access exceptions. We have meticulously created inbound and outbound rules for SQL, ICMP, RDP, and SSH, with an exception for Internet access. However, despite these configurations working initially, we have experienced disruptions recently.
Efforts made to resolve the issue:
We created a test PC on Azure to analyze and troubleshoot NSG rules, encountering the same connectivity issue.
An Application Security Group (ASG) was established for Internet access testing, with the test PC placed on it. Despite allowing Internet access, the test PC remains unable to connect, showing an "Access Denied" message, with the "DenyAllInBound" rule taking precedence.
Attached to this email, you will find an image illustrating our NSG rules and ASG setup.