Azure NSG VirtualNetwork ServiceTag is allowing External IP addresses

Question

Azure NSG VirtualNetwork ServiceTag is allowing External IP addresses

Apurva Pathak 755

Hi folks,

I'm facing a weird scenario while testing an Azure NSG rule for an external IP.

I have an NSG with an outbound rule to allow traffic from VirtualNetwork to VirtualNetwork on Any port, Any protocol.

However, for some godly reasons, this rule appears to be allowing public IP connections. I validated this with Network Watcher NSG Diagnostics as well Connection Troubleshoot, both show the same results.

I even, tried running a traceroute from the OS, of the VM to which this NSG is applied to, and the traffic crossed the NGS.

Could anyone please help me understand this behavior. Is it an issue with NSG which I shall report to MS or am I missing something here.

PS: this IP is of m.facebook.com and certainly not hosted with us.

Name: star-mini.c10r.facebook.com

Addresses: 2a03:2880:f158:181:face:b00c:0:25de

157.240.214.35

Aliases: m.facebook.com

PFB snips of NSG rule and the test results.

NSG Rule: {564F72E9-9CB1-4524-BACC-5D5572972BC1} Diagnostics results: User's image

Thanks!

Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-23T12:36:03.43+00:00
Hello Apurva Pathak

I understand that your Azure NSG rule is behaving unexpectedly by allowing outbound traffic to a public IP, even though the rule is set to allow traffic only within VirtualNetwork. This is expected behavior under certain conditions, not a bug. Here are some possible explanations and troubleshooting steps:

The VirtualNetwork tag in NSG rules includes all subnets within the same virtual network, but it may also include peered networks or VPN connections. If your VM is using a VPN or ExpressRoute, traffic may be routed differently than expected.

If a custom route table is applied to the subnet, it may be redirecting traffic to the internet. Check Azure Route Tables to see if there is a 0.0.0.0/0 route forcing traffic out.

Azure NSGs have default outbound rules that allow traffic to the internet unless explicitly denied.

Check if there is an ALLOW INTERNET OUTBOUND rule that might be overriding your VirtualNetwork rule.

Your outbound rule likely only allows VirtualNetwork → VirtualNetwork, but the default NSG rule allows outbound Internet traffic.

So even though your custom rule doesn’t match, the traffic is still allowed by the default rule unless you’ve explicitly denied it.

Add an explicit deny rule before the default one to block all internet access except to internal VNets.

Could you please share the screenshot of Connection troubleshoot by clicking on see details.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Apurva Pathak 755 Reputation points

2025-05-23T13:33:06.45+00:00

Hi @Sindhuja Dasari,

Thanks for your response.

As explained in the original ask, the traffic is getting out via the Vnet-to-Vnet NSG rule and not the default one (snips are pasted in the question for reference).

Moreover, even if I have a route table added to the subnet, the NSG rule must work as configured else it poses a very severe risk.

Are these limitations, which you've outlined above, documented by MS, if yes, would you be kind enough to share that please.

Thanks
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-23T14:45:56.18+00:00

Hello Apurva Pathak

Thanks for your response.
I understand your concern about the security risk and have initiated a private message requesting some details. Could you please share the information so we can assist you further.
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-26T05:01:24.92+00:00

Hello Apurva Pathak
I've provided a thorough explanation in private message. Please review the details.
Apurva Pathak 755 Reputation points

2025-05-26T08:26:39.0033333+00:00

Thanks @Sindhuja Dasari,

Thanks, does explain this issue!

However, I really feel this behavior is deceiving and can cause security risks. Do we have any plans to fix this any near future?

Thanks

Accepted answer

0 additional answers

Your answer

Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-23T12:36:03.43+00:00

Hello Apurva Pathak

I understand that your Azure NSG rule is behaving unexpectedly by allowing outbound traffic to a public IP, even though the rule is set to allow traffic only within VirtualNetwork. This is expected behavior under certain conditions, not a bug. Here are some possible explanations and troubleshooting steps:

The VirtualNetwork tag in NSG rules includes all subnets within the same virtual network, but it may also include peered networks or VPN connections. If your VM is using a VPN or ExpressRoute, traffic may be routed differently than expected.

If a custom route table is applied to the subnet, it may be redirecting traffic to the internet. Check Azure Route Tables to see if there is a 0.0.0.0/0 route forcing traffic out.

Azure NSGs have default outbound rules that allow traffic to the internet unless explicitly denied.

Check if there is an ALLOW INTERNET OUTBOUND rule that might be overriding your VirtualNetwork rule.

Your outbound rule likely only allows VirtualNetwork → VirtualNetwork, but the default NSG rule allows outbound Internet traffic.

So even though your custom rule doesn’t match, the traffic is still allowed by the default rule unless you’ve explicitly denied it.

Add an explicit deny rule before the default one to block all internet access except to internal VNets.

Could you please share the screenshot of Connection troubleshoot by clicking on see details.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Apurva Pathak 755 Reputation points

2025-05-23T13:33:06.45+00:00

Hi @Sindhuja Dasari,

Thanks for your response.

As explained in the original ask, the traffic is getting out via the Vnet-to-Vnet NSG rule and not the default one (snips are pasted in the question for reference).

Moreover, even if I have a route table added to the subnet, the NSG rule must work as configured else it poses a very severe risk.

Are these limitations, which you've outlined above, documented by MS, if yes, would you be kind enough to share that please.

Thanks
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-23T14:45:56.18+00:00

Hello Apurva Pathak

Thanks for your response.
I understand your concern about the security risk and have initiated a private message requesting some details. Could you please share the information so we can assist you further.
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-26T05:01:24.92+00:00

Hello Apurva Pathak
I've provided a thorough explanation in private message. Please review the details.
Apurva Pathak 755 Reputation points

2025-05-26T08:26:39.0033333+00:00

Thanks @Sindhuja Dasari,

Thanks, does explain this issue!

However, I really feel this behavior is deceiving and can cause security risks. Do we have any plans to fix this any near future?

Thanks

Answer 1

Hello Apurva Pathak

Thanks for your response.

Yes, we do have a plan to introduce customer service tags aka IP groups, but this is still in design so no timelines to share yet.

Just summarizing our private message conversation here for community benefit.:

Since you are routing all the VM traffic from the spoke VNet to the Hub VNet where the virtual appliance is located, the traffic will traverse from the source VNet to the destination VNet via VNet peering. Therefore, the NSG outbound rules prioritize VNet-to-VNet traffic, allowing traffic from the source VM to the destination firewall as next hop.

When you add a UDR on your Spoke Subnets to use Azure Firewall for default outbound (0.0.0.0/0 -> Azure Firewall IP), the VirtualNetwork service tag on the NSG attached to the Spoke Subnets gets 0.0.0.0/0 prefix value.

Refer https://learn.microsoft.com/en-us/answers/questions/1279843/issue-with-virtualnetwork-service-tag-when-using-u

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Azure NSG VirtualNetwork ServiceTag is allowing External IP addresses

0 additional answers

Your answer