Cannot access my services after upgrade from basic to standard load balancer via PowerShell

Question

Cannot access my services after upgrade from basic to standard load balancer via PowerShell

Nick Beaugié 20

I was notified that I had to upgrade my Load Balancer from Basic to Standard.

But now I cannot connect to any of my websites running there - and I can't connect to RDP either.

I ran the script shown here.

https://learn.microsoft.com/en-gb/azure/load-balancer/upgrade-basic-standard-with-powershell

Just one command needed

Start-AzBasicLoadBalancerUpgrade -ResourceGroupName TheSquadWebSer-Migrated -BasicLoadBalancerName TheSquadWebSer-PublicLoadBalancer

And it reports as being successful.

However, now my services don't work. I run a small charity and now our supporters cannot visit our website.

Nick Beaugié 20 Reputation points

2025-07-22T18:38:41.37+00:00

I tried to raise a support call so that a Microsoft engineer with knowledge could connect to my subscription and possibly help me. However, it sends me here instead.

To be clear - all was working properly before this PowerShell upgrade, which is supposed to be a supported path.

Accepted answer

0 additional answers

Your answer

Nick Beaugié 20 Reputation points

2025-07-22T18:38:41.37+00:00

I tried to raise a support call so that a Microsoft engineer with knowledge could connect to my subscription and possibly help me. However, it sends me here instead.

To be clear - all was working properly before this PowerShell upgrade, which is supposed to be a supported path.

Answer 1

Pradeep Kommaraju 785 Microsoft Employee

Hello Nick ,

Thanks for reaching pout to Microsoft Q and A Forum,

Standard Load Balancers are secure by default:

All inbound and outbound traffic is denied unless explicitly allowed via Network Security Groups (NSGs).
Unlike Basic Load Balancers, Standard ones do not allow traffic automatically.

Steps to Fix It

Check and Update NSGs

Go to the Network Security Group associated with:
- The subnet or
  - The NIC of your VMs
  - Ensure inbound rules exist for:
    - TCP 80/443 (for websites)
      - TCP 3389 (for RDP)
      - Also ensure outbound rules allow internet access if needed.

Verify Load Balancer Rules

Go to the Standard Load Balancer in the Azure Portal.
Check:
- Frontend IP configuration (should be Standard SKU and static)
  - Load balancing rules (for web traffic)
    - Inbound NAT rules (for RDP access to individual VMs)

Health Probes

Ensure health probes are correctly configured and that your VMs are responding to them.
If probes fail, the Load Balancer will not forward traffic to those VMs.

Public IP Configuration

If your VMs had instance-level public IPs, they may have changed or been removed during the upgrade.
You may need to:
- Reassign static public IPs
  - Or use NAT rules on the Load Balancer for access

References

[1] Troubleshoot common problems with Azure Load Balancer

[2] AzLoadBalancerMigration/AzureBasicLoadBalancerUpgrade/README.md at main ...

I hope these steps really helped you with the resolution if so, please do accept the answer,
if not do get back to us with more questions.

Nick Beaugié 20 Reputation points

2025-07-22T18:49:13.8633333+00:00

I'm afraid I don't fully understand all the steps you describe.

In the Portal, I first browse to show my Virtual Machine.

Then, I click Networking / Network settings

Then, I click on that big link for the Network interface / IP configuration

And finally on Network Security Group. Where I see this - saying "None"
Pradeep Kommaraju 785 Reputation points Microsoft Employee

2025-07-22T18:58:47.8966667+00:00
It looks like your VM's Network Interface (NIC) has no firewall rules applied, as indicated by the Network Security Group (NSG) showing "None".

However, your VM might still be blocked due to:

An NSG attached to the Subnet (common in Standard Load Balancer scenarios).

The Standard Load Balancer's default security settings requiring NSG rules at either the Subnet or NIC level to allow traffic.

To resolve this issue, follow these steps:

Check the Subnet NSG:

Navigate to your Virtual Network (VNet) → Subnets.

Locate the subnet where your VM is situated.

Check if an NSG is attached to the subnet.

If yes, click on that NSG and add the needed Inbound Rules (RDP, HTTP, HTTPS).

If no NSG is attached at the subnet level, you'll need to attach one.

Attach an NSG if None Exists:

Option A: Attach to NIC (Simpler, VM-specific)

Go to your VM → Networking → Network Interface → Network Security Group → Associate.

Create or select an existing NSG.

Option B: Attach to Subnet (Affects all VMs in that subnet)

Navigate to Virtual Network → Subnets → Select your subnet → Associate NSG.

Choose or create an NSG.

Add Required Inbound Rules:

Once the NSG is attached (either to NIC or Subnet), add rules for Port 3389 (RDP), 80 (HTTP), and 443 (HTTPS).

This is essential because Standard Load Balancers block all inbound traffic by default. Without an NSG explicitly allowing traffic, your VM will remain unreachable.

Thanks
Nick Beaugié 20 Reputation points

2025-07-22T19:33:13.17+00:00

Sorry, I'm still struggling here and I can't follow all of your instructions exactly. Here is what I have:

Under my Virtual Network / Settings / Subnets, I see this.

Indeed, there is no NSG associated with Subnet-1.

Trying Option A

I go to the VM, but I don't see "Network Interface" as an option, I see "Network Settings". But in the centre here, I do see a "Network interface / IP configuration".

I click on this one. And then, under settings, I see "Network security group".

...but I don't see any option to "Associate".

Trying Option B

Refer to the first screenshot on this post.

I click to select Subnet-1, but I don't see the word "associate" anywhere on the UI.
Pradeep Kommaraju 785 Reputation points Microsoft Employee

2025-07-22T20:20:21.7+00:00
You will have to explicitly create the NSG Rules to be able to associate it with either of subnet or VM NIC , please follow these steps:

Attach an NSG and Allow Required Ports You can do this in two ways:

Option 1 – Attach NSG to the VM (NIC level)

(Recommended if only 1 VM needs access)

Create an NSG

In the Azure Portal, search “Network security groups” → +Create.

Name it (e.g., My-VM-NSG) and click Review + Create → Create.

Attach NSG to the VM

Go to your VM → Networking (or Network Settings).

Click the Network Interface / IP configuration link in the center.

Click Network security group → select your new NSG → Save.

Add Inbound Rules to the NSG

Go to Network security groups → Your NSG → Inbound security rules → +Add:
- __RDP__: TCP, Port 3389, Allow, Priority 100 - __HTTP__: TCP, Port 80, Allow, Priority 110 - __HTTPS__: TCP, Port 443, Allow, Priority 120

Option 2 – Attach NSG to the Subnet (Subnet level)

(Recommended if multiple VMs in the subnet need the same rules)

Create an NSG (same steps as above, e.g., My-Subnet-NSG).

Attach NSG to the Subnet

Go to your Virtual Network → Subnets.

Click the subnet where your VM is running (e.g., Subnet-1).

Under Network security group, select your NSG → Save.

Add Inbound Rules

Same rules as above (RDP, HTTP, HTTPS).

Step 3 – Test

Try RDP to your VM (mstsc → Public IP) and open your website in a browser.

✅ Summary

NIC-level NSG = only affects one VM.

Subnet-level NSG = affects all VMs in that subnet.

Without these NSG rules, the Standard Load Balancer will continue blocking inbound connections.
Nick Beaugié 20 Reputation points

2025-07-22T20:47:23.3766667+00:00

Pradeep - thank you so much!

I have now got it working and have verified that RDP works, along with my HTTPS websites. I chose Option 1 as I have only one VM behind the LB.

One thing to note though. My RDP rule has a warning against it.

The warning message is

`RDP port 3389 is exposed to the Internet. This is only recommended for testing. For production environments, we recommend using a VPN or private connection.

Save`
Nick Beaugié 20 Reputation points

2025-07-22T20:55:23.9133333+00:00

Pradeep. Thank you very much!

I chose Option 1 as I only have one VM behind the LB. I have tested now with RDP and HTTPS and all works again.

Just to note though, I get an warning message with the RDP rule.

The error message is

RDP port 3389 is exposed to the Internet. This is only recommended for testing. For production environments, we recommend using a VPN or private connection.
Pradeep Kommaraju 785 Reputation points Microsoft Employee

2025-07-22T21:04:06.97+00:00
The warning you received isn’t an error but a security recommendation from Azure.

What It Means:

You have opened RDP (3389) to the entire internet (Source: Any).

Can You Ignore It?

For quick testing or temporary fixes: Yes, you can ignore it temporarily.

For production or long-term use: You should take action to secure it.

Best Practices (What You Should Do):

Restrict the Source IP:

Edit your NSG RDP rule and change the Source from Any to Your Public IP (you can find it at whatismyip.com). This way, only you can RDP into the VM.

Use Just-in-Time (JIT) VM Access (Better for production):

Available in Microsoft Defender for Cloud, JIT VM Access opens port 3389 only when requested and only for your IP.

Use VPN or Bastion (Most Secure – Production):

Deploy Azure Bastion or set up a VPN to avoid exposing RDP publicly.

I’m glad to hear that your issue has been resolved. Please consider accepting the answer to assist others who may face similar issues.
Nick Beaugié 20 Reputation points

2025-07-23T09:22:04.1833333+00:00

Thank you very much, Pradeep. I will use one of those approaches.

Share via

Cannot access my services after upgrade from basic to standard load balancer via PowerShell

0 additional answers

Your answer