Using Network Security Groups with Internal Load Balancer

Q. I have created a Network Security Group and applied to a subnet in my Azure Virtual Network however the Azure Internal Load Balancer can no longer probe the VMs. Why?

A. Network Security Groups (NSG) contain a number of inbound and outbound rules and can be applied to either a VM or a virtual subnet. It is important to understand what actually happens when a NSG is applied to a virtual subnet. What is actually happening is that the NSG is applied to each VM that is connected to the virtual subnet and is not an "edge firewall" running on the interface of the virtual subnet itself. This can be thought of as similar to how Group Policy is applied when linked to an Organizational Unit. The Group Policy Object is not actually applied to the OU but instead applied to the objects within the OU. This is an important concept to understand. If you have an Internal Load Balancer that is probing a port you may expect it to just work since its within the same virtual subnet as the VMs. But because the rules are enforced on the actual VMs within the virtual subnet the traffic from the Internal Load Balancer is inspected against the rules in the applied NSG and if the Internal Load Balancer is not allowed then it will be unable to probe the required port.

By default, the Internal Load Balancer has an allow rule for inbound communication in NSGs as documented at https://msdn.microsoft.com/en-us/library/azure/dn848316.aspx which uses the special AZURE_LOADBALANCER tag. If you have configured your own rules you need to ensure you have an inbound allow rule for AZURE_LOADBALANCER and either all destination ports or the port it uses to probe. This allow rule would need to be before (with a higher priority) than any deny rules.