AzureDebug / FixBeginner · 4 min read

How to Fix NSG Blocking Traffic in Azure: Simple Steps

To fix NSG blocking traffic in Azure, review the NSG's inbound and outbound rules for a deny rule that matches your traffic, or for the absence of an allow rule that covers it. Rules are evaluated in priority order (lowest number first) and the first match wins, so an allow rule must carry a lower priority number than any deny rule that would also match the same traffic. Add or adjust the allow rule for the required protocol, port and source address range, then confirm the NSG is actually associated with the subnet or network interface that carries the traffic.

Why This Happens

Network Security Groups (NSGs) control traffic to and from Azure resources by allowing or denying it based on rules. Each rule has a priority; the NSG evaluates rules from the lowest number upward and stops at the first one whose protocol, ports and address prefixes match. Every NSG also carries default rules at priorities 65000 and above: inbound traffic from the virtual network (AllowVnetInBound, 65000) and from the Azure load balancer (AllowAzureLoadBalancerInBound, 65001) is allowed, and everything else inbound is denied by DenyAllInBound (65500). A resource behind an NSG with no custom rules therefore already rejects all inbound traffic from the internet. If traffic is blocked, it means either a deny rule matched first or no allow rule covers that port, protocol or source address, so your application or service does not receive or send traffic as expected. NSGs are stateful: once a flow is allowed in one direction, its return traffic is permitted automatically without a rule in the other direction.

```hcl
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # A catch-all deny at priority 100: it matches every inbound packet and is
  # evaluated before any rule with a higher number, so nothing can get in.
  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
```
Output
All inbound traffic is denied: the catch-all 'DenyAllInbound' rule at priority 100 matches every packet before any other rule is considered.

The Fix

To fix the blocking, add an allow rule for the required traffic and give it a lower priority number than the deny rule, or remove the custom deny rule altogether and rely on the default DenyAllInBound rule. In Azure a lower number means the rule is evaluated earlier and the first match wins, so an allow at 100 beats a deny at 200; moving the deny rule to a smaller number would make the problem worse, not better. The example below allows inbound TCP port 80 for HTTP from any source and keeps a custom catch-all deny at 200. Note what that custom deny does: because 200 is evaluated before the default rules at 65000 and 65001, it also blocks traffic from the rest of the virtual network and Azure load balancer health probes on every port except 80. If that is not intended, omit the custom deny and let DenyAllInBound (65500) handle it. Where the clients are known, narrow source_address_prefix to their address range instead of "*".

```hcl
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Evaluated first (lowest number): allow HTTP from any source.
  security_rule {
    name                       = "AllowHTTPInbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Evaluated second: deny everything the rule above did not match.
  # This also precedes the default Allow rules at 65000/65001, so VNet traffic
  # and load balancer probes on ports other than 80 are denied as well.
  security_rule {
    name                       = "DenyAllOtherInbound"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
```
Output
Inbound TCP traffic on port 80 is allowed; all other inbound traffic, including traffic from the virtual network and load balancer probes on other ports, is denied by the custom rule at 200.

Prevention

Always plan your NSG rules before applying them: define explicit allow rules for the traffic you need, assign them lower priority numbers than any deny rule that could match the same flows, and leave gaps between priorities (100, 110, 120, ...) so later rules can be slotted in without renumbering. Use descriptive names so a reviewer can tell what each rule is for. Test connectivity after every change, and use Azure Network Watcher to diagnose traffic flow issues: IP flow verify (`az network watcher test-ip-flow`) tells you which rule allowed or denied a specific packet, and the effective security rules view (`az network nic list-effective-nsg`) shows the merged result of the subnet and NIC NSGs plus the default rules.

Related Errors

Other common issues include:

  • Outbound deny rules blocking connections the resource itself initiates, such as package downloads or calls to an API. Because NSGs are stateful, the response to an allowed inbound flow does not need its own outbound rule; if responses appear blocked, look for a different cause.
  • NSGs associated with both the subnet and the network interface. Inbound traffic must be allowed by the subnet NSG and then by the NIC NSG (outbound is evaluated NIC first, then subnet), so an allow rule added to one of them is still overridden by a deny in the other.
  • Address prefixes that do not match the real client or server IPs, for example a rule written for an internal range when clients arrive from the internet with public addresses, or an allow list that omits the NAT address the clients actually egress from.
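As an added example (not code from this page or from Azure), the following Python models how an NSG evaluates inbound traffic: custom rules in ascending priority order, first match wins, then the default rules at 65000 and above. It reproduces the 'before' and 'after' NSGs from the fix above, shows what happens when the allow and deny priorities are swapped, why the custom catch-all deny at 200 blocks Azure load balancer probes on ports other than 80, and how a subnet NSG and a NIC NSG combine (the conflicting-NSG case in the list above). The service-tag prefixes, the 10.0.0.0/8 virtual network range and the 203.0.113.5 client address are constructed for the example; 168.63.129.16 is Azure's documented load balancer health probe source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags modelled as fixed prefixes for this example (assumption; real tags
# expand to Azure-maintained prefix lists). 168.63.129.16 is Azure's documented
# load balancer health probe source; 10.0.0.0/8 is a constructed VNet range.
SERVICE_TAGS = {
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "VirtualNetwork": ["10.0.0.0/8"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # custom rules use 100-4096; lower number = evaluated first
    access: str             # "Allow" or "Deny"
    protocol: str = "*"     # "Tcp", "Udp", "Icmp" or "*"
    dest_port: str = "*"    # "*", a single port "80", or a range "8000-8080"
    source: str = "*"       # "*", a CIDR/IP, or a service tag name


# Azure's default inbound rules: evaluated after every custom rule, cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "*", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_matches(spec: str, src_ip: str) -> bool:
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])   # a service tag or a literal prefix
    addr = ip_address(src_ip)
    return any(addr in ip_network(p) for p in prefixes)


def evaluate(custom_rules, src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """Return (access, rule_name) of the first matching rule in priority order."""
    ordered = sorted(custom_rules, key=lambda r: r.priority) + DEFAULT_INBOUND
    for rule in ordered:
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not port_matches(rule.dest_port, dst_port):
            continue
        if not source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    return "Deny", "no-match"  # unreachable while DenyAllInBound is present


def inbound_allowed(subnet_rules, nic_rules, src_ip: str, dst_port: int,
                    protocol: str = "Tcp") -> bool:
    """Inbound traffic must pass the subnet NSG first and then the NIC NSG.
    None means no NSG is associated at that level."""
    for rules in (subnet_rules, nic_rules):
        if rules is not None and evaluate(rules, src_ip, dst_port, protocol)[0] == "Deny":
            return False
    return True


# The page's 'before' NSG: a catch-all deny at 100 shadows everything.
BROKEN = [Rule("DenyAllInbound", 100, "Deny")]

# The page's fix: allow HTTP at 100, custom catch-all deny at 200.
FIXED = [
    Rule("AllowHTTPInbound", 100, "Allow", "Tcp", "80"),
    Rule("DenyAllOtherInbound", 200, "Deny"),
]

# Same allow rule, relying on the default DenyAllInBound (65500) instead of a custom deny.
FIXED_NO_CUSTOM_DENY = [Rule("AllowHTTPInbound", 100, "Allow", "Tcp", "80")]

# Priorities swapped: moving the deny to the smaller number puts it first.
SWAPPED = [
    Rule("DenyAllOtherInbound", 100, "Deny"),
    Rule("AllowHTTPInbound", 200, "Allow", "Tcp", "80"),
]

CLIENT = "203.0.113.5"        # constructed internet client
LB_PROBE = "168.63.129.16"    # Azure load balancer health probe source

if __name__ == "__main__":
    print("before, HTTP from internet:", evaluate(BROKEN, CLIENT, 80))
    print("fixed, HTTP from internet:", evaluate(FIXED, CLIENT, 80))
    print("fixed, SSH from internet:", evaluate(FIXED, CLIENT, 22))
    print("fixed, LB probe on 8080:", evaluate(FIXED, LB_PROBE, 8080))
    print("no custom deny, LB probe on 8080:", evaluate(FIXED_NO_CUSTOM_DENY, LB_PROBE, 8080))
    print("swapped priorities, HTTP:", evaluate(SWAPPED, CLIENT, 80))
    print("subnet allows, NIC NSG with no custom rules:", inbound_allowed(FIXED, [], CLIENT, 80))
```

The last case is the one that catches people most often: the subnet NSG was fixed, but a second NSG on the network interface still has only its default rules, and its own DenyAllInBound rejects the packet. The effective security rules view on the NIC shows that merged result directly, which is faster than reading both NSGs by hand.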

Key Takeaways

Check the NSG for deny rules that match your traffic, and remember the default DenyAllInBound rule at 65500 blocks anything no allow rule covers.
Add explicit allow rules with the correct protocol, ports and source address ranges.
Give allow rules a lower priority number than the deny rules they must beat: the lowest number is evaluated first and the first match wins.
Test every change and use Network Watcher's IP flow verify and effective security rules to see which rule, on the subnet or the NIC NSG, actually decided the packet.
Keep NSG rules clearly named and documented to avoid accidental blocks.