I have a NSG for controlling inbound traffic to my VM. One of the rules controls inbound TCP traffic on port 5061. We only want traffic to come from a specific group of external IP addresses, otherwise the traffic will be dropped.
Is there a way to have a group of IP addresses defined for the source entry of the rule where I can easily modify that list after the rule is created? I thought that Azure IP Groups would be the answer, but that is not an option in the drop-down list.
This is a common feature for most firewall appliances I have used.
Thank you.
CodePudding user response:
You can use an Azure Network Security Group (NSG) with a source IP address prefix that references an Azure Virtual Network (VNet) address space.
You can create a subnet in a VNet, and assign the IP addresses that you want to allow traffic from to that subnet. Then, in your NSG rule, you can use the source IP address prefix of the subnet as the source IP address.
P.S. Azure Firewall and Azure Front Door Service both allow you to define IP address groups as well, as part of their configuration.
CodePudding user response:
Unfortunately, NSGs do not offer this functionality. Although you can specify multiple source (public or private) IP addresses within one NSG rule, you would always have to modify that particular rule when you need to change the list of IP addresses, which makes it a little inconvenient - particularly if you use the same list of IP addresses across multiple NSGs. Services like Azure Firewall do have such functionality and, like you mentioned, 3rd parties offer this as well. But those services come with additional costs.
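The answer above is correct that an NSG rule has no reusable IP group, so the rule itself has to be rewritten whenever the allowlist changes. What makes that tolerable in practice is keeping the list in a file under version control and regenerating the rule from it, which is what the following added example does (it is not code from the thread or from Azure). It validates every entry before touching the rule so that a typo cannot silently widen the source to something unintended, and it uses `az network nsg rule update --source-address-prefixes`, which takes space-separated prefixes. The resource group, NSG and rule names are placeholders, and the addresses in the sample allowlist are constructed documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the source list of an existing NSG rule
# from a plain-text allowlist file. Assumed placeholder names below.
set -f   # no pathname expansion: allowlist entries are split on dots/spaces, never globbed
RESOURCE_GROUP=${RESOURCE_GROUP:-rg-demo}
NSG_NAME=${NSG_NAME:-nsg-vm}
RULE_NAME=${RULE_NAME:-Allow-5061-In}

# valid_prefix ENTRY: accept "a.b.c.d" or "a.b.c.d/nn" (octets 0-255, prefix 0-32), reject all else.
valid_prefix() {
  vp_ip=${1%%/*}
  vp_mask=${1#*/}
  if [ "$vp_mask" != "$1" ]; then
    case $vp_mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$vp_mask" -le 32 ] || return 1
  fi
  vp_old_ifs=$IFS
  IFS=.
  set -- $vp_ip          # split on dots; "$@" is now the list of octets
  IFS=$vp_old_ifs
  [ $# -eq 4 ] || return 1
  for vp_octet in "$@"; do
    case $vp_octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$vp_octet" -le 255 ] || return 1
  done
  return 0
}

# build_prefix_args FILE: print the validated entries as one space-separated line, the form
# `az network nsg rule update --source-address-prefixes` expects. Blank lines and '#' comments
# are ignored; any malformed entry aborts the whole run so a typo never widens the rule.
build_prefix_args() {
  bp_file=$1
  bp_out=""
  while IFS= read -r bp_line || [ -n "$bp_line" ]; do
    bp_line=${bp_line%%#*}
    set -- $bp_line                 # default IFS: trims whitespace, exposes stray tokens
    [ $# -gt 0 ] || continue
    if [ $# -ne 1 ] || ! valid_prefix "$1"; then
      printf 'rejecting allowlist entry: %s\n' "$bp_line" >&2
      return 1
    fi
    bp_out="${bp_out:+$bp_out }$1"
  done < "$bp_file"
  printf '%s\n' "$bp_out"
}

# update_rule FILE: replace the rule's source list with the file contents. DRY_RUN=1 prints the
# command instead of running it (no Azure login needed); the self-check below relies on that.
update_rule() {
  ur_prefixes=$(build_prefix_args "$1") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'az network nsg rule update -g %s --nsg-name %s -n %s --source-address-prefixes %s\n' \
      "$RESOURCE_GROUP" "$NSG_NAME" "$RULE_NAME" "$ur_prefixes"
  else
    # Word splitting of $ur_prefixes is intended: az takes space-separated prefixes.
    az network nsg rule update -g "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" -n "$RULE_NAME" \
      --source-address-prefixes $ur_prefixes
  fi
}

# write_sample_allowlist FILE: a constructed allowlist in the format above (documentation ranges).
write_sample_allowlist() {
  cat > "$1" <<'EOF'
# partner SIP trunk (constructed sample values)
203.0.113.10
198.51.100.0/24   # branch office range

EOF
}

# Usage: sh nsg-allowlist.sh allowlist.txt   (DRY_RUN=1 to only print the az command)
if [ -n "${1:-}" ]; then
  update_rule "$1"
fi
```

Because every change goes through the file, a diff of the allowlist is the change record for the rule, and the same file can be applied to several NSGs by looping over their names. Only IPv4 entries are validated here; an IPv6 allowlist would need its own check.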