25 May 2020

Block port 53 (DNS) in an Azure Network Security Group

At times, you may want to block all outgoing traffic from a VNet in Azure. You configure a Network Security Group (NSG) with a Deny All outgoing policy. Upon testing (because you always test...right?), you find that DNS and the Windows Licensing Key Management Service are still able to traverse the NSG.

What's up with that!?

There's actually a third service, the Azure Instance Metadata Service (IMDS), that can do the same. According to Microsoft:

    Basic infrastructure services like DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose. Effective security rules and effective routes will not include these platform rules.

However, the news is not all bad. The same article states that:

    To override this basic infrastructure communication, you can create a security rule to deny traffic by using the following service tags on your Network Security Group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM

So there you have it, now you can REALLY block all outgoing traffic from your VNet. Oh wait...there still isn't one for DHCP. 🤷‍♂️
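Here is how the three override rules can be created and then checked with the Az PowerShell module. This is an added example, not code from the original post; the resource group, NSG and NIC names, the priority range and the IMDS api-version are assumptions.

```powershell
# Added example, not from the original post. Assumes the Az PowerShell module and an
# existing NSG; resource names, the priority range and the IMDS api-version are placeholders.
$rg  = "rg-example"
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-example"

# One outbound Deny rule per platform service tag. Priorities must be unique; keep the
# Deny rules ahead of any Allow rule in the NSG that would also match this traffic.
$priority = 4000
foreach ($tag in "AzurePlatformDNS", "AzurePlatformIMDS", "AzurePlatformLKM") {
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name "DenyOutbound-$tag" -Description "Override Azure platform rule for $tag" `
        -Direction Outbound -Access Deny -Priority $priority -Protocol "*" `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix $tag -DestinationPortRange "*"
    $priority++
}
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Check 1 (control plane): the new rules appear in the effective rules of a NIC in the
# subnet (the NIC must be attached to a running VM). The implicit platform rules never
# show up here, so not seeing a platform Allow rule is no proof the traffic is blocked;
# seeing the explicit Deny rules is.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName "nic-example" |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq "Outbound" -and $_.Access -eq "Deny" } |
    Select-Object Name, Priority, DestinationAddressPrefix

# Check 2 (data plane, run inside a VM in the subnet): the two host addresses quoted
# above should now be unreachable for DNS and IMDS, so both of these should fail.
# Resolve-DnsName -Name microsoft.com -Server 168.63.129.16 -ErrorAction Stop
# Invoke-RestMethod -Uri "http://169.254.169.254/metadata/instance?api-version=2020-06-01" `
#     -Headers @{ Metadata = "true" } -TimeoutSec 5
```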

A word of warning, these services are used to provide key support to your Azure workloads, so proceed with caution.

References

https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
https://docs.microsoft.com/en-gb/azure/virtual-network/security-overview#azure-platform-considerations
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

22 April 2020

Azure IP Address Type Confusion

Azure throws IP addressing terms and mechanisms into a bit of a spin, and it is worth looking closely at the terminology used.

Those of us from a traditional infrastructure background remember two types of IP address allocation in earlier days:

  • Static
  • Dynamic

Static addresses were assigned to a network interface manually, by a server administrator. Dynamic addresses were distributed automatically, using the Dynamic Host Configuration Protocol (DHCP). There was actually a third, middle ground, called reservations. Reservations effectively ensured DHCP issued the same address to the same network interface every time, making it a dynamically configured static address of sorts.

Azure throws this into a bit of a spin for some techs: the terminology looks familiar, but the terms can mean something different from what one might otherwise assume, so it is worth looking at them more closely.

So how does it work then?

At the OS level, Microsoft recommends that, except under very special circumstances, all network interfaces be set to use DHCP, so from the get-go, everything is dynamic to some degree.

At the Azure level, the terms private and public are applied, along with the terms static and dynamic.

Private IPs fall within the standard ranges reserved for private use:

  • 192.168.0.0 - 192.168.255.255 (65,536 IP addresses)
  • 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
  • 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)

Public IPs are basically any address outside of those ranges. There are a few other reserved addresses, but we're not going to talk about those today.

In Azure, both private and public IPs can be either static or dynamic. However, the meanings of static and dynamic are not consistent between private and public addresses.

Sum It Up

Here is the low down on how each configuration works within Azure:

Private IP
Static:

  • You select exactly which IP in the range you want.
  • Will it change? No. It is only released when the NIC it is assigned to is deleted.
  • In the OS, the NIC's IP address is set to DHCP.

Dynamic:

  • You let Azure select which IP in the range you get.
  • Will it change? No. It is only released when the NIC it is assigned to is deleted.
  • In the OS, the NIC's IP address is set to DHCP.

Public IP
Static:

  • You get whatever Azure allocates to you.
  • Will it change? No. It is only released when the Public IP Address resource it belongs to is deleted.
  • In the OS, the NIC never sees this address. Azure uses NAT to deliver traffic to the NIC's private IP address instead.

Dynamic:

  • You get whatever Azure allocates to you.
  • Will it change? Yes, potentially, but I don't remember the scenarios. I need to find out and edit this article.
  • In the OS, the NIC never sees this address. Azure uses NAT to deliver traffic to the NIC's private IP address instead.
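The four configurations above, created and then read back with the Az PowerShell module so the allocation method Azure records can be compared with what the guest OS sees. This is an added example, not code from the original post; the resource group, region, VNet and NIC names and the 10.0.0.10 address are assumptions.

```powershell
# Added example, not from the original post. Assumes the Az PowerShell module and an
# existing resource group, VNet and subnet; all names and addresses are placeholders.
$rg       = "rg-example"
$location = "westeurope"
$subnet   = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-example").Subnets[0]

# Public IPs: Azure picks the address in both cases. Static keeps it for the life of the
# Public IP Address resource; Dynamic (Basic SKU) may hand out a different one.
$pipStatic  = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
    -Name "pip-static" -AllocationMethod Static -Sku Basic
$pipDynamic = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
    -Name "pip-dynamic" -AllocationMethod Dynamic -Sku Basic

# Private IP, static: you name the exact address inside the subnet range.
$cfgStatic  = New-AzNetworkInterfaceIpConfig -Name "ipconfig1" -Subnet $subnet `
    -PrivateIpAddress "10.0.0.10" -PublicIpAddress $pipStatic
# Private IP, dynamic: leave out -PrivateIpAddress and Azure chooses one. It is still
# kept until the NIC is deleted.
$cfgDynamic = New-AzNetworkInterfaceIpConfig -Name "ipconfig1" -Subnet $subnet `
    -PublicIpAddress $pipDynamic

$nicStatic  = New-AzNetworkInterface -ResourceGroupName $rg -Location $location `
    -Name "nic-static" -IpConfiguration $cfgStatic
$nicDynamic = New-AzNetworkInterface -ResourceGroupName $rg -Location $location `
    -Name "nic-dynamic" -IpConfiguration $cfgDynamic

# Read back what Azure recorded for each NIC: allocation method and address, private
# and public. A dynamic public IP has no address until its VM is started.
foreach ($nic in $nicStatic, $nicDynamic) {
    $cfg = $nic.IpConfigurations[0]
    $pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name ($cfg.PublicIpAddress.Id.Split('/')[-1])
    [pscustomobject]@{
        Nic            = $nic.Name
        PrivateMethod  = $cfg.PrivateIpAllocationMethod
        PrivateAddress = $cfg.PrivateIpAddress
        PublicMethod   = $pip.PublicIpAllocationMethod
        PublicAddress  = $pip.IpAddress
    }
}

# Inside the guest OS (run on the VM itself): the NIC reports DHCP in every case, and
# the public address never appears, because Azure NATs it to the private address.
# Get-NetIPInterface -AddressFamily IPv4 | Select-Object InterfaceAlias, Dhcp
# Get-NetIPAddress   -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress
```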

Conclusion

So there you have it. Azure has four main types of IP address, split between public and private, and static and dynamic. Understanding the difference is important to ensure you get the result you want and don't waste time on tasks you don't need to do. Now what happens if you want to assign multiple IP addresses to a single NIC? That's a question for another post.