Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Azure Instance: Why are NSG enforced?

    Scheduled Pinned Locked Moved
    Virtualization
    1
    1
    278
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Morlock
      last edited by

      Hi,

      Some time ago, I needed cloud-hosted pfSense instances that terminate IPsec VPN and tried the Netgate image on Azure.
      However, this image forces you to create a VM with a an "Advanced" setting for the network security group (whereas "None" and "Basic" would be available).
      If you follow this process and try to expose the IPsec VPN on your pfSense, you will notice that this is not possible, because the NSG allows to pass through TCP, UDP or "*" (TCP, UDP and ICMP), but no ESP. I took this as an Azure limitation and moved to AWS with the project.

      Now I was involved in planning an Azure infrastructrue with a different firewall appliance (Fortigate). I claimed we couldn't do that because we couldn't put the required IPsec VPN on the firewall. It turned out that our consultants have been running this setup with IPsec VPN for years, and the reason apparently is, that the Fortigate image does not have a NSG in front of it.

      Why is Netgate enforcing this setting? It is a real dealbreaker for many use cases.

      Thanks,
      M

      1 Reply Last reply Reply Quote 0
      • First post
        Last post