Azure Virtual Machine has no public IP yet can access the internet


It uses NAT to connect to the outside world, the same as most home PCs do. If you look at your own PC, you will most likely find that it also uses a private address. Basically, the router forwards the connection to the destination; to the target host, the connection seems to originate from the router.

This usually works well. What is difficult is the other way, if you want outside hosts to connect to the host that doesn't have a public address.

Author: Callum Linington

I'm a professional software developer, C#, .NET stack and Web Development. I love rugby, play rugby, breathe rugby. Music lover, Gym lover/hater.

Updated on September 18, 2022

Comments

  • Callum Linington
    Callum Linington almost 2 years

    I have a Virtual Machine which is connected to a Virtual Network. The Virtual Network has 2 attached devices, a Virtual Network Gateway and a Network Interface.

    Only the Virtual Network Gateway has a Public IP address (apparently used so Point-to-Site can access it).

    The Virtual Network has two subnets, a Gateway Subnet so I can VPN to it and an "Internal Subnet" used to connect Azure resources to each other internally.

    So the configuration for the Virtual Machine shows no Public IP address, but it does show the Virtual Network it is connected to.

    So how come my Virtual Machine can still connect to the outside world?

    If I do an ifconfig it shows:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.4  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::222:48ff:fe07:e7da  prefixlen 64  scopeid 0x20<link>
        ether 00:22:48:07:e7:da  txqueuelen 1000  (Ethernet)
        RX packets 47292  bytes 58161743 (58.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14277  bytes 2886277 (2.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    So clearly it shows it is connected to my subnet in the Virtual Network via the Network Interface which has no Public IP.

    I wonder because, when I set up the Network Security Group, I allow port 22 so I can SSH through my VPN, and the NSG says this is exposed to the outside world. Is it the NSG that is still allowing the internet in, or the fact that I've allowed port 80 on the NSG? If so, do I even need an NSG to open these ports if I'm connecting through the Virtual Network Gateway?

    How do I only expose port 22 to my internal subnets (a.k.a my Virtual Network Gateway) and not the outside world?

    • Admin
      Admin almost 6 years
      A connection can be established from any host on the Internet to your VM, or a connection can be established from your VM to some host on the Internet?
    • Admin
      Admin almost 6 years
      If you run: ip r s | grep default you'll see the route your server is using to access the internet.
    • Admin
      Admin almost 6 years
      You don't need a Public IP Address to have internet on your VM. Public IP is for inbound traffic only, not outbound. Outbound traffic is NATed to your VM. If you want to block internet outbound access, you have to change the NSG. By default, outbound to internet is enabled.
    • Admin
      Admin almost 6 years
      Ahh makes a lot of sense!
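
The NSG behaviour discussed in the comments above, modelled as an added example (not code from the thread or from Azure): a simplified evaluator for the default rules every NSG carries, showing why outbound internet works without a public IP and how the source of a port 22 rule changes what it matches. The VPN client pool, the sample addresses and the two custom rule names are constructed, and treating the client pool as part of the VirtualNetwork tag is an assumption.

```python
import ipaddress
from collections import namedtuple

# Simplified model of NSG evaluation: lowest priority number first, first match wins.
Rule = namedtuple("Rule", "name priority direction access source dest port")

# 192.168.10.0/24 is the subnet from the ifconfig output; 172.16.201.0/24 is a
# constructed VPN client pool, assumed to be covered by the VirtualNetwork tag.
VNET = [ipaddress.ip_network(p) for p in ("192.168.10.0/24", "172.16.201.0/24")]
LB_PROBE = "168.63.129.16"  # Azure platform address behind the AzureLoadBalancer tag

# Default rules Azure adds to every NSG.
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]
# Hypothetical custom rules: SSH open to any source vs. scoped to the virtual network.
SSH_ANY = Rule("AllowSshAny", 100, "Inbound", "Allow", "*", "*", "22")
SSH_VNET = Rule("AllowSshVnet", 100, "Inbound", "Allow", "VirtualNetwork", "*", "22")

def tag_matches(tag, ip):
    in_vnet = any(ipaddress.ip_address(ip) in net for net in VNET)
    if tag == "*":
        return True
    if tag == "VirtualNetwork":
        return in_vnet
    if tag == "AzureLoadBalancer":
        return ip == LB_PROBE
    if tag == "Internet":  # simplification: everything outside the VNet
        return not in_vnet and ip != LB_PROBE
    return ipaddress.ip_address(ip) in ipaddress.ip_network(tag)

def evaluate(rules, direction, src, dst, port):
    """Return (access, rule name) for one flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and tag_matches(r.source, src)
                and tag_matches(r.dest, dst) and r.port in ("*", str(port))):
            return r.access, r.name
    return "Deny", "no matching rule"

if __name__ == "__main__":
    vm, vpn, web = "192.168.10.4", "172.16.201.5", "203.0.113.9"  # constructed flows
    print(evaluate(DEFAULTS, "Outbound", vm, web, 443))
    print(evaluate(DEFAULTS, "Inbound", vpn, vm, 22))
    print(evaluate(DEFAULTS + [SSH_ANY], "Inbound", web, vm, 22))
    print(evaluate(DEFAULTS + [SSH_VNET], "Inbound", web, vm, 22))
```

In this model the any-source rule is the only thing that lets an internet address match on port 22; with the source set to VirtualNetwork the same flow falls through to DenyAllInBound while the VPN client is still allowed.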