
Access URL via Azure VPN

Mihiran Priyankara 40 Reputation points
2026-04-13T14:11:50.7866667+00:00

I have an application running on an Azure Linux VM with a public IP and DNS (cfgea.xxx.cloudapp.azure.com). I need to access this URL only through an Azure VPN connection, and it should not be accessible publicly without the VPN.
VM private IP: 10.xx.5
VPN gateway IP: 192.xx.0./24
What is the best NSG rule?



3 answers

  1. Praveen Bandaru 11,555 Reputation points Microsoft External Staff Moderator
    2026-04-17T04:13:29.96+00:00

    Hello Mihiran Priyankara

    We understand that you want the application hosted on the Azure Linux Virtual Machine (cfgea.xxx.cloudapp.azure.com) to be accessible only when users connect through an Azure VPN, and not directly from the public internet.

    To achieve this, we suggest configuring Network Security Group (NSG) rules to restrict inbound traffic to the Virtual Machine. The NSG should allow access only from the VPN client address pool (such as 192.xx.0.0/24), which is assigned to users once they connect to the VPN.

    Create an inbound NSG rule with the lowest priority. In the source section, add your VPN client address range (192.x.0.0/24). Set the source port to *, and for the destination, specify your VM's private IP. If you want the VPN address range to access all resources in the VNet, set the destination to Any. Choose TCP as the protocol and set the destination port according to your requirements.

    With these settings, only users connected through the Azure VPN will be able to access the application, while direct access from the public internet will be blocked. For additional security, you could also remove the public IP address from the Virtual Machine and use its private IP address over the VPN connection, which would prevent any public exposure of the application.

    Check the below document for more understanding:
    Azure network security groups overview

    https://learn.microsoft.com/en-us/archive/blogs/igorpag/azure-network-security-groups-nsg-best-practices-and-lessons-learned

    Create, change, or delete a network security group


    I hope the above answer helps you! Please let us know if you have any further questions.

    Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.


  2. Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator
    2026-04-13T17:04:12.7966667+00:00

    Hi @ Mihiran Priyankara,

    Welcome to Microsoft Q&A Platform.

    It sounds like you want to lock down your Linux VM so that only clients coming in over your Azure VPN (192.xx.0/24) can hit its public DNS/IP, and block everyone else. You can do this entirely with an NSG on the VM’s NIC or subnet. Here’s a straightforward approach:

    Associate an NSG with your VM’s network interface (or the subnet containing it).

    In that NSG, create two inbound rules for your application ports (for example, TCP 80/443 or whatever your app listens on):

    • Priority 100 – Allow – Source: 192.x.0.0/24 (your VPN client address pool) – Source port: * – Destination: Any (or the VM’s private IP 10.10.1.5) – Destination port: the ports your app uses (e.g. 80,443) – Protocol: TCP
    • Priority 200 – Deny – Source: Any – Source port: * – Destination: Any (or 10.x.1.5) – Destination port: same app ports (80,443) – Protocol: TCP
    • (Optional) If you need SSH over the VPN, repeat the same pattern for port 22: allow from 192.168.0.0/24 then deny from Any.
    • With this config, the VM technically still has a public IP, but the NSG will silently drop any traffic that isn’t coming from your VPN address pool.

    Reference docs:

    Please “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  3. Q&A Assist
    2026-04-13T14:12:04.85+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To restrict access to the VM so that it’s reachable only over Azure VPN, traffic must come from the VPN address space and not from the public internet. The NSG should therefore allow only the VPN subnet as source and deny all other inbound traffic.

    Example NSG approach (inbound rules on the VM subnet or NIC):

    1. Allow VPN subnet to VM (SSH/web/etc.)
      • Priority: 100 (or other low number)
      • Direction: Inbound
      • Protocol: Tcp
      • Source: IP Addresses
      • Source address prefix: 192.168.0.0/24 (VPN client subnet)
      • Source port ranges: *
      • Destination: Any or the VM’s subnet
      • Destination port ranges: the ports the app needs (for example 22, 80, 443)
      • Access: Allow
    2. Deny all other inbound traffic
      • Priority: higher than the allow rules (for example 300)
      • Direction: Inbound
      • Protocol: Tcp (or Any if all protocols must be blocked)
      • Source: *
      • Source port ranges: *
      • Destination: *
      • Destination port ranges: *
      • Access: Deny

    This pattern matches the documented example where specific allowed traffic is permitted first, and then a deny-all rule blocks everything else while still allowing the required flows:

    • Allow from a specific subnet (here, the VPN subnet) to the VM ports.
    • Then use a lower-priority deny-all rule to block all other inbound traffic.

    Also ensure:

    • The NSG is associated with the VM’s subnet or NIC so the rules apply.
    • Public access to the app is effectively blocked by these NSG rules, even though the VM has a public IP.

    References:
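A way to sanity-check the allow-then-deny rule set from the answers above before applying it: an added Python model of how Azure evaluates inbound NSG rules (not code from the thread or from Azure's own tooling), including the built-in default rules that sit beneath any custom rule. Assumed values: a VNet address space of 10.10.0.0/16, the VPN client pool 192.168.0.0/24 and the VM private IP 10.10.1.5 used in the answers, and a simplified VirtualNetwork tag that does not include the VPN pool.

```python
import ipaddress

# Constructed stand-ins for Azure service tags (assumed VNet space 10.10.0.0/16;
# 168.63.129.16 is Azure's well-known load-balancer/health-probe address).
TAGS = {"VirtualNetwork": ["10.10.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}
# Azure's built-in inbound default rules; every custom rule (priority 100-4096) sits above them.
DEFAULT_INBOUND = [
    {"priority": 65000, "access": "Allow", "protocol": "*", "src": "VirtualNetwork", "dst": "VirtualNetwork", "dport": "*"},
    {"priority": 65001, "access": "Allow", "protocol": "*", "src": "AzureLoadBalancer", "dst": "*", "dport": "*"},
    {"priority": 65500, "access": "Deny", "protocol": "*", "src": "*", "dst": "*", "dport": "*"},
]

def _match_addr(spec, ip):
    """True if ip is covered by '*'/'Any', a service tag, or a comma-separated list of CIDRs."""
    if spec in ("*", "Any"):
        return True
    if spec == "Internet":  # everything that is not VNet-connected address space
        return not _match_addr("VirtualNetwork", ip)
    prefixes = TAGS.get(spec, spec.split(","))
    return any(ip in ipaddress.ip_network(p.strip(), strict=False) for p in prefixes)

def _match_port(spec, port):
    """Port spec may be '*', '443', '80,443' or a range such as '8000-8080'."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src_ip, dst_ip, dport, protocol="Tcp"):
    """Return the first matching inbound rule: lowest priority number wins and evaluation stops."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (r["protocol"] in ("*", protocol) and _match_addr(r["src"], src)
                and _match_addr(r["dst"], dst) and _match_port(r["dport"], dport)):
            return r  # DenyAllInBound (65500) guarantees a match

# The rule set proposed in the thread (VPN client pool and VM private IP taken from the answers).
VPN_POOL, VM_IP = "192.168.0.0/24", "10.10.1.5"
APP_RULES = [
    {"priority": 100, "access": "Allow", "protocol": "Tcp", "src": VPN_POOL, "dst": VM_IP, "dport": "80,443"},
    {"priority": 200, "access": "Deny", "protocol": "Tcp", "src": "*", "dst": VM_IP, "dport": "80,443"},
]

def is_allowed(rules, src_ip, dport, protocol="Tcp"):
    """Would a packet from src_ip to the VM on dport reach it under these rules?"""
    return evaluate(rules, src_ip, VM_IP, dport, protocol)["access"] == "Allow"
```

Because the explicit deny at priority 200 sits above the default AllowVnetInBound rule, it also blocks other VNet hosts from reaching 80/443, and SSH from the VPN pool still needs its own allow rule, as the second answer notes. Swapping the two priorities (deny at 100, allow at 200) blocks the VPN clients too, since the first match ends evaluation.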
