Hi all,
We've been happily running a vMX (M) appliance in Azure for the last 3 months to extend our multi-site MX AutoVPN infra into the cloud - in Passthrough/VPN Concentrator mode.
Although I'm aware it's a grey area (and/or possibly not supported!) - I was looking at deploying an NSG to the SD-WAN subnet to at least block common mgmt ports (22, 3389) and port 80 etc - mainly to satisfy our compliance and security tooling.
As soon as I associated an NSG to the subnet (even prior to defining any inbound/outbound deny rules...) - I lost connectivity to/from on-premises networks - unable to even ping the internal IP of the vMX or any resources in the hub and spoke.
Is this a known issue? Again, I'm aware that an NSG is probably not required given the nature of the VM/appliance - but then I'm also aware that people from these forums HAVE been able to apply an NSG successfully with a deny-all rule - allowing only the necessary ports inbound (443 TCP, 500 UDP, 4500 UDP, 9350-9381 UDP and 32768-61000 UDP) for IPsec, AutoVPN traffic etc. Have people applied an NSG at the subnet, or the NIC...?
I've enabled VNet flow logs on the SD-WAN subnet to see if I can work out exactly what the traffic looks like flowing through the vMX - but it might take a few days to gather enough data.
Thanks.
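For reference, the rule set described in the post (deny-all inbound, with only the AutoVPN/IPsec ports allowed) written out as an Azure NSG. This is an added example, not code from the original post, from Cisco Meraki or from Microsoft. The resource name, location parameter and rule names are assumptions; the allowed port list (443 TCP, 500/4500 UDP, 9350-9381 UDP, 32768-61000 UDP) is the one given in the post. One point worth checking in a passthrough/concentrator design is that traffic from spokes replying to on-prem prefixes is routed back through the vMX NIC and is therefore evaluated as inbound at the NSG; the `AllowVnetForwardedIn` rule below keeps that path open ahead of the explicit deny-all, on the assumption that the on-prem prefixes are reachable via user-defined routes (which the `VirtualNetwork` service tag covers).

```bicep
// Added example (not from the original post, Cisco Meraki or Microsoft).
// NSG for the SD-WAN subnet hosting a vMX in passthrough/VPN concentrator mode.
// Assumed: resource name 'nsg-sdwan-vmx'; the port list is the one from the post.
param location string = resourceGroup().location

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-sdwan-vmx'
  location: location
  properties: {
    securityRules: [
      {
        // Explicit deny for the management ports the compliance tooling flags,
        // so scanners see a named rule rather than relying on the deny-all below.
        name: 'DenyMgmtFromInternet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '80', '3389' ]
        }
      }
      {
        // AutoVPN / dashboard TCP port listed in the post.
        name: 'AllowVpnTcpIn'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // IPsec (IKE/NAT-T) and AutoVPN UDP ranges listed in the post.
        name: 'AllowVpnUdpIn'
        properties: {
          priority: 210
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Udp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '500', '4500', '9350-9381', '32768-61000' ]
        }
      }
      {
        // Forwarded traffic: spoke -> on-prem replies are routed (via UDR) back
        // through the vMX NIC and hit this NSG as INBOUND. The VirtualNetwork tag
        // covers the VNet, peered VNets and prefixes from user-defined routes.
        // Assumption: on-prem prefixes are published to the spokes via UDRs.
        name: 'AllowVnetForwardedIn'
        properties: {
          priority: 300
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Explicit deny-all inbound ahead of Azure's own default rules
        // (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001,
        // DenyAllInBound 65500), which remain present and are evaluated after these.
        name: 'DenyAllOtherIn'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

output nsgId string = nsg.id
```

Deploy with `az deployment group create -g <rg> -f nsg-sdwan-vmx.bicep`, then attach it to the subnet with `az network vnet subnet update -g <rg> --vnet-name <vnet> -n <subnet> --network-security-group nsg-sdwan-vmx` (placeholders in angle brackets). Associating at the subnet applies the rules to every NIC in that subnet, and if a NIC-level NSG is also present both are evaluated (subnet first for inbound, NIC first for outbound), so a deny in either one is enough to drop a flow; the VNet flow logs mentioned in the post will show which rule matched each denied flow.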