Azure VM guest OS firewall is misconfigured
This article describes how to fix a misconfigured guest operating system firewall on an Azure VM.
Symptoms
The virtual machine (VM) Welcome screen shows that the VM is fully loaded.
Depending on how the guest operating system is configured, there could be some or no network traffic reaching the VM.
Cause
A misconfiguration of the guest system firewall can block some or all kinds of network traffic to the VM.
Solution
Before you follow these steps, take a snapshot of the system disk of the affected VM as a backup. For more information, see Snapshot a disk.
To troubleshoot this issue, use the Serial Console or repair the VM offline by attaching the system disk of the VM to a recovery VM.
Online mitigations
Connect to the Serial Console, and then open a PowerShell instance. If the Serial Console is not enabled on the VM, go to the "Repair the VM Offline" section of the following Azure article:
An internal error occurs when you try to connect to an Azure VM through Remote Desktop
The following rules can be edited to either enable access to the VM (through RDP) or to provide an easier troubleshooting experience:
Remote Desktop (TCP-In): This is the standard rule that provides primary access to the VM by allowing RDP in Azure.
Windows Remote Management (HTTP-In): This rule enables you to connect to the VM by using PowerShell. In Azure, this kind of access lets you use remote scripting for troubleshooting.
File and Printer Sharing (SMB-In): This rule enables network share access as a troubleshooting option.
File and Printer Sharing (Echo Request - ICMPv4-In): This rule enables you to ping the VM.
In the PowerShell instance that you opened from the Serial Console, you can query the current status of a firewall rule.
Query by using the Display Name as a parameter:
netsh advfirewall firewall show rule dir=in name=all | select-string -pattern "(DisplayName.*<FIREWALL RULE NAME>)" -context 9,4 | more
Query by using the Local Port that the application uses:
netsh advfirewall firewall show rule dir=in name=all | select-string -pattern "(LocalPort.*<APPLICATION PORT>)" -context 9,4 | more
Query by using the Local IP address that the application uses:
netsh advfirewall firewall show rule dir=in name=all | select-string -pattern "(LocalIP.*<CUSTOM IP>)" -context 9,4 | more
If you see that the rule is disabled, you can enable it by running the following command:
netsh advfirewall firewall set rule name="<RULE NAME>" new enable=yes
For troubleshooting, you can turn the firewall profiles OFF:
netsh advfirewall set allprofiles state off
If you do this, re-enable the firewall after you finish troubleshooting and have configured the rules correctly.
Note
You don't have to restart the VM to apply this change.
Try again to connect to the VM through RDP.
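The checks above combined into one script, as an added example that is not part of the original article: it audits the four rules listed earlier with the same netsh commands, re-enables only the disabled ones when run with -Enable, and prints the profile state so that a temporary "off" is not forgotten. It assumes English netsh output and the rule display names the article uses (names can differ between Windows versions).

```powershell
# Added example, not Microsoft's own tooling. Run it in the PowerShell instance
# opened from the Serial Console. Assumes English netsh output.
param([switch]$Enable)

# The four rules the article names for access and troubleshooting.
$rules = @(
    'Remote Desktop (TCP-In)',
    'Windows Remote Management (HTTP-In)',
    'File and Printer Sharing (SMB-In)',
    'File and Printer Sharing (Echo Request - ICMPv4-In)'
)

# netsh prints one block per rule and profile; each block carries its own
# "Enabled:" line, so a rule counts as enabled if any block says Yes.
function Get-RuleState([string]$name) {
    $out = netsh advfirewall firewall show rule name="$name" dir=in
    if ($LASTEXITCODE -ne 0 -or (($out -join "`n") -match 'No rules match')) {
        return 'missing'
    }
    $enabled = @($out |
        Select-String -Pattern '^Enabled:\s+(\w+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
    if ($enabled -contains 'Yes') { return 'enabled' }
    return 'disabled'
}

foreach ($r in $rules) {
    $state = Get-RuleState $r
    Write-Host ("{0,-55} {1}" -f $r, $state)
    if ($state -eq 'disabled' -and $Enable) {
        # Same command the article uses to re-enable a single rule.
        netsh advfirewall firewall set rule name="$r" new enable=yes | Out-Null
        Write-Host '  -> enabled'
    }
}

# "State OFF" for a profile means the firewall is disabled for that profile,
# which the article treats as a temporary troubleshooting setting only.
netsh advfirewall show allprofiles state
```

Run without -Enable first to see which rules are disabled; no change is made until you pass -Enable.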
Offline Mitigations
To enable or disable firewall rules, refer to Enable or disable a firewall rule on an Azure VM Guest OS.
Check whether your situation matches the Guest OS firewall blocking inbound traffic scenario.
If you are still in doubt about whether the firewall is blocking your access, refer to Disable the guest OS Firewall in Azure VM, and then re-enable the guest system firewall by using the correct rules.
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.