Azure – Error when adding new rule on NSG


Hello everyone!

It’s been a while since I wrote something, but I was so busy with other things (University) and I wasn’t able to allocate time to write anything.

Today I’m going to talk about an issue I found on Azure when trying to add new rules to some NSGs.

To create rules in Azure I used this script from TechNet Gallery: https://gallery.technet.microsoft.com/scriptcenter/Create-Azure-Network-5f5c5332

Problem

I was trying to add some rules in an NSG with the address 193.23.120.230/30 and, when I executed the code, the output was:

Set-AzureRmNetworkSecurityGroup : Security rule has invalid Address prefix. Value provided: 193.23.120.230/30.
StatusCode: 400
ReasonPhrase: Bad Request
OperationID : ‘b2f7-b2f7-b2f7’
At line:4 char:55
+ … efix 193.23.120.230/30 -SourcePortRange * | Set-AzureRmNetworkSecurityGroup
+                                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [Set-AzureRmNetworkSecurityGroup], NetworkCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.SetAzureNetworkSecurityGroupCommand

I tried again and again, and this only happened in certain NSGs. I thought there was a problem with the command line, so I tried the same with the GUI and… the same.

Solution

Investigating the error, it didn’t match any of the new rules I was trying to add. The address 193.23.120.230/30 seems correct, but if we use a subnet calculator, you will see this:

The right address is obtained by clearing all the ones after the netmask, because whatever comes after the netmask bits is not part of the network prefix.

This means that the new address is 193.23.120.228/30 because we put zeros instead of ones after the netmask bits.

So, it seems to be a CIDR error! It seems that Azure let me add these rules in the past, but now it’s not accepting them, so if we change the address the way the subnet calculator does, problem resolved!

Solution? I had to delete the non-compliant CIDR rules and add the new, CIDR-compliant ones. I executed the same in other NSGs and it worked like a charm.
All rules are finally shown in Azure Panel:

Well, it seems that Azure didn’t comply with CIDR addresses in the past and now it’s mandatory if it finds any non-compliant CIDR rule. An easy mistake that we can avoid by checking our addresses before we try to add them to Azure.
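
One way to do that check before calling Set-AzureRmNetworkSecurityGroup, as an added example (not part of the TechNet script): the function name Get-CanonicalCidr and the sample list are hypothetical, and only the first prefix comes from the error above. It clears the host bits octet by octet and reports whether each IPv4 prefix was already in canonical form.

```powershell
function Get-CanonicalCidr {
    param([Parameter(Mandatory)][string]$Prefix)

    # NSG prefixes can also be '*' or a tag; only a.b.c.d/n values are checked here.
    if ($Prefix -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') {
        return [pscustomobject]@{ Input = $Prefix; Canonical = $null; IsCanonical = $null }
    }
    $ipText = $Matches[1]
    $len    = [int]$Matches[2]

    $ip = $null
    if ($len -gt 32 -or -not [System.Net.IPAddress]::TryParse($ipText, [ref]$ip)) {
        throw "Invalid IPv4 CIDR: $Prefix"
    }

    # Walk the four octets and keep only the bits covered by the prefix length.
    $octets  = $ip.GetAddressBytes()
    $network = for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $len - 8 * $i))   # prefix bits in this octet
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF              # e.g. 6 bits -> 252
        $octets[$i] -band $mask
    }
    $networkText = $network -join '.'

    [pscustomobject]@{
        Input       = $Prefix
        Canonical   = '{0}/{1}' -f $networkText, $len
        IsCanonical = ($ip.ToString() -eq $networkText)          # false when host bits were set
    }
}

# Constructed sample list; the first value is the prefix from the error message above.
$prefixes = '193.23.120.230/30', '193.23.120.228/30', '10.0.0.0/8', '*'
$prefixes | ForEach-Object { Get-CanonicalCidr -Prefix $_ } | Format-Table -AutoSize
```

Any row where IsCanonical is False should be replaced by the value in the Canonical column before the rule is added.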

And that’s all, Happy New Year!
