Load Balancer should drop all packets for ports not configured
Load Balancer should drop all packets for ports not configured before they get to my NSGs. See REG: 119012221000062 for additional information. Basically, the Azure LB installed as part of the Azure AD service is configured for port 443. But my NSG flow logs show packets arriving on a port other than 443 and, incidentally, with the destination being the public IP associated with the LB. My initial complaint was why I see such a public IP address, and I was told this is unavoidable because SNAT is enabled on this LB. I have no control over this LB, as it was provided by Azure as part of the Azure AD service, but regardless of the config, I should not be seeing any ports in my flow logs other than the one(s) configured in the LB Inbound NAT rules. All others should be dropped (by the LB) before they can get to my NSG. Otherwise it begs the question of what is happening to all such packets not configured for the LB?
Thank you for the feedback. As per the information provided (accurately) in the support case, the packet does not reach your VM but does show up in NSG flow logs as dropped. This is by design and a result of Load Balancer being a pass-through network load balancer, particularly when SNAT ports are open. What you are observing is not packets reaching the virtual machine.
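The response above says the stray flows should appear in the NSG flow logs as dropped, not allowed. That is a claim a practitioner can verify from the logs themselves. The script below is an added example, not code from the original thread or from Azure: it parses NSG flow log records in the version 2 layout (records[].properties.flows[].flows[].flowTuples, each tuple a comma-separated string of timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state, then packet and byte counters), picks out inbound flows whose destination is the load balancer frontend IP on a port the LB has no rule for, and reports whether any of them were allowed rather than dropped. The frontend IP 198.51.100.7, the configured port set {443}, the rule names and the log content are all constructed for the example.

```python
"""Triage NSG flow-log records for traffic aimed at a load balancer frontend.

Added example (not the thread's or Azure's code). Assumes the NSG flow log
version 2 record layout; each flow tuple is a comma-separated string:
  ts,srcIp,dstIp,srcPort,dstPort,proto(T|U),direction(I|O),
  decision(A|D),state(B|C|E),pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
The trailing counters may be empty for a flow in the begin ("B") state.
"""
import json
from collections import Counter

# Constructed sample log: one record, two NSG rules, four flow tuples.
# 198.51.100.7 stands in for the LB frontend IP; 10.0.0.4 for a VM NIC.
SAMPLE_LOG = json.dumps({
    "records": [{
        "time": "2019-01-22T10:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_allow-https",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1548151200,203.0.113.10,198.51.100.7,51022,443,T,I,A,B,,,,",
                     "1548151230,198.51.100.20,10.0.0.4,55000,443,T,I,A,B,,,,",
                 ]}]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1548151205,203.0.113.44,198.51.100.7,40111,22,T,I,D,B,,,,",
                     "1548151206,203.0.113.44,198.51.100.7,40112,3389,T,I,D,B,,,,",
                 ]}]},
            ],
        },
    }]
})

TUPLE_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port",
                "proto", "direction", "decision", "state")


def iter_tuples(log_text):
    """Yield (nsg_rule_name, parsed_tuple) for every flow tuple in the log."""
    for record in json.loads(log_text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for raw in flow["flowTuples"]:
                    parts = raw.split(",")
                    parsed = dict(zip(TUPLE_FIELDS, parts[:9]))
                    parsed["src_port"] = int(parsed["src_port"])
                    parsed["dst_port"] = int(parsed["dst_port"])
                    yield rule_block["rule"], parsed


def unconfigured_lb_flows(log_text, lb_frontend_ip, configured_ports):
    """Inbound flows to the LB frontend IP on ports the LB has no rule for."""
    return [
        (rule, t) for rule, t in iter_tuples(log_text)
        if t["direction"] == "I"
        and t["dst_ip"] == lb_frontend_ip
        and t["dst_port"] not in configured_ports
    ]


def summarize(flows):
    """Count flows by (destination port, NSG decision)."""
    return Counter((t["dst_port"], t["decision"]) for _, t in flows)


def allowed_unconfigured(flows):
    """The flows that would actually matter: unconfigured ports the NSG allowed."""
    return [(rule, t) for rule, t in flows if t["decision"] == "A"]


if __name__ == "__main__":
    stray = unconfigured_lb_flows(SAMPLE_LOG, "198.51.100.7", {443})
    print("flows to LB frontend on unconfigured ports:", dict(summarize(stray)))
    print("of which allowed by the NSG:", allowed_unconfigured(stray))
```

On the constructed sample every stray flow is tagged "D" under the default inbound deny rule, which is the situation the response describes. A non-empty result from allowed_unconfigured would mean an NSG rule is admitting traffic on a port the LB does not front, and that rule, not the LB, is what to tighten.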