555 votes · 37 comments · Networking » Security (ACLs, Firewalls, Intrusion Detection) · Admin → under review

Admin · Azure IaaS Engineering Team (Microsoft Azure) responded:
We are always looking at enhancing the network functionality.

Darren commented:
This is possible - in the Inbound Rules for the Network Security Group, create duplicates of the default rules for azure firewalls/networks within the user configurable ID range (e.g. give a duplicate of AllowVnetInbound an ID of 1000, and then a duplicate of AllowAzureLoadBalancerInBound an ID of 1002), and then after those, create a rule to deny TCP with ID of 1003, another rule to deny UDP with ID of 1003, and then a last rule to allow any/any/any with ID 1004. This will block TCP/UDP on any non-specified ports, but ICMP _will_ be allowed as a result of the allow any/any/any rule. Adjust the IDs to suit, but the order is important.
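The rule order described above, as an added example (not from the thread or from Azure's own tooling): a small Python model of first-match NSG evaluation that checks that TCP/UDP on non-listed ports is denied while ICMP still falls through to the final allow-any rule. The rule names, the port 443 allow rule and the distinct priorities 1003/1004/1005 are assumptions, and matching is simplified to protocol, destination port and source tag.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int   # evaluated in ascending order; must be unique per direction in an NSG
    name: str
    protocol: str   # "Tcp", "Udp", "Icmp" or "*" for any
    dst_port: str   # a single port number or "*" for any (port ranges omitted here)
    source: str     # service tag such as "VirtualNetwork" or "AzureLoadBalancer", or "*"
    access: str     # "Allow" or "Deny"


def matches(rule: Rule, protocol: str, dst_port: int, source: str) -> bool:
    """Simplified NSG match on protocol, destination port and source tag only."""
    proto_ok = rule.protocol == "*" or rule.protocol.lower() == protocol.lower()
    port_ok = rule.dst_port == "*" or int(rule.dst_port) == dst_port
    src_ok = rule.source == "*" or rule.source == source
    return proto_ok and port_ok and src_ok


def duplicate_priorities(rules: List[Rule]) -> List[int]:
    """Priorities used more than once; such a rule set cannot be saved as one NSG."""
    seen, dups = set(), []
    for r in rules:
        if r.priority in seen and r.priority not in dups:
            dups.append(r.priority)
        seen.add(r.priority)
    return dups


def evaluate(rules: List[Rule], protocol: str, dst_port: int, source: str) -> Tuple[str, str]:
    """First match in priority order wins; the built-in DenyAllInBound catches the rest."""
    for r in sorted(rules, key=lambda r: r.priority):
        if matches(r, protocol, dst_port, source):
            return r.access, r.name
    return "Deny", "DenyAllInBound"


# Constructed rule set following the comment: explicit allows first, then copies of the
# default Azure rules, then deny TCP, deny UDP, and a final allow-any (priorities assumed).
INBOUND = [
    Rule(100, "AllowHttps", "Tcp", "443", "*", "Allow"),
    Rule(1000, "AllowVnetInBound-copy", "*", "*", "VirtualNetwork", "Allow"),
    Rule(1002, "AllowAzureLoadBalancerInBound-copy", "*", "*", "AzureLoadBalancer", "Allow"),
    Rule(1003, "DenyTcp", "Tcp", "*", "*", "Deny"),
    Rule(1004, "DenyUdp", "Udp", "*", "*", "Deny"),
    Rule(1005, "AllowAnyAny", "*", "*", "*", "Allow"),
]

if __name__ == "__main__":
    assert not duplicate_priorities(INBOUND)
    for proto, port in (("Tcp", 443), ("Tcp", 22), ("Udp", 53), ("Icmp", 0)):
        print(proto, port, "from Internet ->", evaluate(INBOUND, proto, port, "Internet"))
```

Running it shows the ICMP case landing on the final allow-any rule, which is the gap the comment points out; an explicit ICMP deny placed before that rule would close it.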