Block inbound traffic https 80 and udp port 53 to the Public IP of a vMX-S appliance

James Marzan 0 Reputation points
2025-08-15T07:12:19.2033333+00:00

Hi Guys,

We are trying to secure incoming traffic http 80 and udp 53 towards the Public IP of a Meraki vMX-S appliance. We have tried to implement this using an inbound rule in the Meraki Firewall appliance itself, but it is not working. Is there any way that the blocking needs to happen on the Azure side? If yes, could someone please point me in the right direction?

Sincerely,

James


2 answers

  1. Priya ranjan Jena 265 Reputation points Microsoft External Staff Moderator
    2025-08-18T08:05:45.9533333+00:00

    Hi @James Marzan

    Thank you for reaching out on Microsoft Q&A forum.

    To your query: Block inbound traffic https 80 and udp port 53 to the Public IP of a vMX-S appliance.

    Please Check NSG Rules:

    Ensure that the NSG associated with your vMX-S appliance's subnet has inbound rules set to deny traffic on both port 80 (HTTP) and port 53 (UDP).

    Navigate to the NSG in the Azure portal, go to the “Inbound security rules”, and add rules to block these ports if they aren’t already configured.

    Meraki Firewall Rules:

    1. Ensure that your Meraki firewall rules are correctly configured to allow only specified inbound connections. Sometimes firewall rules need to be explicitly set in both Azure and at the device level.

    2. Meraki MX appliances, including vMX-S, use stateful firewalls, which means inbound traffic is only allowed if it’s part of an existing session initiated from inside the network.

    So for blocking unwanted inbound traffic (HTTP/UDP requests from the internet), you must ensure that no Port Forwarding or 1:1 NAT rules are unintentionally allowing traffic.

    User Defined Routes:

    1. UDRs can route traffic through a virtual appliance like a firewall.

    2. Ensure that traffic destined for the vMX-S public IP is routed through a firewall that enforces the block.

    IP Forwarding:

    If your vMX-S is acting as a network virtual appliance (NVA), IP forwarding must be enabled on its NIC.

    Network Watcher:

    1. By utilizing Azure Network Watcher, check for allowed and denied inbound connections to see if any NSG rules or other filters are blocking the intended traffic.

    2. Use tools like Test-NetConnection and Azure’s Connection Troubleshoot to simulate traffic and identify where it’s being dropped.

    Azure Firewall:

    1. If you're using Azure Firewall, consider configuring Destination Network Address Translation (DNAT) rules to filter inbound traffic. This can allow you to set specific policies regarding allowed or denied traffic.

    2. Azure Firewall policies should include network rules that explicitly block traffic on ports 80 and 53.

    If you find this comment helpful, please “up-vote” for the information provided; this can be beneficial to community members.

    Please let us know if you have any further queries.

    Thanks

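The NSG step in the answer above only blocks traffic if the deny rules are evaluated before any rule that allows the same flow. The following is an added example, not part of the thread and not Azure code: a simplified model of NSG inbound evaluation (lowest priority number first, first match wins, default rules last). The custom rule names, priorities and the broad allow rule are constructed for illustration.

```python
# Added example: simplified model of Azure NSG inbound rule evaluation.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    protocol: str   # "Tcp", "Udp" or "*"
    port: str       # one destination port, or "*"
    access: str     # "Allow" or "Deny"

# Default inbound rules that exist in every NSG.
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def evaluate(custom, source, protocol, port):
    """Return (access, rule_name) of the first rule that matches the flow."""
    for r in sorted(list(custom) + DEFAULTS, key=lambda r: r.priority):
        if (r.source in ("*", source) and r.protocol in ("*", protocol)
                and r.port in ("*", str(port))):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

# Constructed rule sets; names and priorities are hypothetical.
DENIES = [
    Rule("Deny-HTTP-80", 100, "Internet", "Tcp", "80", "Deny"),
    Rule("Deny-DNS-UDP-53", 110, "Internet", "Udp", "53", "Deny"),
]
BROAD_ALLOW = Rule("Allow-Any-Inbound", 200, "*", "*", "*", "Allow")

# Weak: the same deny rules, numbered after the broad allow, never match.
WEAK = [BROAD_ALLOW] + [replace(d, priority=d.priority + 200) for d in DENIES]
# Fixed: the deny rules are numbered before the broad allow.
FIXED = DENIES + [BROAD_ALLOW]

def report(rules):
    """Evaluate three constructed Internet flows against a rule set."""
    flows = [("Internet", "Tcp", 80), ("Internet", "Udp", 53), ("Internet", "Tcp", 53)]
    return {f"{p}/{port}": evaluate(rules, s, p, port) for s, p, port in flows}

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(label, report(rules))
```

In the fixed set, TCP/53 from the Internet is still allowed: the UDP/53 rule is protocol-specific, so DNS over TCP needs its own deny rule if it should also be blocked.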

  2. James Marzan 0 Reputation points
    2025-08-26T00:38:39.0866667+00:00

    Hi Priya ranjan Jena,

    Thank you for your reply and apologies for the late response.

    I checked the NSG configuration, and the associated subnet is the private subnet of the Meraki vMX appliance and not the public subnet. Will this work?

    [Images: NSG, vMX_NIC]

