Confusing explanation for firewall configuration

[ciufudean]

The start of this section https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16#scope-of-ip-address-1686312916 mentions outbound

We recommend that you allow this IP address in any local (in the VM) firewall policies (outbound direction)

but to me the health probes mentioned lower on the page do inbound traffic (from the point of view of the VM)

When the VM is part of a load balancer backend pool, health probe communication should be allowed to originate from 168.63.129.16

Am I right?

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 2763b53f-2a31-cccf-8aaf-f082ebaeaad3
• Version Independent ID: 2cb6ee38-1d54-412f-a91c-a0e60000f3c9
• Content: What is IP address 168.63.129.16?
• Content Source: articles/virtual-network/what-is-ip-address-168-63-129-16.md
• Service: virtual-network
• GitHub Login: @asudbring
• Microsoft Alias: allensu

[PesalaPavan]

@ciufudean
Thanks for your feedback! We will investigate and update as appropriate.

[SaibabaBalapur-MSFT]

@ciufudean
The health probes mentioned on the page are inbound traffic from the point of view of the VM. The health probes originate from the IP address 168.63.129.16 and must not be blocked for probes to mark your instance as up. To see this probe traffic within your backend instance, you can review the Azure Load Balancer FAQ.

The recommendation to allow this IP address in any local (in the VM) firewall policies (outbound direction) is for DNS services. If you want to use DNS services provided by 168.63.129.16, you should allow outbound traffic to 168.63.129.16 ports 53/udp and 53/tcp in the local firewall on the VM.

[SaibabaBalapur-MSFT]

@ciufudean
We are going to close this thread as resolved but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.