Channel: Azure Virtual Machines forum

Title: ACL’ing on endpoint with same Local & Probe Port.

If you have upgraded to the latest Windows Azure PowerShell - June 2013 (0.6.15), you can view the Endpoint ACL'ing support for Virtual Machines. When configuring your ACL on an endpoint, it is possible the ACL may not work properly and all traffic may continue to flow. The scenarios where this can occur are:
 
1) You are applying an ACL on a load balanced endpoint which has the same port number for local port & probe port.
2) You are adding an endpoint (with an ACL) to a load balanced endpoint set where the port number for the probe port and the local port are the same.
3) You are adding a new endpoint (load balanced) to a VM, which has a) the same probe port & local port, and b) an Endpoint ACL configuration.
 
For example, the following configuration for an endpoint would not completely work:
 
LBSetName                : SQLEndpoint-LB
LocalPort                : 1433
Name                     : SQLEndpoint
Port                     : 1433
Protocol                 : tcp
Vip                      : 137.116.141.80
ProbePath                :
ProbePort                : 1433
ProbeProtocol            : tcp
ProbeIntervalInSeconds   : 15
ProbeTimeoutInSeconds    : 31
EnableDirectServerReturn : False
Acl                      : {Rule Description}
 
Workaround
 
With the new Windows Azure PowerShell release, you can use the Set-AzureLoadBalancedEndpoint cmdlet to modify the settings of a load-balanced endpoint. To work around the problem, you can change the probe port of the endpoint as shown in the example below. Note the change in the ProbePort setting from 1433 to 59999.
 
Defining an ACL configuration object
 
PS C:\> $acl = New-AzureAclConfig
 
Setting the ACL rule on the configuration object
 
PS C:\> Set-AzureAclConfig -AddRule -ACL $acl Permit 168.61.69.228/32 1 "Rule Description"
 
Ensure that the LocalPort & ProbePort have different port numbers when the ACL is applied on a load balanced endpoint.
 
PS C:\> Set-AzureLoadBalancedEndpoint -ServiceName MySQlService -LBSetName SQLEndpoint-LB -Protocol TCP -PublicPort 1433 -LocalPort 1433 -ProbeProtocolTCP -ProbePort 59999 -DirectServerReturn 0 -ACL $acl -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31
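
A check for the condition described in the post, as an added example that is not part of the original post: it flags load-balanced endpoints that carry an ACL while LocalPort equals ProbePort. The function name Find-AclProbePortConflict and the sample objects are hypothetical; property names follow the endpoint output shown in the post, and treating Acl as a collection of rules is an assumption.

```powershell
# Added example, not from the original post. Property names follow the endpoint
# output shown above; treating Acl as a collection of rules is an assumption.
function Find-AclProbePortConflict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Endpoint
    )
    process {
        foreach ($ep in $Endpoint) {
            # Only load-balanced endpoints are affected.
            if ([string]::IsNullOrEmpty($ep.LBSetName)) { continue }

            # @($null).Count is 1, so test for $null before counting rules.
            $ruleCount = 0
            if ($null -ne $ep.Acl) { $ruleCount = @($ep.Acl).Count }
            if ($ruleCount -eq 0) { continue }

            # Condition from the post: ACL present and LocalPort equals ProbePort.
            if ([int]$ep.LocalPort -eq [int]$ep.ProbePort) {
                [pscustomobject]@{
                    Name      = $ep.Name
                    LBSetName = $ep.LBSetName
                    LocalPort = $ep.LocalPort
                    ProbePort = $ep.ProbePort
                    AclRules  = $ruleCount
                    Finding   = 'ACL may not be enforced: probe port equals local port'
                }
            }
        }
    }
}

# Constructed sample objects (not real endpoints).
$sample = @(
    [pscustomobject]@{ Name = 'SQLEndpoint'; LBSetName = 'SQLEndpoint-LB'; LocalPort = 1433; ProbePort = 1433;  Acl = @('Rule Description') }
    [pscustomobject]@{ Name = 'SQLFixed';    LBSetName = 'SQLFixed-LB';    LocalPort = 1433; ProbePort = 59999; Acl = @('Rule Description') }
    [pscustomobject]@{ Name = 'WebNoAcl';    LBSetName = 'Web-LB';         LocalPort = 80;   ProbePort = 80;    Acl = @() }
    [pscustomobject]@{ Name = 'RdpSingle';   LBSetName = $null;            LocalPort = 3389; ProbePort = $null; Acl = @('Admin subnet') }
)

# Only SQLEndpoint is reported: load balanced, has an ACL, LocalPort equals ProbePort.
$sample | Find-AclProbePortConflict | Format-Table -AutoSize
```

Against a live cloud service, the same function can take the output of Get-AzureVM -ServiceName <name> | Get-AzureEndpoint in place of the sample objects.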
