This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 61%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMI%3C/text%3E%3C/svg%3E)
All instances are healthy, and diagnostic does not find anything wrong.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 73%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Could you please let me know, how are you trying to connect? Is it Direct SSH to a VMSS instance public IP or through a Load Balancer?
You need to configure your VMSS and its Network Security Group (NSG) to permit inbound SSH (port22) traffic. The NSG may be configured for the VMSS, the individual subnet, or both.
If the VMSS is behind a Load Balancer, check that you have inbound NAT rules mapping a public port on the load balancer to port22 on individual VMSS instances.
Please check: https://ochzhen.com/blog/connect-to-azure-vmss-instances
Michele Ariis has provided additional information to your follow-up question. Did you get a chance to see it. If you have any further queries, let me know. If the information is helpful, please click on Upvote and Accept Answer on it.
I cannot change the security rule because that is managed by the org. I ended up killing the VMSS since nothing was working. Thanks for the help anyway
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 25%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Hi, likely causes, fastest fixes: (1) How are you trying to SSH? A Load Balancer “backend pool” isn’t directly reachable, either use Bastion/private IP from a jump host, or expose SSH via the LB with Inbound NAT (per-instance) or an LB rule (not recommended for SSH). If you expect to hit the LB’s public IP, create an Inbound NAT pool mapping frontend ports (e.g., 50000-50099) → backend 22, attach it to the VMSS NIC config, then connect to ssh azureuser@<LB-PublicIP> -p <assignedPort> (get ports via az vmss list-instance-connection-info -g <rg> -n <vmss>). (2) NSGs/UDRs: With Standard LB the NSG must explicitly allow your client IP to TCP/22 on the VM NIC/subnet (the connection arrives with your real IP, not the service tag), and no UDR should blackhole return traffic. Don’t put a Deny above your allow-22 rule. (3) Public access disabled? If instances have no public IP and you didn’t set a NAT pool, you won’t reach them from the Internet; quickest path is Azure Bastion in the VNet or an internal jumpbox, then SSH to each VM’s private IP (az vmss nic list … to see them). (4) Guest OS firewall/SSH daemon: Ensure sshd is running/listening on 22 and distro firewall allows it (ufw status/firewall-cmd --list-ports); custom images often ship with SSH closed. (5) Auth mismatch: Use the exact username the image expects (e.g., azureuser) and the SSH key you configured for the VMSS; password auth may be disabled. (6) Health probe ≠ SSH: “Healthy” just means your probe port responded; it doesn’t prove 22 is reachable. (7) Quick triage: from a VM in the same VNet ssh <vm-private-ip>; if that works, it’s your edge/NAT/NSG; if not, it’s OS firewall/sshd/username/key. Easiest clean solution: enable Bastion (Standard tier), lock NSGs to deny 22 from Internet, and keep SSH private; if you must use the LB, add an Inbound NAT pool, allow 22 in NSGs from your office IPs, and verify with az vmss list-instance-connection-info.
I already have a nat rule setup (it was setup by default) but still I cannot ssh. I can ping the load balancer
I also have a nsg rule enabling to reach ports 50000-50120 from the scale set
What I see is that internet inbound traffic is blocked by security
I am using the Azure VPU to connect, so unless it is getting my public IP for some reason, this shouldn't be an issue but it's the only thing that looks suspicious to me
your Security admin configuration (Azure Virtual Network Manager) has an inbound Deny “BlockInternetNonProd” rule (prio 5) that blocks all Internet - any ports; security admin rules override NSGs, so your LB NAT SSH is dropped even though the VMSS/NSG look fine. Also your NSG rule that allows 50000-50120 from 34.138.136.118 won’t help—on a Standard LB inbound NAT keeps the client’s public IP, and on the NIC the traffic hits port 22, not 50000+. Fix: (1) In AVNM add a higher-priority Allow (prio <5) for TCP 22 (or a narrow source port range isn’t needed) from your source IP/CIDR to the VMSS subnet/ NICs, or exclude that subnet from the admin config; alternatively remove/disable the “BlockInternetNonProd” rule. (2) In the NSG, allow TCP 22 from your office/VPN egress IPs (not the LB IP); the NAT pool mapping (e.g., 50000-50119 → 22) is correct. (3) Verify mapping and test: az vmss list-instance-connection-info -g <rg> -n <vmss> then ssh azureuser@<LB_PIP> -p <frontendPort>; check effective rules on a VMSS NIC to confirm the admin deny no longer applies. If you’re connected via VPN inside the VNet, skip NAT and SSH to the private IP instead.