There is an issue seen in Hyper-V where Security Groups update does not work correctly. This is not always seen, only sometimes (the behaviour is non-deterministic). Investigation shows that rules are getting created and flushed as expected on the compute node, but we still see traffic flowing for blocked protocols.
Problem Description: There are two Security Groups (SG1 and SG2). SG1 has a rule to allow SSH connections, whereas SG2 does not have any SSH-related rules, which means SSH will be blocked by default. Booting a VM with SG1 rules results in SSH being allowed to the VM, which is perfectly fine. Now we moved the same VM from SG1 to SG2. The expectation is that any new SSH connection will not be allowed to the VM, but sometimes we actually see that SSH is allowed even though SSH rules are not present for the VM. We validated the absence of rules for the VM via a PowerShell command and found that the SSH rules do NOT exist, which means rules are getting flushed, but SSH is still happening, which indicates a Windows issue.
It gives the feeling that the rules were flushed but still exist somewhere in a cache.