Forum Discussion
Azure NSG insecure inbound/Outbound access rules
Hi, you need to define a flow matrix to have a clear view of which service talks to which service through which protocol. Do we need to open port 80 while the service is a DNS? (Example.) You also need to document all your NSGs so people can see clearly what the goal is and don't create a rule on top of that. For groups of servers, create application security groups to facilitate NSG rule management.
You are exposed to some kind of attacks only if you expose endpoints to the public. Sometimes you don't have a choice, but sometimes you don't need services publicly exposed, and in this case make them private.
One exercise you can do is also to evaluate the risks according to the type of workloads and give a status of the remediation using Azure Defender. In fact, many built-in security policies are handled by Azure Defender, formerly Azure Security Center.
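As an added example (not part of the reply above, and not Microsoft's tooling), here is a small audit that puts the reply's two ideas together: a documented flow matrix per application security group, and a check of an NSG's inbound rules against it. It walks NSG rules in the ARM JSON shape you get from `az network nsg show` or `Get-AzNetworkSecurityGroup | ConvertTo-Json`, and flags every inbound Allow rule whose source is the public Internet (`*`, `Internet`, `0.0.0.0/0`, `::/0`) and whose destination ports are not in the flow matrix for the targeted ASG. Rules with no destination ASG are flagged as hitting the whole subnet or NIC. The ASG names, the flow matrix and the sample NSG are constructed for the example.

```python
"""Audit an Azure NSG (ARM JSON shape) for inbound Allow rules that admit
public-Internet traffic on ports the flow matrix does not document.
Example code; the flow matrix, ASG names and NSG below are constructed."""
import json

# Constructed flow matrix (hypothetical): ASG name -> ports it may receive from the Internet.
FLOW_MATRIX = {
    "web-asg": {80, 443},
    "dns-asg": {53},
}

# Source prefixes that mean "anyone on the Internet" (compared lower-cased).
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def expand_ports(spec):
    """'80' -> {80}; '1000-1010' -> that range as a set; '*' -> None (any port)."""
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def rule_ports(props):
    """Union of destinationPortRange / destinationPortRanges; None if the rule allows any port."""
    specs = []
    if props.get("destinationPortRange"):
        specs.append(props["destinationPortRange"])
    specs.extend(props.get("destinationPortRanges", []))
    ports = set()
    for spec in specs:
        expanded = expand_ports(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports


def rule_sources(props):
    """All source prefixes of a rule (single field and list field), lower-cased."""
    srcs = []
    if props.get("sourceAddressPrefix"):
        srcs.append(props["sourceAddressPrefix"])
    srcs.extend(props.get("sourceAddressPrefixes", []))
    return [s.lower() for s in srcs]


def rule_targets(props):
    """ASG names the rule targets; an empty list means everything behind the NSG."""
    asgs = props.get("destinationApplicationSecurityGroups", [])
    return [a["id"].rsplit("/", 1)[-1] for a in asgs]


def audit_nsg(nsg, flow_matrix):
    """Return findings for inbound Allow rules from public sources on undocumented ports."""
    findings = []
    rules = sorted(nsg["properties"]["securityRules"],
                   key=lambda r: r["properties"]["priority"])
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        if not any(s in PUBLIC_SOURCES for s in rule_sources(p)):
            continue  # private / VirtualNetwork / service-tag sources are out of scope here
        ports = rule_ports(p)
        targets = rule_targets(p) or ["(no ASG: entire subnet/NIC)"]
        for target in targets:
            allowed = flow_matrix.get(target, set())
            if ports is None:
                findings.append({"rule": rule["name"], "target": target, "ports": "*"})
            else:
                extra = sorted(ports - allowed)
                if extra:
                    findings.append({"rule": rule["name"], "target": target, "ports": extra})
    return findings


# Constructed sample NSG in ARM shape (hypothetical subscription and resource group).
ASG_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
              "/providers/Microsoft.Network/applicationSecurityGroups/")
SAMPLE_NSG = {"name": "nsg-demo", "properties": {"securityRules": [
    {"name": "allow-web-from-internet", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"],
        "destinationApplicationSecurityGroups": [{"id": ASG_PREFIX + "web-asg"}]}},
    {"name": "allow-dns-from-any", "properties": {
        "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRanges": ["53", "80"],
        "destinationApplicationSecurityGroups": [{"id": ASG_PREFIX + "dns-asg"}]}},
    {"name": "allow-rdp-from-any", "properties": {
        "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationPortRange": "3389",
        "destinationAddressPrefix": "*"}},
    {"name": "allow-vnet-any", "properties": {
        "priority": 130, "direction": "Inbound", "access": "Allow", "protocol": "*",
        "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"}},
    {"name": "deny-all-inbound", "properties": {
        "priority": 4000, "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
]}}

if __name__ == "__main__":
    print(json.dumps(audit_nsg(SAMPLE_NSG, FLOW_MATRIX), indent=2))
```

On the sample, the web rule passes because its ports match the flow matrix, the DNS rule is flagged for the stray port 80 (the reply's own example), and the RDP rule is flagged because it is open to `*` with no ASG at all. To run it against real data, replace `SAMPLE_NSG` with the parsed output of `az network nsg show -g <rg> -n <nsg> -o json` and fill `FLOW_MATRIX` from your documented flow matrix.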