Forum Discussion
Gil Blumberg
Jul 09, 2021
Brass Contributor
Deny traffic between VNETs when using peering Bastion Host VNET?
Like many fans of Bastion Host, I was really excited to see that Bastion Host can be used across peered VNETs.
I gave this a bit of thought before going ahead and seeking thoughts on below.
If I'm peering a VNET from the Bastion Host VNET to a bunch of other VNETs solely for this purpose, we're essentially increasing our attack surface after opening up all traffic between the VNETs (even without allowing gateway transit).
The situation I'm envisaging is that if one VM in a peered subnet is compromised (not via RDP), an attacker can use lateral movement over any port other than 22/3389 to attack other VMs.
Naturally I can't amend the default any-any rule for VNETs in the NSG.
So I see 2 options really.
1. Add an explicit deny-all rule for inbound from the VNET (lower priority of course than inbound allowing 22/3389 from Bastion Subnet)
2. Don't be so overly cautious and do nothing!
Keen for thoughts and feedback!
lukemurraynz (Learn Expert)
You could add a Deny All if you're worried about it, then look at Application Security Groups to group your servers and only allow specific traffic between them (i.e. between App and DB servers only).
Then it is visibility, so either a Network Virtual Appliance or look at implementing Traffic Analytics - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

Gil Blumberg (Brass Contributor)
Thanks Luke. That's a bit better, but unless I'm mistaken, doesn't address the main issue.
In my scenario, the peering is purely for Bastion Host, no need for any traffic between the VMs directly. So specifying which traffic between the VMs is allowed won't address this.
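To check what option 1 in the question (and Luke's "Deny All" suggestion) actually does to inbound traffic, the following added example, which is not part of the thread, models how an NSG evaluates inbound rules in priority order. It places an allow for 22/3389 from the AzureBastionSubnet at priority 100 and a deny for the VirtualNetwork service tag at priority 4000 ahead of Azure's built-in default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500), then evaluates a Bastion session, a lateral-movement attempt from a peered spoke VM, and a load-balancer health probe. The address spaces, the Bastion subnet CIDR and the spoke VM address are constructed values; the service-tag resolution is a simplification for illustration (the real VirtualNetwork tag also covers peered and gateway-connected ranges).

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: hub VNet hosting Bastion plus one peered spoke VNet.
VNET_SPACES = ["10.0.0.0/16", "10.1.0.0/16"]
BASTION_SUBNET = "10.0.1.0/26"           # AzureBastionSubnet (constructed CIDR)
SPOKE_VM = "10.1.0.7"                    # a VM in the peered spoke (constructed)
AZURE_LB_PROBE = "168.63.129.16"         # address behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number wins; evaluation stops at first match
    access: str          # "Allow" or "Deny"
    source: str          # CIDR or service tag ("*", "VirtualNetwork", "AzureLoadBalancer")
    dest_ports: frozenset  # set of ints, or {"*"} for any port


def matches_source(prefix: str, ip: str) -> bool:
    """Resolve a CIDR or (simplified) service tag against a source address."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(n) for n in VNET_SPACES)
    if prefix == "AzureLoadBalancer":
        return addr == ipaddress.ip_address(AZURE_LB_PROBE)
    return addr in ipaddress.ip_network(prefix)


def matches_port(ports: frozenset, port: int) -> bool:
    return "*" in ports or port in ports


def evaluate(rules, src_ip: str, dst_port: int):
    """Return (rule name, access) of the first rule matching an inbound flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches_source(rule.source, src_ip) and matches_port(rule.dest_ports, dst_port):
            return rule.name, rule.access
    raise RuntimeError("no match: an Azure NSG always ends with DenyAllInBound")


# Azure's built-in inbound default rules (priorities as Azure defines them).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", frozenset({"*"})),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", frozenset({"*"})),
    Rule("DenyAllInBound", 65500, "Deny", "*", frozenset({"*"})),
]

# Option 1 from the question: Bastion allow first, then deny everything else from the VNet.
# The deny is scoped to the VirtualNetwork tag rather than "*", so it does not
# catch the load-balancer probe, which the 65001 default still allows.
HARDENED_RULES = [
    Rule("AllowBastionInBound", 100, "Allow", BASTION_SUBNET, frozenset({22, 3389})),
    Rule("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", frozenset({"*"})),
] + DEFAULT_RULES


def lateral_movement_allowed(rules, port: int = 445) -> bool:
    """True if a compromised spoke VM could reach this NIC on a non-Bastion port (SMB here)."""
    return evaluate(rules, SPOKE_VM, port)[1] == "Allow"


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(f"[{label}] bastion -> 3389:", evaluate(rules, "10.0.1.5", 3389))
        print(f"[{label}] spoke VM -> 445:", evaluate(rules, SPOKE_VM, 445))
        print(f"[{label}] spoke VM -> 22:", evaluate(rules, SPOKE_VM, 22))
        print(f"[{label}] LB probe -> 80:", evaluate(rules, AZURE_LB_PROBE, 80))
```

With only the default rules, the spoke VM reaches port 445 through AllowVnetInBound; with the two custom rules in place it is stopped at DenyVnetInBound, while Bastion sessions on 22/3389 and the load-balancer probe still pass. An NSG flow log or Traffic Analytics query for hits on the DenyVnetInBound rule then gives exactly the visibility Luke mentions: any hit is traffic that had no business crossing the peering.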