Forum Discussion
onetypicaluser
Jan 22, 2024
Copper Contributor
During VM creation, RDP open to Internet rule is bypassing NSG policy to deny inbound rule for 3389
3389 is successfully blocked by policy on an NSG when a user tries to create an inbound allow rule outside of our whitelist of sourceAddressPrefix for 3389, or any range that includes it (including '*'). The problem is when deploying a VM, if the RDP option is checked, Azure goes ahead and creates an any any inbound allow rule for 3389. How do I go about denying the VM creation when a user tries to apply this rule?
The current policy applies to:
"field": "type",
"in": [
  "Microsoft.Network/networkSecurityGroups/securityRules",
  "Microsoft.Compute/virtualMachines",
  "Microsoft.Compute/networkInterfaces"
]
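An added example, not part of the original post: a Python check over a deployment's resources that flags inbound allow rules covering 3389 from sources outside an allowlist, whether the rule is a standalone securityRules resource or is declared inline under a networkSecurityGroups resource's properties.securityRules. It assumes the rule created during VM creation arrives in the inline form; the allowlist, resource names and sample data are constructed.

```python
ALLOWED_SOURCES = {"203.0.113.0/24"}  # hypothetical allowlist of RDP sources
RDP_PORT = 3389

def covers_rdp(spec):
    """True if a port value such as '*', '3389' or '3000-4000' includes 3389."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    try:
        return int(lo) <= RDP_PORT <= int(hi or lo)
    except ValueError:
        return False

def rule_violates(props):
    """True for an inbound allow rule reaching 3389 from a non-allowlisted source."""
    if props.get("direction", "").lower() != "inbound":
        return False
    if props.get("access", "").lower() != "allow":
        return False
    # Each field exists in a singular and a plural form; collect both.
    ports = [props.get("destinationPortRange"), *(props.get("destinationPortRanges") or [])]
    sources = [props.get("sourceAddressPrefix"), *(props.get("sourceAddressPrefixes") or [])]
    if not any(covers_rdp(p) for p in ports if p):
        return False
    return any(s not in ALLOWED_SOURCES for s in sources if s)

def find_violations(resources):
    """Check standalone rule resources and rules nested inside an NSG resource."""
    hits = []
    for res in resources:
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        if rtype == "microsoft.network/networksecuritygroups/securityrules":
            if rule_violates(props):
                hits.append(res["name"])
        elif rtype == "microsoft.network/networksecuritygroups":
            for rule in props.get("securityRules", []):
                if rule_violates(rule.get("properties", {})):
                    hits.append(f'{res["name"]}/{rule["name"]}')
    return hits

def _rule(src, port):  # builds constructed sample rule properties
    return {"direction": "Inbound", "access": "Allow",
            "sourceAddressPrefix": src, "destinationPortRange": port}

SAMPLE = [  # constructed resources, not taken from a real deployment
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "vm1-nsg",
     "properties": {"securityRules": [{"name": "RDP", "properties": _rule("*", "3389")}]}},
    {"type": "Microsoft.Network/networkSecurityGroups/securityRules",
     "name": "nsg2/office-rdp", "properties": _rule("203.0.113.0/24", "3389")},
    {"type": "Microsoft.Network/networkSecurityGroups/securityRules",
     "name": "nsg2/wide-range", "properties": _rule("Internet", "3000-4000")},
]
```

A checker that only looks at the standalone securityRules type would miss the first sample entry, which is why the parent NSG type is inspected as well.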
1 Reply