During VM creation, RDP open to Internet rule is bypassing NSG policy to deny inbound rule for 3389


3389 is successfully blocked by policy on an NSG when a user tries to create an inbound allow rule outside of our whitelist of sourceAddressPrefix for 3389, or any range that includes it (including '*'). The problem is when deploying a VM: if the RDP option is checked, Azure goes ahead and creates an any/any inbound allow rule for 3389. How do I go about denying the VM creation when a user tries to apply this rule?


The current policy applies to:

```json
{
  "field": "type",
  "in": [
    "Microsoft.Network/networkSecurityGroups/securityRules",
    "Microsoft.Compute/virtualMachines",
    "Microsoft.Compute/networkInterfaces"
  ]
}
```

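When the portal's RDP option is ticked, the 3389 rule arrives inline inside the `Microsoft.Network/networkSecurityGroups` resource body rather than as a separate `securityRules` child resource, so a policy scoped only to the child type never sees it. The following is an added example, not code from the original post: a `policyRule` that evaluates the NSG resource itself and denies it when any inline rule allows inbound 3389 (or `*`) from a source outside the whitelist; `allowedRdpSources` is an assumed parameter name that would hold the existing sourceAddressPrefix whitelist.

```json
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
      {
        "count": {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
          "where": {
            "allOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
              {
                "anyOf": [
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "in": [ "3389", "*" ] },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", "in": [ "3389", "*" ] }
                ]
              },
              {
                "anyOf": [
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "notIn": "[parameters('allowedRdpSources')]" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", "notIn": "[parameters('allowedRdpSources')]" }
                ]
              }
            ]
          }
        },
        "greater": 0
      }
    ]
  },
  "then": { "effect": "deny" }
}
```

This complements, rather than replaces, the existing policy on the `securityRules` child type, which still covers rules added to an NSG after creation; note that a literal port range such as `"3000-4000"` is not matched by the `in` comparison above and would need to be listed explicitly, as the existing policy already does for ranges.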