May 19 2019 (last edited on May 24 2021)
After looking at Azure Security Center recommendations, not all my VMs have NSGs, and there is probably a policy I need to create requiring it. On the ones that do, there are three rules that are automatically created.
The first one is basically an allow-all rule, and I'm not sure if I'm missing something, but when looking at that rule you would never get to the deny rule. The reason I'm saying this is because when you look at the source/destination of the Virtual network, it's 0.0.0.0/0, which is basically any.
While Azure does come with a default set of service tags, all that does is put the source/destination in for you by using that tag. If you never want to get to these rules, then you really need to put rules ahead of them if traffic needs to be restricted.
The other issue I have with NSGs is that it's like the old firewall days where it's Source (IP), Destination (IP) and Ports, compared to most of your NGFWs, which have become application based, especially for those applications that use multiple ports/dynamic ports.
While I'm not an expert on this, this is just my 2 cents on it.
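The point about rule ordering can be checked with a small model of how an NSG evaluates inbound traffic: rules are sorted by priority number, the first match wins, and the three default inbound rules sit at priorities 65000, 65001 and 65500, so any custom rule (priority 100 to 4096) is always consulted before them. The code below is an added example and is not from the original post or from Azure; the service-tag prefix lists, the custom rule names and the sample addresses are constructed for illustration (a real VirtualNetwork tag expands to the VNet address space and connected networks, not a fixed CIDR).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first; first match wins
    source: str        # CIDR, service tag name, or "*"
    dest_port: str     # "443", "1000-2000", or "*"
    action: str        # "Allow" or "Deny"


# Constructed stand-ins for two service tags (assumption: real tags expand to
# Azure-maintained prefix lists; VirtualNetwork covers the VNet address space
# and anything routed into it, which is what makes the default allow so broad).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# The three inbound rules every NSG gets, at the priorities Azure documents.
DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]


def source_matches(source: str, ip: str) -> bool:
    """True if ip falls inside the rule's source CIDR or service tag."""
    addr = ipaddress.ip_address(ip)
    if source == "*":
        return True
    prefixes = SERVICE_TAGS.get(source, [source])
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def port_matches(spec: str, port: int) -> bool:
    """True if port is covered by a single port, a range "a-b", or "*"."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> Optional[Tuple[str, str]]:
    """Return (rule name, action) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_port, dst_port):
            return rule.name, rule.action
    return None  # unreachable while DenyAllInBound is present


def check_custom_priorities(rules: List[Rule]) -> List[str]:
    """Names of custom rules outside the 100-4096 range Azure accepts."""
    default_names = {r.name for r in DEFAULT_INBOUND}
    return [r.name for r in rules
            if r.name not in default_names and not 100 <= r.priority <= 4096]


# Custom rules placed ahead of the defaults (constructed for this example):
# block RDP from the rest of the VNet, allow HTTPS from anywhere.
HARDENED: List[Rule] = [
    Rule("DenyRdpFromVnet", 100, "10.0.0.0/8", "3389", "Deny"),
    Rule("AllowHttpsInbound", 200, "*", "443", "Allow"),
] + DEFAULT_INBOUND


if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULT_INBOUND), ("with custom rules", HARDENED)):
        for ip, port in (("10.0.1.5", 3389), ("203.0.113.7", 443), ("168.63.129.16", 80)):
            print(f"{label:18} {ip:>14}:{port:<5} -> {evaluate(rules, ip, port)}")
```

Running it shows the behaviour the post describes: with only the default rules, RDP from another VNet address is allowed by AllowVnetInBound and DenyAllInBound is never reached for that traffic; adding a Deny at priority 100 is what actually restricts it, while traffic from outside the VNet only reaches the explicit allow you add.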
May 20 2019 12:45 PM (Solution)
May 20 2019 11:20 PM