May 19 2019 08:27 AM - last edited on May 24 2021 02:35 PM by TechCommunityAP
After looking at Azure Security Center recommendations, not all my VMs have NSGs, and there is probably a policy I need to create requiring it. On the ones that do have one, there are three rules that are automatically created.
The first one is basically an allow-all rule, and I'm not sure if I'm missing something, but when looking at that rule you would never get to the deny rule. The reason I'm saying this is because when you look at the source/destination of the Virtual network, it's 0.0.0.0/0, which is basically any.
While Azure does come with a default set of service tags, all that does is put the source/destination in for you by using that tag. If you never want to get to these rules, then you really need to put rules ahead of them if traffic needs to be restricted.
The other issue I have with NSGs is that it's like the old firewall days, where it's Source (IP), Destination (IP) and Ports, compared to most NGFWs, which have become application-based, especially for those applications that use multiple ports/dynamic ports.
While I'm not an expert on this, this is just my 2 cents on it.
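The post above turns on how NSG rules are evaluated: lowest priority number first, first match wins, and the three default inbound rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) sit at the bottom and cannot be deleted, so any traffic the VirtualNetwork tag covers is allowed before DenyAllInBound is ever consulted. The following is an added example, not code from the poster or from Microsoft: a small Python model of that first-match evaluation over a constructed rule set. The default rule names and priorities are Azure's; the service-tag expansions (`SERVICE_TAGS`), the VM addresses, and the custom rule `DenyRdpFromVnet` are assumptions made for the example, since real tags are resolved by the platform rather than from a static table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: what each service tag expands to in this example VNet.
# Real tags are resolved by the platform (the VirtualNetwork tag covers the VNet
# address space plus peered/connected spaces), not from a static table like this.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # assumed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's virtual IP used by LB probes
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number wins; the defaults sit at 65000-65500
    source: str     # CIDR, single IP, service-tag name, or "*"
    dest: str
    port: str       # "*", a single port such as "3389", or a range such as "8000-8010"
    access: str     # "Allow" or "Deny"


# The three inbound rules Azure attaches to every NSG; they cannot be deleted,
# only overridden by rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Hypothetical custom rule placed ahead of the defaults: block RDP from anywhere
# in the VNet, which AllowVnetInBound would otherwise permit.
DENY_RDP_FROM_VNET = Rule("DenyRdpFromVnet", 100, "VirtualNetwork", "*", "3389", "Deny")


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])   # tag name or a literal prefix/IP
    ip = ip_address(addr)
    return any(ip in ip_network(p, strict=False) for p in prefixes)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(rules, src: str, dst: str, port: int):
    """First-match evaluation in ascending priority order, as the NSG engine does.

    Returns (access, rule_name). While DenyAllInBound is present the fallback
    below is never reached; it is kept so the function is total."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_addr_matches(rule.source, src) and _addr_matches(rule.dest, dst)
                and _port_matches(rule.port, port)):
            return rule.access, rule.name
    return "Deny", "<no rule matched>"


def with_custom(*custom: Rule):
    """The rule set a NIC actually sees: your rules plus the undeletable defaults."""
    return list(custom) + DEFAULT_INBOUND


if __name__ == "__main__":
    vm_a, vm_b = "10.0.1.4", "10.0.2.5"   # constructed: two VMs in the same VNet
    # Defaults only: VNet-to-VNet RDP is allowed at 65000, so 65500 is never consulted.
    print(evaluate(DEFAULT_INBOUND, vm_a, vm_b, 3389))
    # A source outside every tag falls through to DenyAllInBound.
    print(evaluate(DEFAULT_INBOUND, "203.0.113.9", vm_b, 443))
    # With a deny at priority 100 ahead of the defaults the same RDP flow is blocked,
    # while SSH from the VNet is still allowed by AllowVnetInBound.
    print(evaluate(with_custom(DENY_RDP_FROM_VNET), vm_a, vm_b, 3389))
    print(evaluate(with_custom(DENY_RDP_FROM_VNET), vm_a, vm_b, 22))
```

The model makes the practical point concrete: a restriction on intra-VNet traffic only takes effect if it is given a priority number below 65000, and it must be written as an explicit Deny, because a lower-numbered Allow that does not match simply lets evaluation continue down to the default Allow.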
May 20 2019 12:45 PM
Solution
May 20 2019 05:20 PM
That was a good blog post.
I am currently using an NGFW inside of Azure, but because I don't have security groups applied to every VM, it gives me a recommendation about it.