Avoid rules that allow any as an inbound source

Security · Network Security Group · Rule · 2020_06 · Critical

Network security groups (NSGs) should avoid rules that allow "any" as an inbound source.

Description

NSGs filter network traffic for Azure resources connected to a virtual network subnet. In addition to the built-in default security rules, custom rules can be defined that allow or deny inbound or outbound traffic.

When defining custom rules, avoid inbound allow rules that use any (*) as the source. Such rules do not state which callers are expected, so their intent is easily misread by support teams during triage. More importantly, * also matches Internet sources, so a rule with an any source exposes the service as soon as a public IP address is attached to a resource in that subnet.

When inbound network traffic from the Internet is intended, also consider the following:

  • Use Application Gateway in front of any web application workloads.
  • Use DDoS Protection Standard to protect public IP addresses.

Recommendation

Consider updating inbound allow rules to use a specific source such as an IP range, an application security group, or a service tag. If inbound access from Internet-based sources is intended, use the Internet service tag instead of *, so that the rule states that intent explicitly and does not also match private or peered address space.

Examples

Configure with Azure template

To deploy Network Security Groups that pass this rule:

  • Set the sourceAddressPrefix or sourceAddressPrefixes property to a value other than * for inbound allow rules.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2023-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "securityRules": [
      {
        "name": "AllowLoadBalancerHealthInbound",
        "properties": {
          "description": "Allow inbound Azure Load Balancer health check.",
          "access": "Allow",
          "direction": "Inbound",
          "priority": 100,
          "protocol": "*",
          "sourcePortRange": "*",
          "sourceAddressPrefix": "AzureLoadBalancer",
          "destinationPortRange": "*",
          "destinationAddressPrefix": "*"
        }
      },
      {
        "name": "AllowApplicationInbound",
        "properties": {
          "description": "Allow internal web traffic into application.",
          "access": "Allow",
          "direction": "Inbound",
          "priority": 300,
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "sourceAddressPrefix": "10.0.0.0/8",
          "destinationPortRange": "443",
          "destinationAddressPrefix": "VirtualNetwork"
        }
      },
      {
        "name": "DenyAllInbound",
        "properties": {
          "description": "Deny all other inbound traffic.",
          "access": "Deny",
          "direction": "Inbound",
          "priority": 4000,
          "protocol": "*",
          "sourcePortRange": "*",
          "sourceAddressPrefix": "*",
          "destinationPortRange": "*",
          "destinationAddressPrefix": "*"
        }
      },
      {
        "name": "DenyTraversalOutbound",
        "properties": {
          "description": "Deny outbound double hop traversal.",
          "access": "Deny",
          "direction": "Outbound",
          "priority": 200,
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "sourceAddressPrefix": "VirtualNetwork",
          "destinationAddressPrefix": "*",
          "destinationPortRanges": [
            "3389",
            "22"
          ]
        }
      }
    ]
  }
}

To create an Application Security Group, use the Microsoft.Network/applicationSecurityGroups resource. For example:

Azure Template snippet
{
  "type": "Microsoft.Network/applicationSecurityGroups",
  "apiVersion": "2023-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {}
}
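To catch a non-compliant template before it is deployed, the following Python script (an added example for this page, not PSRule's own implementation) parses an ARM template, walks both inline securityRules and top-level Microsoft.Network/networkSecurityGroups/securityRules child resources, and reports every inbound Allow rule whose source is *. Deny rules that use * (such as the final DenyAllInbound above) are deliberately not reported. The embedded template is constructed for the example and mirrors the NSG shown above plus two failing rules; the optional strict mode, which also treats 0.0.0.0/0 and ::/0 as any, goes beyond what this rule checks and is the script's own assumption.

```python
"""Pre-deployment check: flag inbound Allow rules in an ARM template whose source is "any".

Added example for this page, not PSRule's own code. SAMPLE_TEMPLATE is constructed.
"""
import json
import sys

# The rule on this page treats "*" as "any". Treating 0.0.0.0/0 and ::/0 the same way
# is an assumption of this script (they are functionally "any" for IPv4 / IPv6).
ANY_SOURCE = {"*"}
EQUIVALENT_TO_ANY = {"0.0.0.0/0", "::/0"}


def is_any_source(prefix, strict=False):
    """True if one source prefix means "any". Service tags such as Internet are not "any"."""
    p = str(prefix).strip()
    return p in ANY_SOURCE or (strict and p in EQUIVALENT_TO_ANY)


def rule_sources(props):
    """Collect sources from both property forms a security rule may use."""
    sources = []
    if props.get("sourceAddressPrefix") is not None:
        sources.append(props["sourceAddressPrefix"])
    sources.extend(props.get("sourceAddressPrefixes") or [])
    return sources


def iter_security_rules(template):
    """Yield (nsg_name, rule_name, rule_properties) for inline and child-resource rules."""
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        if rtype == "microsoft.network/networksecuritygroups":
            for rule in res.get("properties", {}).get("securityRules", []):
                yield res.get("name", ""), rule.get("name", ""), rule.get("properties", {})
        elif rtype == "microsoft.network/networksecuritygroups/securityrules":
            # Child resource declared at top level: its name is "<nsg>/<rule>".
            nsg_name, _, rule_name = res.get("name", "").partition("/")
            yield nsg_name, rule_name, res.get("properties", {})


def find_any_inbound_allow_rules(template, strict=False):
    """Return (nsg, rule, offending_source) for each inbound Allow rule with an "any" source."""
    findings = []
    for nsg_name, rule_name, props in iter_security_rules(template):
        if props.get("direction", "").lower() != "inbound":
            continue
        if props.get("access", "").lower() != "allow":
            continue  # a Deny rule with "*" as source is fine (e.g. DenyAllInbound)
        for src in rule_sources(props):
            if is_any_source(src, strict):
                findings.append((nsg_name, rule_name, src))
                break  # one finding per rule is enough
    return findings


def _rule(name, access, direction, source=None, sources=None, port="*", proto="*"):
    """Build one securityRules entry for the constructed sample template."""
    props = {"access": access, "direction": direction, "protocol": proto,
             "sourcePortRange": "*", "destinationPortRange": port,
             "destinationAddressPrefix": "VirtualNetwork", "priority": 100}
    if source is not None:
        props["sourceAddressPrefix"] = source
    if sources is not None:
        props["sourceAddressPrefixes"] = sources
    return {"name": name, "properties": props}


# Constructed sample: nsg-good follows the page's example, nsg-bad carries the anti-pattern.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-good",
         "properties": {"securityRules": [
             _rule("AllowLoadBalancerHealthInbound", "Allow", "Inbound", source="AzureLoadBalancer"),
             _rule("AllowApplicationInbound", "Allow", "Inbound", source="10.0.0.0/8", port="443", proto="Tcp"),
             _rule("DenyAllInbound", "Deny", "Inbound", source="*"),
         ]}},
        {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-bad",
         "properties": {"securityRules": [
             _rule("AllowAnySsh", "Allow", "Inbound", source="*", port="22", proto="Tcp"),
             _rule("AllowRdpFromList", "Allow", "Inbound", sources=["203.0.113.0/24", "*"], port="3389", proto="Tcp"),
             _rule("AllowAnyOutbound", "Allow", "Outbound", source="*"),
         ]}},
        {"type": "Microsoft.Network/networkSecurityGroups/securityRules", "name": "nsg-bad/AllowInternetHttps",
         "properties": _rule("", "Allow", "Inbound", source="Internet", port="443", proto="Tcp")["properties"]},
        {"type": "Microsoft.Network/networkSecurityGroups/securityRules", "name": "nsg-bad/AllowV4Any",
         "properties": _rule("", "Allow", "Inbound", source="0.0.0.0/0", port="443", proto="Tcp")["properties"]},
    ]
}


if __name__ == "__main__":
    # Usage: python nsg_any_source_check.py [template.json] [--strict]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    template = json.load(open(paths[0])) if paths else SAMPLE_TEMPLATE
    results = find_any_inbound_allow_rules(template, strict="--strict" in sys.argv)
    for nsg, rule, src in results:
        print(f"FAIL {nsg}/{rule}: inbound allow from {src!r}")
    sys.exit(1 if results else 0)
```

Run without arguments to audit the constructed sample, or pass a path to an exported ARM template; the non-zero exit code makes it usable as a pipeline gate. The script only inspects the JSON it is given, so rules added later in the portal or by another deployment are out of its scope, and an ARM expression in a name field is reported verbatim rather than resolved.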

Configure with Bicep

To deploy Network Security Groups that pass this rule:

  • Set the sourceAddressPrefix or sourceAddressPrefixes property to a value other than * for inbound allow rules.

For example:

Azure Bicep snippet
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: name
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowLoadBalancerHealthInbound'
        properties: {
          description: 'Allow inbound Azure Load Balancer health check.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'AllowApplicationInbound'
        properties: {
          description: 'Allow internal web traffic into application.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 300
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: '10.0.0.0/8'
          destinationPortRange: '443'
          destinationAddressPrefix: 'VirtualNetwork'
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          description: 'Deny all other inbound traffic.'
          access: 'Deny'
          direction: 'Inbound'
          priority: 4000
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: '*'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'DenyTraversalOutbound'
        properties: {
          description: 'Deny outbound double hop traversal.'
          access: 'Deny'
          direction: 'Outbound'
          priority: 200
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '3389'
            '22'
          ]
        }
      }
    ]
  }
}

To create an Application Security Group, use the Microsoft.Network/applicationSecurityGroups resource. For example:

Azure Bicep snippet
resource asg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
  name: name
  location: location
  properties: {}
}
