Avoid rules that allow any inbound source
Network security groups (NSGs) should avoid rules that allow any inbound source.
NSGs filter network traffic for Azure resources connected to a virtual network subnet. In addition to the built-in (default) security rules, custom security rules can be defined that allow or deny inbound or outbound communication.
When defining custom rules, avoid rules that allow any inbound source (a source address prefix of `*`). The intent of such rules is not clear to the teams that later support the deployment, and because the rule matches traffic from every address, it exposes the destination service to the Internet as soon as a public IP address is attached to a resource the NSG protects.
When inbound network traffic from the Internet is intended, also consider the following:
- Use Application Gateway in front of any web application workloads.
- Use DDoS Protection Standard to protect public IP addresses.
Consider updating inbound rules to use a specified source such as an IP range or service tag.
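The following Python script is an added example, not part of this page or of PSRule for Azure. It scans the NSG resources in an ARM template for inbound `Allow` rules whose source is any address, and shows how such a rule is rewritten to use an explicit IP range list or a service tag instead. The template is constructed inline for the example; the resource and rule names are made up. Treating the zero-length CIDRs `0.0.0.0/0` and `::/0` as equivalent to the `*` wildcard is a choice made here (the page itself only discusses the any-source wildcard).

```python
import copy
import json
from ipaddress import ip_network

# Constructed sample: a trimmed ARM template with one NSG and four rules.
# Only "AllowAnyHttps" is the pattern the page warns about: Inbound + Allow + any source.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "nsg-web",
      "properties": {
        "securityRules": [
          {"name": "AllowAnyHttps", "properties": {"direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "443", "priority": 100}},
          {"name": "AllowInternetHttps", "properties": {"direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "443", "priority": 110}},
          {"name": "AllowCorpRdp", "properties": {"direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24", "198.51.100.0/24"],
            "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "3389",
            "priority": 120}},
          {"name": "DenyAllInbound", "properties": {"direction": "Inbound", "access": "Deny",
            "protocol": "*", "sourceAddressPrefix": "*", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "*", "priority": 4000}}
        ]
      }
    }
  ]
}
""")


def is_any_source(prefix: str) -> bool:
    """True when a source prefix matches every address: the '*' wildcard or a /0 CIDR."""
    if prefix.strip() == "*":
        return True
    try:
        return ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        # Service tags such as "Internet" or "VirtualNetwork" are not IP networks; they are a
        # specified source, so they do not count as "any".
        return False


def source_prefixes(rule_props: dict) -> list:
    """Collect both the single and the plural source prefix properties of a rule."""
    prefixes = list(rule_props.get("sourceAddressPrefixes") or [])
    single = rule_props.get("sourceAddressPrefix")
    if single:
        prefixes.append(single)
    return prefixes


def find_any_inbound_allow_rules(template: dict) -> list:
    """Return (nsg name, rule name) pairs for inbound Allow rules that accept any source."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/networksecuritygroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            props = rule["properties"]
            if props.get("direction") != "Inbound" or props.get("access") != "Allow":
                continue  # outbound rules and Deny rules are out of scope for this check
            if any(is_any_source(p) for p in source_prefixes(props)):
                findings.append((res["name"], rule["name"]))
    return findings


def restrict_source(rule: dict, prefixes: list) -> dict:
    """Return a copy of the rule with its source replaced by explicit prefixes or one service tag.

    Pass a single-element list for a service tag (e.g. ["Internet"]); pass IP ranges as a list.
    The two forms are kept separate because Azure does not mix a service tag with IP ranges.
    """
    fixed = copy.deepcopy(rule)
    props = fixed["properties"]
    props.pop("sourceAddressPrefix", None)
    props.pop("sourceAddressPrefixes", None)
    if len(prefixes) == 1:
        props["sourceAddressPrefix"] = prefixes[0]
    else:
        props["sourceAddressPrefixes"] = prefixes
    return fixed


def remediate(template: dict, replacement: list) -> dict:
    """Return a copy of the template with every flagged rule restricted to `replacement`."""
    fixed = copy.deepcopy(template)
    flagged = set(find_any_inbound_allow_rules(fixed))
    for res in fixed.get("resources", []):
        rules = res.get("properties", {}).get("securityRules", [])
        for i, rule in enumerate(rules):
            if (res.get("name"), rule["name"]) in flagged:
                rules[i] = restrict_source(rule, replacement)
    return fixed


if __name__ == "__main__":
    for nsg, rule in find_any_inbound_allow_rules(SAMPLE_TEMPLATE):
        print(f"{nsg}/{rule}: inbound Allow rule with any source")
```

Run it against a real template by loading the exported JSON in place of `SAMPLE_TEMPLATE`; a rule such as `AllowInternetHttps`, which already names the `Internet` service tag, is not reported, while the same rule with `*` is.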
If inbound access from Internet-based sources is intended, consider using the service tag
- Best practices for endpoint security on Azure
- Network Security Groups
- Logically segment subnets
- What is Azure Application Gateway?
- Azure DDoS Protection Standard overview
- Azure template reference