
Avoid denying all inbound traffic

Operational Excellence · Network Security Group · Azure.NSG.DenyAllInbound

Avoid denying all inbound traffic.

Description

Network Security Groups can be configured to block all inbound network traffic. Blocking all inbound traffic will cause load balancer health probes and other required traffic to fail.

When using a custom deny all inbound rule, also add rules to allow permitted traffic. To permit network traffic, add a custom allow rule with a lower priority number than the deny all rule. Rules with a lower priority number are processed first. 100 is the lowest priority number.

Recommendation

Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added.
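
The check described above, sketched in Python as an added example (not the rule's own implementation): it orders inbound rules by priority number and reports a deny all rule that no allow rule precedes. Rule objects use the ARM `securityRules` property names; the `rule()` helper and the sample NSGs `WEAK` and `FIXED` are constructed for illustration.

```python
# Added example: flags an NSG whose deny-all inbound rule has no allow rule ahead of it.
# Rule shape follows the ARM securityRules properties; the sample NSGs are constructed.

def _is_any(props, single, plural):
    """True when an address or port field matches everything ('*')."""
    values = [props.get(single)] + list(props.get(plural) or [])
    return "*" in values

def is_deny_all_inbound(rule):
    p = rule["properties"]
    return (
        p["direction"] == "Inbound"
        and p["access"] == "Deny"
        and p.get("protocol") == "*"
        and _is_any(p, "sourceAddressPrefix", "sourceAddressPrefixes")
        and _is_any(p, "destinationAddressPrefix", "destinationAddressPrefixes")
        and _is_any(p, "destinationPortRange", "destinationPortRanges")
    )

def blocks_all_inbound(security_rules):
    """Return the name of a deny-all inbound rule that no allow rule precedes, else None."""
    inbound = sorted(
        (r for r in security_rules if r["properties"]["direction"] == "Inbound"),
        key=lambda r: r["properties"]["priority"],
    )
    for r in inbound:  # the lowest priority number is processed first
        if r["properties"]["access"] == "Allow":
            return None  # some traffic is permitted before any deny-all rule
        if is_deny_all_inbound(r):
            return r["name"]
    return None

def rule(name, priority, access, source="*", port="*", direction="Inbound"):
    """Hypothetical helper that builds one constructed security rule."""
    return {"name": name, "properties": {
        "priority": priority, "direction": direction, "access": access, "protocol": "*",
        "sourceAddressPrefix": source, "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": port}}

# Weak: the deny-all rule takes the lowest priority number, so nothing can precede it.
WEAK = [rule("deny-all-inbound", 100, "Deny")]
# Corrected: allow rules use lower numbers, the deny-all rule uses a high one.
FIXED = [
    rule("allow-lb-probes", 100, "Allow", source="AzureLoadBalancer"),
    rule("allow-https", 200, "Allow", source="Internet", port="443"),
    rule("deny-all-inbound", 4096, "Deny"),
]
```
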


Last update: 2021-09-24