Public IPs attached
Security · Virtual Machine Scale Sets · Rule · 2024_09 · Critical
Avoid attaching public IPs directly to virtual machine scale set instances.
Description
Attaching a public IP address to a virtual machine network interface (NIC) exposes it directly to the Internet. This exposure can make the virtual machine scale set instance vulnerable to unauthorized inbound access and security compromise. Minimize the number of Internet ingress/egress points to enhance security and reduce the potential attack surface.
For enhanced security, consider one or more of the following options:
- Secure remote access by RDP or SSH to virtual machine scale set instances can be configured through Azure Bastion.
  - Azure Bastion provides a secure encrypted connection without exposing a public IP.
- Exposing web services by HTTP/S can be configured with App Gateway or Azure Front Door (AFD).
  - App Gateway and AFD provide a secure reverse proxy that supports web application firewall (WAF) filtering.
- Internet connectivity should be managed through a security-hardened device such as Azure Firewall.
  - This option also allows additional controls to be applied for east/west and north/south traffic filtering.
  - Alternatively, a Network Virtual Appliance (NVA) can be used.
Recommendation
Evaluate alternative methods for inbound access to virtual machine scale set instances to enhance security and minimize risk.
Configure with Azure template
To deploy virtual machine scale sets that pass this rule:
- For each interface configuration specified in the properties.virtualMachineProfile.networkProfile.networkInterfaceConfigurations property:
  - For each IP configuration specified in the properties.ipConfigurations property:
    - Ensure that the properties.publicIPAddressConfiguration.name property does not specify a public IP address. In the example below the publicIPAddressConfiguration property is omitted entirely, so each instance receives only a private IP address from the subnet.
For example:
{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2023-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "b2ms",
    "tier": "Standard",
    "capacity": 3
  },
  "properties": {
    "virtualMachineProfile": {
      "networkProfile": {
        "networkInterfaceConfigurations": [
          {
            "name": "nic-001",
            "properties": {
              "primary": true,
              "ipConfigurations": [
                {
                  "name": "nic-001-defaultIpConfiguration",
                  "properties": {
                    "privateIPAddressVersion": "IPv4",
                    "subnet": {
                      "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
                    },
                    "primary": true
                  }
                }
              ]
            }
          }
        ]
      }
    }
  }
}
Configure with Bicep
To deploy virtual machine scale sets that pass this rule:
- For each interface configuration specified in the properties.virtualMachineProfile.networkProfile.networkInterfaceConfigurations property:
  - For each IP configuration specified in the properties.ipConfigurations property:
    - Ensure that the properties.publicIPAddressConfiguration.name property does not specify a public IP address. In the example below the publicIPAddressConfiguration property is omitted entirely, so each instance receives only a private IP address from the subnet.
For example:
resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
  name: name
  location: location
  sku: {
    name: 'b2ms'
    tier: 'Standard'
    capacity: 3
  }
  properties: {
    virtualMachineProfile: {
      networkProfile: {
        networkInterfaceConfigurations: [
          {
            name: 'nic-001'
            properties: {
              primary: true
              ipConfigurations: [
                {
                  name: 'nic-001-defaultIpConfiguration'
                  properties: {
                    privateIPAddressVersion: 'IPv4'
                    subnet: {
                      id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnetName)
                    }
                    primary: true
                  }
                }
              ]
            }
          }
        ]
      }
    }
  }
}
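The walk over networkInterfaceConfigurations and ipConfigurations that the template and Bicep steps above describe, as an added Python pre-deployment check over an ARM template (example code written for this page, not the PSRule project's own rule implementation). The template, the resource names and the vnet-1/snet-app subnet reference are constructed; vmss-ok mirrors the page's compliant example and vmss-bad attaches a public IP to each instance NIC.

```python
import json

# Constructed sample ARM template (not from the page or the PSRule project).
# vmss-ok mirrors the page's compliant example; vmss-bad attaches a public IP
# to every instance NIC through publicIPAddressConfiguration.
TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Compute/virtualMachineScaleSets", "name": "vmss-ok",
   "properties": {"virtualMachineProfile": {"networkProfile": {"networkInterfaceConfigurations": [
     {"name": "nic-001", "properties": {"primary": true, "ipConfigurations": [
       {"name": "ipcfg-1", "properties": {"primary": true,
        "subnet": {"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet-1', 'snet-app')]"}}}]}}]}}}},
  {"type": "Microsoft.Compute/virtualMachineScaleSets", "name": "vmss-bad",
   "properties": {"virtualMachineProfile": {"networkProfile": {"networkInterfaceConfigurations": [
     {"name": "nic-001", "properties": {"primary": true, "ipConfigurations": [
       {"name": "ipcfg-1", "properties": {"primary": true,
        "subnet": {"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet-1', 'snet-app')]"},
        "publicIPAddressConfiguration": {"name": "pip-instance"}}}]}}]}}}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-1", "properties": {}}
]}
""")

VMSS_TYPE = "Microsoft.Compute/virtualMachineScaleSets"

def vmss_public_ip_findings(resource):
    """Walk networkInterfaceConfigurations -> ipConfigurations and return a
    'vmss/nic/ipconfig' path for every instance IP configuration that names a
    publicIPAddressConfiguration. Missing properties are treated as absent."""
    findings = []
    profile = resource.get("properties", {}).get("virtualMachineProfile", {})
    nics = profile.get("networkProfile", {}).get("networkInterfaceConfigurations", [])
    for nic in nics:
        for ipcfg in nic.get("properties", {}).get("ipConfigurations", []):
            pip = ipcfg.get("properties", {}).get("publicIPAddressConfiguration") or {}
            if pip.get("name"):
                findings.append(f"{resource['name']}/{nic['name']}/{ipcfg['name']}")
    return findings

def check_template(template):
    """Return {VMSS name: findings} for every scale set in the template;
    an empty findings list means that resource passes the rule."""
    return {r["name"]: vmss_public_ip_findings(r)
            for r in template.get("resources", [])
            if r.get("type", "").lower() == VMSS_TYPE.lower()}

if __name__ == "__main__":
    for name, findings in check_template(TEMPLATE).items():
        print(name, "PASS" if not findings else "FAIL: " + ", ".join(findings))
```

Run it against an exported template to list, per scale set, every NIC and IP configuration that would give instances a public address; other resource types are ignored.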
Links
- SE:06 Network controls
- Plan for inbound and outbound internet connectivity
- Networking for scale sets
- Public IPv4 per virtual machine
- Azure Bastion
- Azure deployment reference - VMSS
- Azure deployment reference - VMSS instance