| Field | Value |
|---|---|
| Name | Deny NSG rule inbound from internet - Network Security Group (Community-Policy GitHub) |
| Id | network_deny-nsg-rule-inbound-from-internet-can-check-if-port-is-present-in-range_network-security-group |
| Version | n/a |
| Category | undefined |
| Description | This policy detects whether an NSG rule would allow a port, or a set of ports, to be reached from a source outside an IP whitelist. It evaluates service tags as well as port ranges. For example, if you specify port 22 in the policy parameter and only allow communication from 10.0.0.0/8, and someone creates a rule allowing ports 20-30 inbound from 20.x.x.x, that rule is denied: 22 falls within the 20-30 range and 20.x.x.x is not on the IP whitelist. This policy is part of a set of policies; both must be applied to cover all possible ways an NSG rule can be created. |
| Mode | All |
| Type | Custom Community |
| Effect | Default: Audit. Allowed: Audit, Deny, Disabled |
| Used RBAC Role | none |
| Rule Aliases | IF (6) |
| Rule ResourceTypes | IF (1) Microsoft.Network/networkSecurityGroups |
| JSON | |
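The range-and-whitelist logic the description states, modelled in Python as an added example (not the policy's own JSON, which is not shown on this page). It assumes NSG rule properties named as in the Azure resource model (`direction`, `access`, `destinationPortRange(s)`, `sourceAddressPrefix(es)`); the source prefixes and whitelist below are constructed sample values, and any non-CIDR service tag is treated as not whitelisted.

```python
import ipaddress

# Decision modelled from the description: an inbound Allow rule is denied when
# its port spec covers the guarded port AND at least one source is not fully
# inside a whitelisted prefix. Service tags are assumed untrusted here.

def port_in_spec(port: int, spec: str) -> bool:
    """True if spec ('*', '22', '20-30', or a comma list of those) covers port."""
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False

def source_whitelisted(source: str, whitelist: list[str]) -> bool:
    """True only if source is an IP/CIDR wholly contained in a whitelist prefix."""
    if source in ("*", "Internet", "Any"):
        return False
    try:
        src = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # service tag or malformed value: not provably whitelisted
    return any(
        src.version == wl.version and src.subnet_of(wl)
        for wl in (ipaddress.ip_network(w, strict=False) for w in whitelist)
    )

def rule_violates(rule: dict, guarded_port: int, whitelist: list[str]) -> bool:
    """Deny decision: inbound Allow rule exposing guarded_port to an untrusted source."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "")]
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
    exposed = any(port_in_spec(guarded_port, p) for p in ports)
    untrusted = any(not source_whitelisted(s, whitelist) for s in sources)
    return exposed and untrusted

# Constructed scenario from the description: port 22 guarded, 10.0.0.0/8 trusted.
WHITELIST = ["10.0.0.0/8"]
RANGE_RULE = {"direction": "Inbound", "access": "Allow",
              "destinationPortRange": "20-30", "sourceAddressPrefix": "20.0.0.0/8"}
```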