⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 Azure → 📁 Virtual Machine
🛡️ Azure Virtual Machine allows public access to HTTP(S) ports🟢
- Contextual name: 🛡️ Virtual Machine allows public access to HTTP(S) ports🟢
- ID:
/ce/ca/azure/virtual-machine/allows-unrestricted-http-traffic - Tags:
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logic
Description
Description
Ensure that Azure Virtual Machines are not configured with Network Security Group (NSG) rules that allow unrestricted inbound access to HTTP (port 80) and HTTPS (port 443) from the public internet. Inbound access to these ports should be restricted to trusted IP address ranges or fronted by secure services such as Azure Application Gateway or Azure Front Door to reduce exposure and maintain a strong security posture.
Rationale
NSGs are critical components for controlling network traffic to and from Azure resources. Inbound access to ports 80 (HTTP) and 443 (HTTPS) from any source (
0.0.0.0/0,::/0) significantly increases the attack surface of a virtual machine and may allow unauthenticated access to web applications or services. Periodically auditing NSG rules and restricting internet exposure to only what is strictly necessary is a key security best practice. Where public access is required, it should be scoped to specific source IPs or protected by additional layers such as web application firewalls (WAFs) or reverse proxies.... see more
Remediation
Remediation
Modify or Remove Insecure NSG Rule
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
If the rule is not required: Remove the rule entirely.
If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLI
Delete the rule:
az network nsg rule delete \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}}Restrict the rule:
az network nsg rule update \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}} \
--source-address-prefixes {{trusted-cidr}}Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g.,
--source-address-prefixes "1.2.3.4/32 5.6.7.8/32").... see more
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 Cloudaware Framework → 💼 Public and Anonymous Access | 80 | no data |