📝 Azure Network Security Group allows public UDP access 🟢

Contextual name: 📝 Security Group allows public UDP access 🟢
ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-udp-traffic
Located in: 📁 Azure Virtual Network

Flags

Our Metadata

Policy Type: COMPLIANCE_POLICY
Policy Category:
- SECURITY

Logic

🧠 prod.logic.yaml 🟢
- 📗 Azure Network Security Group
- 🔌 Azure Network Security Group Rule - object.extracts.yaml
- 🧪 test-data.json

Description

Description

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Rationale

The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.

Audit

This policy flagged an Azure Network Security Group as INCOMPLIANT if it contains at least one Inbound Security Rule that meets all of the following conditions:

Direction is Inbound.

Access is Allow.

Protocol is Udp.

Source Address Prefix is either Internet, * 0.0.0.0, /0, or Any.

... see more

Remediation

Open File

Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

If the rule is not required: Remove the rule entirely.

If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI
Delete the rule:
az network nsg rule delete \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}}
Restrict the rule:
az network nsg rule update \
    --resource-group {{resource-group-name}} \
    --nsg-name {{nsg-name}} \
    --name {{rule-name}} \
    --source-address-prefixes {{trusted-cidr}} 
Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS Azure v3.0.0 → 💼 7.3 Ensure that UDP access from the Internet is evaluated and restricted (Automated)			1
💼 CIS Azure v4.0.0 → 💼 8.3 Ensure that UDP access from the Internet is evaluated and restricted (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			76

Flags​

Our Metadata​

Logic​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Modify or Remove Insecure NSG Rule​

Azure CLI​

policy.yaml​

Linked Framework Sections​

Flags

Our Metadata

Logic

Description

Description

Rationale

Audit

Remediation

Remediation

Modify or Remove Insecure NSG Rule

Azure CLI

policy.yaml

Linked Framework Sections