
Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI

  1. Delete the rule:

    az network nsg rule delete \
    --resource-group {{resource-group-name}} \
    --nsg-name {{nsg-name}} \
    --name {{rule-name}}
  2. Restrict the rule:

    az network nsg rule update \
    --resource-group {{resource-group-name}} \
    --nsg-name {{nsg-name}} \
    --name {{rule-name}} \
    --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

PowerShell

  1. Delete the rule:

    $nsg = Get-AzNetworkSecurityGroup `
    -ResourceGroupName "{{resource-group-name}}" `
    -Name "{{nsg-name}}"

    Remove-AzNetworkSecurityRuleConfig `
    -Name "{{rule-name}}" `
    -NetworkSecurityGroup $nsg

    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

    Retrieve the NSG into the $nsg object first, then pass that same object to Remove-AzNetworkSecurityRuleConfig (which removes the rule from the in-memory object) and to Set-AzNetworkSecurityGroup (which writes the modified NSG back to Azure).

  2. Restrict the rule:

    $nsg = Get-AzNetworkSecurityGroup `
    -ResourceGroupName "{{resource-group-name}}" `
    -Name "{{nsg-name}}"

    $rule = $nsg.SecurityRules | Where-Object { $_.Name -eq "{{rule-name}}" }

    $rule.SourceAddressPrefix = "{{trusted-cidr}}" # Replace with your source IP/CIDR

    Set-AzNetworkSecurityRuleConfig `
    -NetworkSecurityGroup $nsg `
    -Name $rule.Name `
    -Direction $rule.Direction `
    -Priority $rule.Priority `
    -Access $rule.Access `
    -Protocol $rule.Protocol `
    -SourceAddressPrefix $rule.SourceAddressPrefix `
    -SourcePortRange $rule.SourcePortRange `
    -DestinationAddressPrefix $rule.DestinationAddressPrefix `
    -DestinationPortRange $rule.DestinationPortRange

    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

Note: Always validate changes through the Azure portal, CLI, or PowerShell to ensure that unrestricted access is effectively removed and that intended functionality remains intact.
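One way to perform the validation the note calls for, as an added example that is not part of this page: the script parses the JSON that `az network nsg rule list --resource-group {{resource-group-name}} --nsg-name {{nsg-name}} -o json` returns (the camelCase field names are assumed from that output; the embedded rule list is constructed) and reports inbound Allow rules that still accept traffic from any source.

```python
import json

# Source values that mean "any address on the Internet" in an NSG rule
# (compared case-insensitively; "Internet" is the Azure service tag).
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet", "any"}

# Constructed sample shaped like `az network nsg rule list -o json` output.
# Only the fields this check needs are included; names and prefixes are made up.
SAMPLE_RULES_JSON = """
[
  {"name": "allow-ssh-any", "direction": "Inbound", "access": "Allow",
   "priority": 100, "protocol": "Tcp", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": "22",
   "destinationPortRanges": []},
  {"name": "allow-rdp-office", "direction": "Inbound", "access": "Allow",
   "priority": 110, "protocol": "Tcp", "sourceAddressPrefix": null,
   "sourceAddressPrefixes": ["203.0.113.0/24", "198.51.100.7/32"],
   "destinationPortRange": "3389", "destinationPortRanges": []},
  {"name": "deny-all-in", "direction": "Inbound", "access": "Deny",
   "priority": 4000, "protocol": "*", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": "*",
   "destinationPortRanges": []}
]
"""

def source_prefixes(rule):
    """Collect source prefixes from both the singular and the plural field."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes

def destination_ports(rule):
    """Render the destination port(s) of a rule as one string for reporting."""
    return rule.get("destinationPortRange") or ",".join(rule.get("destinationPortRanges") or [])

def find_open_inbound_rules(rules):
    """Return (name, ports) for inbound Allow rules reachable from any source."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue  # Deny rules and outbound rules are not the concern here
        if any(p.lower() in OPEN_SOURCES for p in source_prefixes(rule)):
            findings.append((rule["name"], destination_ports(rule)))
    return findings

def check_nsg_rules(rules_json):
    """Parse the CLI's JSON output and run the open-source-prefix check."""
    return find_open_inbound_rules(json.loads(rules_json))

if __name__ == "__main__":
    for name, ports in check_nsg_rules(SAMPLE_RULES_JSON):
        print(f"still open to any source: {name} (ports {ports})")
```

Run it against the real CLI output after applying the remediation; an empty result means no inbound Allow rule is still open to every source.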