🛡️ Azure VM Scale Set Instance allows public UDP access🟢

• Contextual name: 🛡️ Instance allows public UDP access🟢
• ID: /ce/ca/azure/vm-scale-set/instance-allows-unrestricted-udp-traffic
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure VM Scale Set Instance
  • 🔌 Azure Network Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Rationale

The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.

Audit

This policy flagged an Azure VM Scale Set Instance as INCOMPLIANT if it is associated with a Network Interface that is connected to an NSG containing at least one Inbound Security Rule that meets all of the following conditions:

• Direction is Inbound.
• Access is Allow.

... see more

Remediation

Open File

Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

• If the rule is not required: Remove the rule entirely.

• If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI

1. Delete the rule:

   az network nsg rule delete \
     --resource-group {{resource-group-name}} \
     --nsg-name {{nsg-name}} \
     --name {{rule-name}}

2. Restrict the rule:

   az network nsg rule update \
       --resource-group {{resource-group-name}} \
       --nsg-name {{nsg-name}} \
       --name {{rule-name}} \
       --source-address-prefixes {{trusted-cidr}} 

   Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Public and Anonymous Access			101		no data