Ensure that MSQL (TCP:4333) is restricted from the Internet

Disable MSQL (TCP:4333) access on network security groups from the Internet.

Risk Level: High
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.41
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

NetworkSecurityGroup should not have inboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=4333 and destinationPortTo>=4333 ] and protocol in('TCP', 'All') and action='ALLOW' and sourceAddressPrefixes contain [ '0.0.0.0/0' ] ]

REMEDIATION

From Portal

  1. Navigate to the 'All services'.
  2. Navigate to the Networking, and select 'Network security groups'.
  3. Select the Network security group to be modified.
  4. Under Settings, select 'Inbound security rules'.
  5. Select the rule to be modified and edit it to allow only specific IP addresses or protocols.

From TF
Make sure the below security rule doesn't exists in azurerm_network_security_group

resource "azurerm_network_security_group" "test" {
	security_rule {
		-  destination_port_ranges= ["4333",]
		-  protocol = "Tcp"
		-  access = "Allow"
		-  source_port_range = "*"
	}
}

From Command Line
Use the below command to update exisiting Security rule to to allow only specific IP addresses
Run

az network nsg rule update --name Name --nsg-name NETWORKSECURITYGROUP --resource-group RESOURCEGROUP --source-address-prefixes IPADDRESS

References

  1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group
  3. https://learn.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update

Network security group

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset