Ensure that MSQL (TCP:4333) is restricted from the Internet
Disable MSQL (TCP:4333) access on network security groups from the Internet.
Risk Level: High
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.41
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkSecurityGroup should not have inboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=4333 and destinationPortTo>=4333 ] and protocol in('TCP', 'All') and action='ALLOW' and sourceAddressPrefixes contain [ '0.0.0.0/0' ] ]
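The GSL logic above, re-expressed as a check over NSG JSON; this is an added example, not CloudGuard's own code. It assumes the field names of the `az network nsg show -o json` output (`securityRules`, `destinationPortRange(s)`, `sourceAddressPrefix(es)`), uses a constructed sample NSG, and goes slightly beyond the GSL line by treating `*` and the `Internet` service tag as "any source" as well as `0.0.0.0/0`.

```python
# Constructed sample shaped like `az network nsg show -o json` (trimmed fields).
SAMPLE_NSG = {"name": "nsg-example", "securityRules": [
    {"name": "allow-msql-any", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "4333",
     "sourceAddressPrefix": "0.0.0.0/0"},
    {"name": "allow-db-range-office", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "4000-4400",
     "sourceAddressPrefixes": ["203.0.113.0/24"]},
    {"name": "allow-db-range-any", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRanges": ["22", "4000-4400"],
     "sourceAddressPrefix": "*"},
    {"name": "deny-msql", "direction": "Inbound", "access": "Deny",
     "protocol": "*", "destinationPortRange": "4333",
     "sourceAddressPrefix": "*"},
]}

MSQL_PORT = 4333
# The GSL logic names only 0.0.0.0/0; treating the wildcard and the Internet
# service tag as equivalent "any source" values is an assumption made here.
ANY_SOURCE = {"0.0.0.0/0", "*", "Internet"}


def port_spec_covers(spec: str, port: int) -> bool:
    """True if one NSG port spec ('*', '4333' or '4000-4400') includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _values(rule: dict, single: str, plural: str) -> list:
    """A rule carries either the scalar field or its plural list form."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def exposed_msql_rules(nsg: dict) -> list:
    """Names of Allow rules for TCP 4333 inbound from any source.
    Priority ordering is not evaluated, matching the GSL logic above."""
    hits = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if (rule.get("protocol") or "").lower() not in ("tcp", "*"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        srcs = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(port_spec_covers(p, MSQL_PORT) for p in ports) and ANY_SOURCE & set(srcs):
            hits.append(rule["name"])
    return hits
```

Note that a port range such as 4000-4400 is flagged because it covers 4333, while a rule restricted to a specific prefix or set to Deny is not.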
REMEDIATION
From Portal
- Navigate to 'All services'.
- Navigate to Networking and select 'Network security groups'.
- Select the Network security group to be modified.
- Under Settings, select 'Inbound security rules'.
- Select the rule to be modified and edit it to allow only specific IP addresses or protocols.
From TF
Make sure a security rule like the one below does not exist in azurerm_network_security_group:
resource "azurerm_network_security_group" "test" {
  name                = "NSG_NAME"         # placeholder values
  location            = "LOCATION"
  resource_group_name = "RESOURCEGROUP"
  security_rule {
    name                       = "allow-msql"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    source_address_prefix      = "0.0.0.0/0"  # any source, i.e. the Internet
    destination_port_ranges    = ["4333"]
    destination_address_prefix = "*"
  }
}
From Command Line
Use the below command to update an existing security rule so that it allows only specific IP addresses:
Run
az network nsg rule update --name Name --nsg-name NETWORKSECURITYGROUP --resource-group RESOURCEGROUP --source-address-prefixes IPADDRESS
References
- https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group
- https://learn.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update
Network security group
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
Compliance Frameworks
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset