Verify that HTTP(S) access from the Internet is evaluated and restricted

Framework Reference: A.8.23 Integration: Azure – Network Security Groups (NSGs)

Why this matters
Inbound access to ports 80 (HTTP) and 443 (HTTPS) from the Internet significantly increases attack surface. Misconfigured NSG rules exposing these ports may allow brute-force, scanning, or exploitation attempts. Restricting these ports to known IPs or internal networks helps prevent unauthorized access and lateral movement within the Azure environment.


What this check does
This Auto Check verifies that no inbound NSG rules allow unrestricted public access to TCP ports 80 or 443 from the Internet.

Check Logic:
IF any NSG rule EXISTS where:
    direction = Inbound
    AND access = Allow
    AND protocol = TCP
    AND destinationPortRange = 80, 443, *, or a range that includes 80 or 443
    AND sourceAddressPrefix = *, 0.0.0.0/0, /0, Internet, or Any
THEN FAIL
ELSE PASS
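The check logic above, implemented as an added example (not the Auto Check's own code) over the JSON shape that `az network nsg rule list -o json` returns; the rule objects are constructed for illustration. It handles the singular and plural port/source fields and numeric port ranges, and treats any /0 CIDR as Internet:

```python
import ipaddress
EXPOSED_PORTS = {80, 443}
OPEN_SOURCES = {"*", "0.0.0.0/0", "/0", "internet", "any"}

def port_range_hits(spec, wanted=EXPOSED_PORTS):
    """True if an NSG port spec ('443', '70-100', '*') covers any wanted port."""
    spec = (spec or "").strip()
    if not spec.replace("-", "").isdigit():  # "*" (or an empty/odd value)
        return spec == "*"
    lo, _, hi = spec.partition("-")
    low, high = int(lo), int(hi or lo)
    return any(low <= p <= high for p in wanted)

def source_is_internet(prefix):
    """True for the wildcard/Internet spellings named in the check, or any /0 CIDR."""
    p = (prefix or "").strip().lower()
    if p in OPEN_SOURCES:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:  # service tags such as VirtualNetwork are not CIDRs
        return False

def rule_is_exposed(rule):
    """Apply the check logic to one rule as returned by `az network nsg rule list`."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if (rule.get("protocol") or "*").lower() not in ("tcp", "*"):
        return False
    # Azure puts a single value in the singular field and a list in the plural one.
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
    return any(port_range_hits(p) for p in ports) and any(source_is_internet(s) for s in sources)

def evaluate_nsg(rules):
    """Return the names of failing rules; an empty list means PASS."""
    return [r["name"] for r in rules if rule_is_exposed(r)]

# Constructed sample shaped like `az network nsg rule list -o json` (not real data).
SAMPLE_RULES = [
    {"name": "allow-https-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "443", "sourceAddressPrefix": "*"},
    {"name": "allow-web-office", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRanges": ["80", "443"], "sourceAddressPrefixes": ["203.0.113.0/24"]},
    {"name": "allow-range-internet", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "destinationPortRange": "70-100", "sourceAddressPrefix": "Internet"},
    {"name": "allow-8080-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "8080", "sourceAddressPrefix": "0.0.0.0/0"},
]
```

Calling `evaluate_nsg(SAMPLE_RULES)` reports `allow-https-any` and `allow-range-internet` (the 70-100 range covers port 80), while the office-restricted rule and the 8080 rule pass.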


How to fix it

Remediate via Azure Portal

  1. Go to Virtual machines
  2. For each VM, open the Networking blade
  3. Under Inbound port rules, identify any rule with:
     - Port = 80 or 443, or a port range that includes 80/443
     - Protocol = TCP or Any
     - Source = Any, 0.0.0.0/0, or Internet
     - Action = Allow
  4. Delete or restrict these rules to known IP ranges

Remediate via Azure CLI

List all NSGs:
az network nsg list --subscription <subscription-id> --output table

For each NSG, list inbound Allow rules that expose port 80 or 443 to the Internet. The query uses exact matches because a contains() substring match would also report unrelated ports such as 8080; rules that use the list fields (destinationPortRanges, sourceAddressPrefixes) or a numeric port range such as 70-100 are not matched by this query, so review them in the full listing:
az network nsg rule list --resource-group <resource-group> --nsg-name <nsg-name> --output table --query "[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='0.0.0.0/0' || sourceAddressPrefix=='Internet') && (destinationPortRange=='*' || destinationPortRange=='80' || destinationPortRange=='443')]"

Delete the exposed rule:
az network nsg rule delete --resource-group <resource-group> --nsg-name <nsg-name> --name <rule-name>


Exceptions
None. HTTP(S) from the Internet must always be evaluated and explicitly restricted.

