Verify that HTTP(S) access from the Internet is evaluated and restricted
Why this matters
Inbound access to ports 80 (HTTP) and 443 (HTTPS) from the Internet significantly increases attack surface. Misconfigured NSG rules exposing these ports may allow brute-force, scanning, or exploitation attempts. Restricting these ports to known IPs or internal networks helps prevent unauthorized access and lateral movement within the Azure environment.
What this check does
This Auto Check verifies that no inbound NSG rules allow unrestricted public access to TCP ports 80 or 443 from the Internet.
Check Logic:
IF any NSG rule EXISTS where:
    direction = Inbound
    AND access = Allow
    AND protocol = TCP
    AND destinationPortRange = 80, 443, *, or includes 80/443 in a range
    AND sourceAddressPrefix = *, 0.0.0.0/0, /0, Internet, or Any
THEN FAIL
ELSE PASS
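The check logic above, implemented in Python as an added example (not code from the original check or from Azure). It reads the JSON shape emitted by `az network nsg rule list -o json` over a constructed sample, evaluates port ranges and the `*` wildcard numerically rather than by substring (so `8080` does not count as port 80), and also inspects the `destinationPortRanges` and `sourceAddressPrefixes` list forms of each property.

```python
import json

# Source prefixes the check logic treats as "the Internet".
INTERNET_SOURCES = {"*", "0.0.0.0/0", "/0", "internet", "any"}
WEB_PORTS = (80, 443)

def port_spec_hits(spec, ports=WEB_PORTS):
    """True if an NSG port spec ('80', '*', '1-1024') covers any of ports; '8080' does not match 80."""
    spec = spec.strip()
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    lo_n, hi_n = int(lo), int(hi or lo)
    return any(lo_n <= p <= hi_n for p in ports)

def _values(rule, single, plural):
    """Collect both the scalar and the list form of an NSG rule property."""
    out = [str(rule[single])] if rule.get(single) else []
    out.extend(str(v) for v in (rule.get(plural) or []))
    return out

def rule_exposes_web_ports(rule):
    """Apply the check logic to one rule dict as emitted by `az network nsg rule list -o json`."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    # TCP or Any ('*'), as the portal remediation steps describe.
    if (rule.get("protocol") or "").upper() not in ("TCP", "*"):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(port_spec_hits(p) for p in ports) and any(s.lower() in INTERNET_SOURCES for s in sources)

def evaluate(rules_json):
    """Return the check verdict plus the names of the offending rules."""
    failing = [r["name"] for r in json.loads(rules_json) if rule_exposes_web_ports(r)]
    return {"result": "FAIL" if failing else "PASS", "failing_rules": failing}

# Constructed sample shaped like `az network nsg rule list -o json` output (not real data).
SAMPLE_RULES = json.dumps([
    {"name": "allow-web-internet", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "80", "destinationPortRanges": [], "sourceAddressPrefix": "Internet"},
    {"name": "allow-range-any", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "destinationPortRange": "1-1024", "destinationPortRanges": [], "sourceAddressPrefix": "*"},
    {"name": "allow-web-corp", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": None, "destinationPortRanges": ["80", "443"],
     "sourceAddressPrefix": "203.0.113.0/24"},
    {"name": "deny-web-internet", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "destinationPortRange": "443", "destinationPortRanges": [], "sourceAddressPrefix": "Internet"},
])
```

Running `evaluate(SAMPLE_RULES)` reports FAIL for the two rules reachable from the Internet, while the rule scoped to a corporate prefix and the Deny rule are ignored.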
How to fix it
Remediate via Azure Portal
- Go to Virtual machines
- For each VM, open the Networking blade
- Under Inbound port rules, identify any rule with:
  - Port = 80 or 443, or a port range that includes 80/443
  - Protocol = TCP or Any
  - Source = Any, 0.0.0.0/0, or Internet
  - Action = Allow
- Delete or restrict these rules to known IP ranges
Remediate via Azure CLI
List all NSGs:
    az network nsg list --subscription <subscription-id> --output table
For each NSG, list inbound Allow rules whose destination port is *, or mentions 80 or 443:
    az network nsg rule list --resource-group <resource-group> --nsg-name <nsg-name> --output table --query "[?direction=='Inbound' && access=='Allow' && (destinationPortRange=='*' || contains(to_string(destinationPortRange), '80') || contains(to_string(destinationPortRange), '443'))]"
Note that contains() is a substring match (it also returns 8080, for example) and the query inspects only destinationPortRange, not the destinationPortRanges list or the source prefix, so compare each returned rule against the check logic before removing it.
Delete the exposed rule:
    az network nsg rule delete --resource-group <resource-group> --nsg-name <nsg-name> --name <rule-name>
Exceptions
None. HTTP(S) from the Internet must always be evaluated and explicitly restricted.
Further resources
- https://docs.microsoft.com/en-us/azure/expressroute/
- https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
- https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries