Verify that SSH access from the Internet is evaluated and restricted
Why this matters
SSH (port 22) is a frequent target for brute-force and credential-stuffing attacks. If unrestricted inbound access to port 22 is allowed from the Internet, attackers may gain shell access to virtual machines. From there, they could move laterally across the network or exploit other services. Restricting SSH to trusted IPs or internal networks is critical to minimizing external attack surface and maintaining secure access.
What this check does
This Auto Check verifies that no Network Security Group (NSG) rule allows unrestricted inbound access to TCP port 22 (SSH) from the Internet.
Check logic:
Passes if:
- No NSG rule allows inbound access to port 22 (or a range including 22), AND
- Source is not set to *, 0.0.0.0/0, /0, Internet, or Any
Fails if:
- Any NSG rule allows inbound TCP traffic on port 22, AND
- Source is publicly routable (e.g. *, 0.0.0.0/0, Internet)
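The check logic above, written out as an added example (not part of this page or of the Auto Check product itself). It evaluates rule objects shaped like the JSON that `az network nsg rule list -o json` returns, and goes a little further than the bullet list: it handles port ranges such as "20-25" and the wildcard "*", the plural destinationPortRanges and sourceAddressPrefixes fields, and any CIDR with a /0 prefix length. The rule set at the bottom is constructed sample data, not output from a real subscription.

```python
import ipaddress
from typing import Iterable

# Source values that this check treats as "anywhere on the Internet".
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "/0", "internet", "any"}


def port_range_includes(port_range: str, port: int) -> bool:
    """True if an NSG port range string ('22', '*', '20-25') includes the port."""
    port_range = port_range.strip()
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = port_range.split("-", 1)
        return int(low) <= port <= int(high)
    return int(port_range) == port


def rule_ports(rule: dict) -> list:
    """Collect destination ports from both the singular and the plural NSG field."""
    ports = []
    if rule.get("destinationPortRange"):
        ports.append(rule["destinationPortRange"])
    ports.extend(rule.get("destinationPortRanges") or [])
    return ports


def rule_sources(rule: dict) -> list:
    """Collect source prefixes from both the singular and the plural NSG field."""
    sources = []
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    sources.extend(rule.get("sourceAddressPrefixes") or [])
    return sources


def is_public_source(prefix: str) -> bool:
    """Wildcards, the Internet tag, and any CIDR with prefix length 0 count as public."""
    p = prefix.strip()
    if p.lower() in PUBLIC_SOURCES:
        return True
    try:
        net = ipaddress.ip_network(p, strict=False)
    except ValueError:
        return False  # other service tags (e.g. VirtualNetwork) are not the open Internet
    return net.prefixlen == 0


def exposes_ssh(rule: dict, port: int = 22) -> bool:
    """A rule fails the check if it allows inbound TCP (or Any) to the port from a public source."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if rule.get("protocol", "*") not in ("Tcp", "*"):
        return False
    if not any(port_range_includes(r, port) for r in rule_ports(rule)):
        return False
    return any(is_public_source(s) for s in rule_sources(rule))


def ssh_exposure_findings(rules: Iterable[dict]) -> list:
    """Names of the rules that would make the check fail."""
    return [r["name"] for r in rules if exposes_ssh(r)]


# Constructed sample rules in the shape of `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "22", "sourceAddressPrefix": "*"},
    {"name": "allow-mgmt-range", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRange": "20-25", "sourceAddressPrefix": "Internet"},
    {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "22", "sourceAddressPrefix": "203.0.113.0/24"},
    {"name": "allow-ssh-vnet", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRanges": ["22", "3389"], "sourceAddressPrefix": "VirtualNetwork"},
    {"name": "allow-alt-port", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "2222", "sourceAddressPrefix": "*"},
    {"name": "deny-ssh", "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "22", "sourceAddressPrefix": "0.0.0.0/0"},
    {"name": "allow-https", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "443", "sourceAddressPrefix": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name in ssh_exposure_findings(SAMPLE_RULES):
        print("FAIL:", name)
```

Like the check described on this page, the example flags every matching Allow rule without looking at priorities; a Deny rule with a lower priority number would shadow an Allow rule in practice, so a flagged rule is worth reviewing in context rather than deleting blindly. Note that "allow-alt-port" (2222) is correctly not reported, whereas a substring match on the string "22" would report it.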
How to fix it
Azure Portal:
- Go to "Virtual machines"
- For each VM, open the "Networking" blade
- Under "Inbound port rules", locate rules with:
  - Port = 22 or a range including 22
  - Protocol = TCP or Any
  - Source = Any, 0.0.0.0/0, or Internet
  - Action = Allow
- Delete the rule, or restrict it to a known IP address or private network
Azure CLI:
# List the NSGs in the subscription
az network nsg list --subscription <subscription-id> --output table
# List inbound Allow rules whose destination port range mentions 22.
# contains() is a substring match, so this also lists ports such as 220 or 2222
# and misses ranges like 20-30; review each hit before deleting anything.
az network nsg rule list \
  --resource-group <resource-group> \
  --nsg-name <nsg-name> \
  --query "[?direction=='Inbound' && access=='Allow' && contains(destinationPortRange, '22')]" \
  --output table
# Delete an offending rule
az network nsg rule delete \
  --resource-group <resource-group> \
  --nsg-name <nsg-name> \
  --name <rule-name>
PowerShell:
# Find inbound Allow rules for port 22 (or all ports) from a public source.
# DestinationPortRange and SourceAddressPrefix are lists, so -contains is used.
Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group> | Get-AzNetworkSecurityRuleConfig | Where-Object {
  $_.Direction -eq "Inbound" -and
  $_.Access -eq "Allow" -and
  ($_.DestinationPortRange -contains "22" -or $_.DestinationPortRange -contains "*") -and
  ($_.SourceAddressPrefix -contains "*" -or $_.SourceAddressPrefix -contains "0.0.0.0/0" -or $_.SourceAddressPrefix -contains "Internet")
}
# Remove the rule and write the updated NSG back; without Set-AzNetworkSecurityGroup
# the removal only changes the local object and is never applied in Azure.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group> -Name <nsg-name>
$nsg | Remove-AzNetworkSecurityRuleConfig -Name <rule-name> | Set-AzNetworkSecurityGroup
Exceptions
None. SSH must never be exposed to the open Internet without explicit justification and tight controls.
Further resources
https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries
https://docs.microsoft.com/en-us/azure/expressroute/
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal