During VM creation, why is the RDP open to Internet rule bypassing NSG policy to deny inbound rule for 3389 for Source Addresses outside of our whitelist?
NN
3389 is successfully blocked by policy on an NSG when a user tries to create an inbound allow rule outside of our whitelist of sourceAddressPrefix for 3389, or any range that includes it (including '*'). The problem is when deploying a VM, if the RDP option is checked, Azure goes ahead and creates an any-any inbound allow rule for 3389. How do I go about denying the VM creation when a user tries to apply this rule? The current policy applies to: "field": "type", "in": ["Microsoft.Network/networkSecurityGroups/securityRules", "Microsoft.Compute/virtualMachines"]
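The reason the existing policy does not fire during VM creation is worth spelling out. When the portal's "RDP (3389)" inbound-port option is checked, the wizard does not create a separate Microsoft.Network/networkSecurityGroups/securityRules child resource; it deploys a new Microsoft.Network/networkSecurityGroups resource with the allow rule embedded inline under properties.securityRules. A policy whose type condition only lists the securityRules child type is therefore never evaluated against that deployment (and listing Microsoft.Compute/virtualMachines does nothing here either, since the VM resource carries no NSG rules). The fix is a second deny policy that targets the parent NSG type and walks its inline rule array with a count expression. The definition below is an added example, not the original poster's policy; the parameter name allowedSourcePrefixes and its default value are assumptions, and the "like": "*-*" clauses are a deliberately conservative choice that denies any dashed port range (Azure Policy cannot compare numeric ranges, so a range that might contain 3389 is treated as containing it).

```json
{
  "properties": {
    "displayName": "Deny NSGs whose inline rules allow inbound 3389 from non-whitelisted sources",
    "description": "Added example. Companion to a policy on the securityRules child type; covers NSGs deployed with rules inline (e.g. the VM creation wizard). Parameter name and default are assumptions.",
    "mode": "All",
    "parameters": {
      "allowedSourcePrefixes": {
        "type": "Array",
        "metadata": { "displayName": "Source address prefixes permitted to reach TCP 3389 (assumed values)" },
        "defaultValue": [ "10.0.0.0/8" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": {
                "allOf": [
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                  {
                    "anyOf": [
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "in": [ "3389", "*" ] },
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "like": "*-*" },
                      {
                        "count": {
                          "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
                          "where": {
                            "anyOf": [
                              { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", "in": [ "3389", "*" ] },
                              { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", "like": "*-*" }
                            ]
                          }
                        },
                        "greater": 0
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "allOf": [
                          { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "exists": "true" },
                          { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "notIn": "[parameters('allowedSourcePrefixes')]" }
                        ]
                      },
                      {
                        "count": {
                          "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                          "where": {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                            "notIn": "[parameters('allowedSourcePrefixes')]"
                          }
                        },
                        "greater": 0
                      }
                    ]
                  }
                ]
              }
            },
            "greater": 0
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigned at the same scope as the existing securityRules policy, this denies the whole NSG PUT that the VM wizard issues, so the deployment fails at validation with a policy error rather than leaving the VM without its NSG. Two points to check when testing in a sandbox subscription: the wizard's rule uses sourceAddressPrefix "*", which the notIn clause rejects because the whitelist comparison is a plain string match (service tags such as "Internet" are rejected the same way); and the exists check on sourceAddressPrefix is there so that a rule written with the sourceAddressPrefixes array is not flagged merely because the singular property is absent. Deny only applies to new or updated NSGs; NSGs that already contain such a rule show up as non-compliant in the assignment's compliance view instead.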