During VM creation, why is the RDP open to Internet rule bypassing NSG policy to deny inbound rule for 3389 for Source Addresses outside of our whitelist?

NN 0

3389 is successfully blocked by policy on an NSG when a user tries to create an inbound allow rule outside of our whitelist of sourceAddressPrefix for 3389, or any range that includes it (including '*'). The problem is when deploying a VM, if the RDP option is checked, Azure goes ahead and creates an any any inbound allow rule for 3389. How do I go about denying the VM creation when a user tries to apply this rule? The current policy applies to: "field": "type","in": ["Microsoft.Network/networkSecurityGroups/securityRules","Microsoft.Compute/virtualMachines"]

v-vvellanki-MSFT 4,370 Reputation points Microsoft Vendor

2024-01-24T04:17:30.4966667+00:00

Hi @NN , Thanks for contacting Microsoft Q&A platform.
To enforce a policy that prevents the creation of an "any any" inbound allow rule for RDP (3389) when deploying a VM in Azure, you can use Azure Policy in combination with the Microsoft.Network/networkSecurityGroups/securityRules and Microsoft.Compute/virtualMachines resource types. You need to create a custom Azure Policy definition to deny the creation of a security rule that allows traffic on port 3389 with a source address prefix of 'Any'.

Hope this helps you.

Share via

During VM creation, why is the RDP open to Internet rule bypassing NSG policy to deny inbound rule for 3389 for Source Addresses outside of our whitelist?