Hey everyone! I'm diving into Azure Network Security Groups (NSGs) and I've got some questions about setting rules properly. Is it a no-go to use 'Any' protocol in inbound rules for specific ports? Also, why do we sometimes see rules like '65001 AllowinternetOutbound Any Any Any Destination="Internet"'? That seems a bit risky to me. I'd love to hear your thoughts and any real-life examples you might have. Thanks!
4 Answers
Allowing 'Any' protocol is generally a bad idea. The principle of least privilege suggests that rules should be specific to grant just enough access for what’s necessary. While it's tempting to keep things simple, balancing security with convenience is tricky. Many organizations end up using more permissive rules for outbound traffic, which can lead to vulnerabilities.
In our experience, each subnet typically has its own NSG. By default, outbound rules are open, while inbound rules tend to be more controlled. This setup allows internal communication while still providing room to implement stricter security if needed. It's all about tailoring it to your organization’s specific needs.
Definitely avoid using 'Any' when you can. Good practice is all about being explicit with rules while not making management overly difficult. It's important to have a clear security strategy in place.
I’m dealing with this too, especially in a large environment. My focus has been on port restrictions for inbound traffic by creating individual NSGs per subnet, and then routing outbound through a load balancer to firewalls. For now, I’ve had to allow 'Any' for outbound, but it's certainly on my agenda to tighten those rules later on.
I totally get that! Outbound rules can get complicated because not all apps document their necessary outgoing ports. Keeping an eye on outgoing traffic and adjusting NSGs accordingly can really help.
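As an added example (not code from any of the posters), a small Python audit that flags the patterns the answers warn about: an Allow rule with 'Any' protocol on a specific port, inbound Allow from anywhere on every port, and the 65001-style unrestricted outbound-to-Internet rule. The rule dictionaries use the field names found in `az network nsg rule list` output; the sample rules themselves are constructed.

```python
"""Audit Azure NSG rules for the permissive patterns discussed in the thread."""
from typing import Dict, List

WIDE_SOURCES = {"*", "Internet"}


def audit_rule(rule: Dict[str, str]) -> List[str]:
    """Return the findings for one rule (empty list means nothing to report)."""
    findings: List[str] = []
    if rule.get("access") != "Allow":
        return findings  # Deny rules are never "too permissive"
    proto = rule.get("protocol", "*")
    dport = rule.get("destinationPortRange", "*")
    src = rule.get("sourceAddressPrefix", "*")
    dst = rule.get("destinationAddressPrefix", "*")
    direction = rule.get("direction")
    # 1. 'Any' protocol on a specific port opens it for TCP, UDP and ICMP alike;
    #    least privilege says name the protocol the service actually uses.
    if proto == "*" and dport != "*":
        findings.append("any-protocol-on-specific-port")
    # 2. Inbound Allow from the Internet (or anywhere) on every port.
    if direction == "Inbound" and src in WIDE_SOURCES and dport == "*":
        findings.append("wide-open-inbound")
    # 3. Outbound Allow to Internet on any protocol/port (the 65001 default).
    #    Default rules cannot be deleted, but a custom Deny rule with a lower
    #    priority number overrides them, which is how the rule gets tightened.
    if direction == "Outbound" and dst == "Internet" and proto == "*" and dport == "*":
        findings.append("unrestricted-internet-outbound")
    return findings


def audit_nsg(rules: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map rule name -> findings, in priority order, skipping clean rules."""
    report: Dict[str, List[str]] = {}
    for rule in sorted(rules, key=lambda r: int(r["priority"])):
        found = audit_rule(rule)
        if found:
            report[rule["name"]] = found
    return report


# Constructed sample rule set (field names follow `az network nsg rule list`).
SAMPLE_RULES = [
    {"name": "AllowHttpsInbound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*",
     "sourcePortRange": "*", "destinationPortRange": "443"},
    {"name": "AllowRdpAnyProto", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "10.0.0.0/8", "destinationAddressPrefix": "*",
     "sourcePortRange": "*", "destinationPortRange": "3389"},
    {"name": "AllowAllInbound", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "sourcePortRange": "*", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "Internet",
     "sourcePortRange": "*", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "sourcePortRange": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, findings in audit_nsg(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(findings)}")
```

Feeding it the JSON from `az network nsg rule list --include-default` gives the same checks against a real NSG.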