I'm diving into the world of Azure Network Security Groups (NSGs) and I've got a couple of questions. First off, is it ever considered safe to allow the 'Any' protocol for specific ports in inbound rules? And secondly, I'm a bit perplexed about the necessity of having a rule like 65001 that allows outbound traffic to the internet with 'Any' protocol and destination. This seems kind of risky to me. I'd love to hear your thoughts or any examples from your experience! Thanks!
4 Answers
I'm currently facing this issue too! In a large global setup like mine, I focus mainly on restricting the inbound traffic per subnet while allowing outbound traffic to pass through a load balancer into Palo firewalls. I know that in the future I need to tighten outbound rules, but for now, we have it set to 'Any'.
In short, no. Good security practices dictate that you should be explicit in your rules without making things overly complicated.
It's generally seen as bad practice to use 'Any'. The principle of least privilege suggests that you should only allow the exact access a resource needs, nothing more. However, many organizations struggle with this because it can create extra workload to implement properly. That's why you'll often find outbound NSGs configured with 'any-any', balancing between convenience and security.
Typically, each subnet in our environment has its own NSG. By default, we allow outbound traffic while being a bit more restrictive on incoming rules, unless a security review suggests otherwise. This way, we keep that foundational security while allowing internal communication freely. But as always, it should adapt to the organization's needs. If you have hub firewalls, it can complicate NSG management.

Totally agree! Outbound traffic management can be a nightmare since not all application providers list all outgoing ports, plus dynamic ports add to the complexity. It helps to monitor outgoing traffic with your firewall and adjust NSGs as needed.
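As an added example (not posted by anyone in this thread), a small audit script that reads an NSG rule export and reports Allow rules that use 'Any' for protocol, port or peer address, and also checks whether the default 65001 AllowInternetOutBound rule is still reachable or has been shadowed by an explicit blanket Deny. The sample rules are constructed, and the field names are assumed to follow the JSON shape of `az network nsg show`.

```python
"""Flag NSG Allow rules that use 'Any' where an explicit value would do."""
ANY = {"*", "Any", "0.0.0.0/0"}   # values Azure treats as 'match everything'

# Constructed sample; field names assume the shape printed by
# `az network nsg show -o json` (an assumption, not taken from the thread).
SAMPLE_NSG = {
    "securityRules": [
        {"name": "allow-https-in", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationAddressPrefix": "10.0.1.0/24", "destinationPortRange": "443"},
        {"name": "allow-any-3389-in", "priority": 110, "direction": "Inbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    ],
    "defaultSecurityRules": [   # the built-in rule the question asks about
        {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    ],
}

def broad_fields(rule):
    """Names of the fields in `rule` set to 'Any' (peer address is direction-aware)."""
    peer = "sourceAddressPrefix" if rule["direction"] == "Inbound" else "destinationAddressPrefix"
    found = []
    if rule["protocol"] in ANY:
        found.append("protocol (TCP, UDP and ICMP all match)")
    if rule["destinationPortRange"] in ANY:
        found.append("destination port")
    if rule[peer] in ANY or (peer.startswith("dest") and rule[peer] == "Internet"):
        found.append(peer)
    return found

def audit(nsg):
    """Map each over-broad Allow rule's name to the fields that make it broad.
    A rule is skipped when a custom Deny in the same direction, evaluated first
    (lower priority number) and broad in every field, shadows it."""
    custom = nsg.get("securityRules", [])
    blanket_denies = [c for c in custom if c["access"] == "Deny" and len(broad_fields(c)) == 3]
    findings = {}
    for r in custom + nsg.get("defaultSecurityRules", []):
        if r["access"] != "Allow":
            continue
        if any(d["direction"] == r["direction"] and d["priority"] < r["priority"] for d in blanket_denies):
            continue   # traffic never reaches this rule
        fields = broad_fields(r)
        if fields:
            findings[r["name"]] = fields
    return findings
```

Running `audit(SAMPLE_NSG)` reports the RDP rule (protocol and source both 'Any') and the untouched 65001 default; adding an outbound Deny for everything at a custom priority makes 65001 disappear from the report.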