NSG Misconfigurations
Description
Network Security Groups (NSGs) with overly permissive inbound rules (e.g., Any/*, 0.0.0.0/0, Internet) expose services to the internet and bypass intended segmentation. Overly permissive outbound rules enable exfiltration. Because NSG rules are evaluated in ascending priority order and the first match wins, misordered priorities (a broad Allow with a lower priority number than a narrower Deny) or duplicate rules can unintentionally allow traffic.
Examples
List Wide Rules
az network nsg list --query "[].{name:name,rules:securityRules[?access=='Allow' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='0.0.0.0/0')]}"
az network nsg rule list -g <rg> --nsg-name <nsg> -o table
az network watcher test-ip-flow -g <rg> --vm <vm-name> --direction Inbound --protocol TCP --local <target-ip>:3389 --remote 1.2.3.4:60000
Remediation
- Restrict inbound to required sources; prefer service endpoints/private endpoints.
- Use Azure Firewall or NVA for additional filtering; consider Verified Access or Azure Bastion for admin access.
- Periodically audit NSGs and enforce via Azure Policy; document intended rules and priorities; restrict egress to required destinations.