Security Group should restrict HTTP(S) access from the internet


Description

Network security groups (NSGs) should be assessed regularly for port misconfigurations. Specifically, ports and protocols that are reachable from the internet should be reviewed and restricted unless they are explicitly necessary and properly configured. An inbound rule that allows HTTP(S) from any source lets attackers reach the attached resources directly, and a compromised host can then become a pivot to other resources within the Azure tenant.

Remediation

If HTTP(S) is not explicitly required and narrowly configured for the resources attached to the Network Security Group, internet-level access to your Azure resources should be restricted or eliminated.

To reconfigure HTTP(S) access in an Azure Network Security Group, follow these steps:

  1. Log in to the Azure portal at https://portal.azure.com and navigate to the Network Security Group attached to the virtual machine NIC(s) or subnet you want to modify.

  2. In the Network Security Group settings, open the Inbound security rules section.

  3. Look for the rule that allows HTTP(S) access from the internet: an inbound Allow rule whose destination port range covers 80 or 443 and whose source is set to “Any” (shown as “*” in the CLI and API), the “Internet” service tag, or “0.0.0.0/0” (or “::/0” for IPv6).

  4. Edit the rule and update the source to a narrower range or to the specific IP address(es) that are allowed to initiate HTTP(S) connections. Alternatively, remove the rule altogether if HTTP(S) access is not required from the internet.

  5. Save the changes to the Network Security Group.
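The same check and fix can be scripted rather than clicked through. The following is an added example, not code from the original page or from Datadog: it audits the JSON that `az network nsg rule list --resource-group <rg> --nsg-name <nsg> -o json` returns, flags inbound Allow rules that expose port 80 or 443 to the internet (step 3 above), and prints the `az network nsg rule update` / `delete` command that narrows or removes each one (step 4). The rule set is constructed sample data in the shape of that CLI output, and the resource group and NSG names (`rg-web`, `nsg-web`) and the allowed office range `203.0.113.0/24` are assumptions.

```python
"""Audit Azure NSG rules (as dumped by `az network nsg rule list -o json`)
for inbound rules that allow HTTP(S) from the internet, and emit the
`az network nsg rule update/delete` commands that remediate them.
Added example; not part of the original page."""
import ipaddress
import json

HTTP_PORTS = (80, 443)
# Values Azure uses to mean "anywhere": the `*` wildcard (shown as "Any" in
# the portal), the Internet service tag, and the all-zero IPv4/IPv6 CIDRs.
INTERNET_LITERALS = {"*", "any", "internet", "0.0.0.0/0", "::/0"}


def is_internet_source(prefix):
    """True if a source prefix means 'anywhere on the internet'."""
    if prefix.strip().lower() in INTERNET_LITERALS:
        return True
    try:
        # Any other /0 prefix is equally wide open.
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        # Service tags (VirtualNetwork, AzureLoadBalancer, ...) and ASG names.
        return False


def port_spec_covers(spec, ports):
    """True if an NSG port spec ('443', '80-8080' or '*') includes any of `ports`."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in ports)


def _values(rule, single_key, list_key):
    """Merge the singular and plural forms a rule may carry, dropping empties."""
    return [v for v in [rule.get(single_key), *(rule.get(list_key) or [])] if v]


def exposes_http(rule):
    """Inbound Allow, TCP (or any protocol), from the internet, reaching 80 or 443."""
    return (
        rule.get("direction", "").lower() == "inbound"
        and rule.get("access", "").lower() == "allow"
        and rule.get("protocol", "").lower() in ("tcp", "*")
        and any(is_internet_source(s)
                for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
        and any(port_spec_covers(p, HTTP_PORTS)
                for p in _values(rule, "destinationPortRange", "destinationPortRanges"))
    )


def find_exposed_http_rules(rules):
    """Flagged rules in evaluation order (lowest priority number first).
    Caveat: a lower-numbered Deny that shadows an Allow is not modelled."""
    return sorted((r for r in rules if exposes_http(r)), key=lambda r: r["priority"])


def remediation_command(rule, resource_group, nsg_name, allowed_prefixes=()):
    """Step 4 of the procedure as a CLI command: narrow the source, or delete the rule."""
    common = f"--resource-group {resource_group} --nsg-name {nsg_name} --name {rule['name']}"
    if allowed_prefixes:
        return f"az network nsg rule update {common} --source-address-prefixes {' '.join(allowed_prefixes)}"
    return f"az network nsg rule delete {common}"


# Constructed sample in the shape of `az network nsg rule list` output (not real data).
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https-internet", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
  "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "allow-web-any", "priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": null, "destinationPortRanges": ["80", "8080-8443"]},
 {"name": "allow-https-office", "priority": 120, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
  "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "allow-ssh-internet", "priority": 130, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "sourceAddressPrefixes": [],
  "destinationPortRange": "22", "destinationPortRanges": []},
 {"name": "allow-all-tcp", "priority": 140, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": null, "sourceAddressPrefixes": ["10.0.0.0/8", "::/0"],
  "destinationPortRange": "*", "destinationPortRanges": []},
 {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "*", "destinationPortRanges": []},
 {"name": "allow-https-out", "priority": 100, "direction": "Outbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "443", "destinationPortRanges": []}
]""")

if __name__ == "__main__":
    for r in find_exposed_http_rules(SAMPLE_RULES):
        print(f"[{r['priority']}] {r['name']}: HTTP(S) open to the internet")
        print("  fix:", remediation_command(r, "rg-web", "nsg-web", ["203.0.113.0/24"]))
```

Against the sample, the SSH rule is out of scope for this check, the office rule already has a narrow source, and the outbound and Deny rules are ignored; only the three rules that allow TCP 80/443 from an internet-wide source are reported. Note that a wildcard-port rule such as `allow-all-tcp` is caught because `*` covers 80 and 443 even though the rule never names them, and that the script flags by rule content only: it does not evaluate whether a higher-priority Deny already blocks the traffic, so review the reported rules in priority order before applying the generated commands.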

For internal access to the relevant resources, consider a private or encrypted path into the virtual network instead of an internet-facing rule, using one of the following options:

  1. ExpressRoute: To establish a private connection between your on-premises network and Azure, you can use ExpressRoute. This provides a dedicated, reliable connection that does not traverse the public internet, with better network performance. Note that ExpressRoute traffic is private but not encrypted by default; if encryption is required, run a site-to-site VPN (IPsec) over the ExpressRoute connection or use MACsec on ExpressRoute Direct. Read about ExpressRoute to learn more.

  2. Site-to-site VPN: You can set up a site-to-site VPN to connect your on-premises network to Azure. This creates an IPsec-encrypted tunnel over the internet, allowing you to reach Azure resources as if they were on the same network, without exposing them through an inbound NSG rule. For more information, read create a site-to-site VPN.

  3. Point-to-site VPN: This option enables encrypted connections between individual devices and Azure resources. Point-to-site VPN allows remote clients to connect to the virtual network over the internet through the VPN gateway, so administrative access does not need an internet-open rule. To learn more, read configuring a point-to-site VPN.