My client has asked me in our workshop:
What are the default security settings for an Azure VNet?
On an Azure VNet you cannot initially apply things like a Network Security Group, only things like allowed services (via Service endpoints or Private endpoints). So there are no default security settings except those that Microsoft itself always applies (e.g. DDoS Protection).
However, each VNet consists of at least one subnet. Network Security Groups (NSGs) can (and should) then be applied at the subnet level.
Whats a Network Security Group?
An NSG contains security rules in the form of a 5-tuple ACL.
So you define source IP (or IP range), destination IP (or IP range), source port, destination port and protocol (TCP or UPD). Furthermore you define the action – Allow or Deny.
The order is determined by priority. Higher priority (lower number) means that the rule will beat a rule with lower priority.
What are the default rules?
For outgoing connections you’ll find these rules:
- Allow any outgoing connections to other resources in the same VNet
- Allow any outgoing connections to the Internet
- Everything else outgoing? Deny
For incoming connections you’ll find these rules:
- Allow any incoming connections from other resources in the same VNet
- Allow any connections from Azure Load Balancer probes
- Everything else incoming? Deny
“Unwritten rule” – Port 25
Port 25 (used for sending Emails over SMTP) is blocked by default if you’re not on an EA contract or your agreement was made after November 2017. If you want to send Mails from your VMs over Port 25, you’ll have to open a support case at Microsoft.
Why does this rule exist? I think that Microsoft wants to prevent spambots from running in Azure on a large scale and messing up the entire IP address space.
Should I adjust these default rules?
It depends (of course). For example, if you don’t want your resources in this VNet to communicate directly with the Internet, you have to adapt this rule.
Very often a rule is also set up that opens the RDP port for Windows or SSH for Linux. For this you should rather use modern methods like Azure Bastion or Just-in-time Access.