Ensure use of NSG with Azure Virtual Machine Scale Set

MEDIUM

Description

Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice. The first step in doing so is to create a Network Security Group and apply it to the appropriate resources.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Virtual Machine Scale Sets.
  2. Select the Virtual Machine Scale Set you wish to edit.
  3. Under Settings choose Networking.
  4. Configure inbound and outbound rules as needed.

In Terraform -

  1. For each azurerm_virtual_machine_scale_set resource, create an azurerm_network_security_group resource.
  2. Set the network_profile.network_security_group_id to the ID of the network security group.
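The two Terraform steps above, shown as a complete configuration. This is an added example, not code from the policy page or the Terraform provider docs: the resource group, virtual network, subnet, image reference, SKU and the single HTTPS rule are all assumed values chosen for illustration. The point of the example is the `network_security_group_id` attribute inside `network_profile`, which associates the NSG with every NIC the scale set creates; the NSG's built-in default rules already deny inbound traffic from the Internet, so only the traffic you explicitly allow reaches the instances.

```hcl
# Added example (not the page's own code). All names, addresses and the
# image/SKU choices below are assumptions for illustration only.

resource "azurerm_resource_group" "example" {
  name     = "rg-vmss-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-vmss-example"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "snet-vmss"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Step 1: a Network Security Group for the scale set. The NSG default rules
# deny inbound traffic from the Internet; this rule only admits HTTPS that
# arrives through an Azure load balancer (an assumed front-end design).
resource "azurerm_network_security_group" "vmss" {
  name                = "nsg-vmss-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "allow-https-from-lb"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "AzureLoadBalancer"
    destination_address_prefix = "*"
  }
}

resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "vmss-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  upgrade_policy_mode = "Manual"

  sku {
    name     = "Standard_B1s"
    tier     = "Standard"
    capacity = 2
  }

  os_profile {
    computer_name_prefix = "vmss"
    admin_username       = "azureadmin"
  }

  os_profile_linux_config {
    disable_password_authentication = true
    ssh_keys {
      path     = "/home/azureadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/id_rsa.pub") # assumed local public key path
    }
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  # Step 2: attach the NSG to the scale set's network profile. Without this
  # line the instances' NICs carry no NSG and the rule AC_AZURE_0358 fails.
  network_profile {
    name                      = "vmss-netprofile"
    primary                   = true
    network_security_group_id = azurerm_network_security_group.vmss.id

    ip_configuration {
      name      = "vmss-ipconfig"
      subnet_id = azurerm_subnet.example.id
      primary   = true
    }
  }
}
```

Referencing `azurerm_network_security_group.vmss.id` rather than a hard-coded resource ID also makes Terraform create the NSG before the scale set, so there is no window in which instances exist without the group applied.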

References:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_scale_set#network_security_group_id
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group

Policy Details

Rule Reference ID: AC_AZURE_0358
CSP: Azure
Remediation Available: Yes
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks