Description:

UDP access from the Internet should be evaluated and restricted to prevent unnecessary exposure of network resources. Only required UDP ports should be open, and all other UDP traffic from external sources should be blocked using Network Security Groups.


Rationale:

UDP is a connectionless protocol and is commonly used in attacks such as reflection, spoofing, amplification, and DDoS. Limiting UDP access from the Internet reduces the attack surface and helps prevent unauthorised or malicious traffic from reaching Azure resources.


Impact:

If UDP access from the Internet is not restricted, external hosts may be able to send traffic directly to virtual machines or applications. This can lead to exploitation, service disruption, unauthorized access attempts, or resource exhaustion caused by UDP-based attacks.


Default Value:

By default, Azure Network Security Groups deny inbound traffic unless an allow rule is created. However, manually added allow rules can expose UDP ports to the Internet if not reviewed and restricted.


Pre-requisites:

  • Permissions to manage Network Security Groups, such as Owner, Contributor, or Network Contributor.

  • Knowledge of which applications or services require UDP access.

  • Awareness of valid IP ranges or networks that should be allowed if UDP is required.


Test Plan:

  1. Sign in to the Azure Portal https://portal.azure.com

  2. Navigate to Network Security Groups.

  3. Select the NSG associated with the virtual machine or service.

  4. Under Settings, open Inbound security rules.

  5. Review inbound rules where the Protocol is UDP.

  6. Verify there is no UDP rule allowing access from Any or 0.0.0.0/0.

  7. If such a rule exists, follow the implementation steps.
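The portal steps above check one NSG at a time. The following added example (not part of this benchmark document) applies the same test to rules exported with `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`; the property names are assumed to match that output, and the input below is a constructed sample. Note that the portal's "Any" source is stored as `*`, and that a protocol of `*` also admits UDP.

```python
import json

# Source prefixes that mean "anywhere on the Internet". The portal shows "*" as
# "Any"; "Internet" is the service tag for all public address space.
INTERNET_SOURCES = {"*", "0.0.0.0/0", "internet"}

def values(rule, single, plural):
    """Collect a rule property that may be set as one value or as a list."""
    vals = [rule[single]] if rule.get(single) else []
    return vals + list(rule.get(plural) or [])

def find_open_udp_rules(rules):
    """Return (name, protocol, open_sources, dest_ports) for every inbound Allow rule
    that admits UDP from the Internet. Protocol "*" is reported too, as it includes UDP."""
    findings = []
    for r in rules:
        if r.get("direction", "").lower() != "inbound" or r.get("access", "").lower() != "allow":
            continue
        if (r.get("protocol") or "").lower() not in ("udp", "*"):
            continue
        sources = values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        open_sources = [s for s in sources if s.lower() in INTERNET_SOURCES]
        if open_sources:
            ports = values(r, "destinationPortRange", "destinationPortRanges")
            findings.append((r["name"], r["protocol"], open_sources, ports))
    return findings

# Constructed sample in the shape of `az network nsg rule list -o json` output; not real rules.
SAMPLE_RULES_JSON = """[
  {"name": "allow-dns-any", "direction": "Inbound", "access": "Allow", "protocol": "Udp",
   "priority": 100, "sourceAddressPrefix": "*", "destinationPortRange": "53"},
  {"name": "allow-all-internet", "direction": "Inbound", "access": "Allow", "protocol": "*",
   "priority": 110, "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
  {"name": "allow-vpn-office", "direction": "Inbound", "access": "Allow", "protocol": "Udp",
   "priority": 120, "sourceAddressPrefixes": ["203.0.113.0/24"], "destinationPortRanges": ["500", "4500"]},
  {"name": "allow-web", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
   "priority": 130, "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "443"},
  {"name": "deny-udp-in", "direction": "Inbound", "access": "Deny", "protocol": "Udp",
   "priority": 4000, "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]"""

def audit_sample():
    """Run the check over the constructed sample; the same call works on real exported JSON."""
    return find_open_udp_rules(json.loads(SAMPLE_RULES_JSON))

if __name__ == "__main__":
    for name, proto, sources, ports in audit_sample():
        print(f"FINDING: rule {name!r} allows {proto} from {sources} to port(s) {ports}")
```

Only the two rules open to the Internet are reported; the rule scoped to a trusted prefix, the TCP-only rule and the Deny rule pass the check.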



Implementation Steps:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Navigate to Network Security Groups.

  3. Select the NSG associated with the resource.

  4. Under Settings, open Inbound security rules.

  5. Identify any UDP rule allowing access from Any or 0.0.0.0/0.

  6. Delete or modify the rule.

  7. If UDP is required, allow UDP only from trusted IP addresses and specific destination ports.

  8. Save the updated rule.


Backout Plan:

  1. Sign in to the Azure Portal.

  2. Navigate to Network Security Groups.

  3. Select the NSG where changes were made.

  4. Under Settings, open Inbound security rules.

  5. Edit the UDP rule and restore the previous approved source configuration if required.

  6. Save the changes.


References: