Description:

Setting network access rules to Deny-by-default ensures that only explicitly allowed traffic can reach Azure resources. This configuration minimizes the attack surface by blocking all inbound and outbound traffic except the traffic that is specifically authorized. The Deny-by-default approach is critical for securing services such as virtual machines, databases, and web applications in Azure.

Rationale:

Deny-by-default network access rules provide a strong security posture by ensuring that resources are not exposed to unauthorized access. They are a defense-in-depth best practice: no traffic is permitted until a rule explicitly allows it. This approach aligns with the principle of least privilege and ensures that only authorized network traffic is allowed into or out of the network.

Impact:

By enforcing Deny-by-default rules, all traffic is denied unless a security policy explicitly allows it. While this significantly improves security by preventing unauthorized access, it may require additional configuration to allow legitimate traffic, such as connections from trusted internal networks, VPNs, or other Azure services. Defining the required allow rules before enforcing the deny is critical to avoid disruptions in service.

Default Value:

Azure network access rules are generally set to Allow-by-default unless manually configured otherwise. The Deny-by-default configuration must be explicitly applied.

Pre-requisites:

  • Azure account.

  • Azure resources (e.g., Virtual Networks, Network Security Groups, and Firewalls).

  • A user with the permissions needed to configure network security settings (e.g., Network Admin or Owner).

Audit:

  1. Sign in to the Azure portal as a Network Admin, Owner, or Contributor.

  2. Navigate to the Network Security Group (NSG) or Firewall settings of the relevant Azure resource (e.g., virtual machines, subnets).

  3. Review the Network Security Rules and ensure that the default setting is Deny-by-default for both inbound and outbound traffic.

Implementation Steps:

  1. Sign in to the Azure portal with Network Admin, Owner, or Contributor privileges.

  2. Navigate to the Network Security Group (NSG) or Firewall that applies to the target Azure resources (e.g., Virtual Machine, Storage Account).

  3. In Network Security Group (NSG):

    • Go to Inbound security rules and Outbound security rules.

    • Set the default action to Deny if not already configured.

    • Add explicit allow rules for required services or IP addresses.

  4. In Azure Firewall:

    • Navigate to Firewall policy settings.

    • Under Rule Collection, configure the rule action to Deny by default.

    • Add specific Allow rules for trusted sources or applications.

  5. Apply the changes to ensure that traffic is denied by default and only explicit rules allow traffic where necessary.
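An added example (not part of this guide or of any Azure tooling) that automates Audit step 3 and verifies the result of Implementation steps 3 to 5 for an NSG: it takes the rule list in the JSON shape returned by `az network nsg rule list` (camelCase keys; assumed here and trimmed to the fields the check needs) and reports, per direction, whether a custom catch-all Deny rule exists and is not shadowed by a catch-all Allow rule with a lower priority number, which Azure evaluates first. The sample rules are constructed; the outbound side is deliberately non-compliant to show the failure mode.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -g RG --nsg-name NAME` output
# (camelCase keys), trimmed to the fields the check needs.
SAMPLE_RULES = json.loads("""[
 {"name": "AllowHttpsFromOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationAddressPrefix": "*",
  "sourcePortRange": "*", "destinationPortRange": "443"},
 {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
  "sourcePortRange": "*", "destinationPortRange": "*"},
 {"name": "AllowAllOutbound", "priority": 200, "direction": "Outbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
  "sourcePortRange": "*", "destinationPortRange": "*"},
 {"name": "DenyAllOutbound", "priority": 4096, "direction": "Outbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
  "sourcePortRange": "*", "destinationPortRange": "*"}
]""")

# Each address/port field has a singular form ("*") and a plural list form (["*", ...]).
ANY_FIELDS = (("sourceAddressPrefix", "sourceAddressPrefixes"),
              ("destinationAddressPrefix", "destinationAddressPrefixes"),
              ("sourcePortRange", "sourcePortRanges"),
              ("destinationPortRange", "destinationPortRanges"))

def is_catch_all(rule):
    """True for a rule matching every protocol, address and port (an effective default)."""
    return rule.get("protocol") == "*" and all(
        rule.get(one) == "*" or "*" in (rule.get(many) or []) for one, many in ANY_FIELDS)

def audit_direction(rules, direction):
    """Return (compliant, reason). Only custom rules (priority 100-4096) are considered;
    Azure's built-in default rules live at 65000 and above and are overridden by them."""
    custom = [r for r in rules if r.get("direction") == direction and int(r["priority"]) <= 4096]
    denies = [r for r in custom if r.get("access") == "Deny" and is_catch_all(r)]
    if not denies:
        return False, f"{direction}: no custom catch-all Deny rule, so Azure default rules apply"
    deny = min(denies, key=lambda r: int(r["priority"]))
    shadow = [r["name"] for r in custom if r.get("access") == "Allow" and is_catch_all(r)
              and int(r["priority"]) < int(deny["priority"])]
    if shadow:
        return False, f"{direction}: catch-all Allow {', '.join(shadow)} precedes {deny['name']}"
    return True, f"{direction}: deny-by-default enforced by {deny['name']}"

def audit_nsg(rules):
    """Audit both directions; returns {direction: (compliant, reason)}."""
    return {d: audit_direction(rules, d) for d in ("Inbound", "Outbound")}
```

Run `audit_nsg(SAMPLE_RULES)` to see the inbound side pass and the outbound side fail because AllowAllOutbound (priority 200) is evaluated before DenyAllOutbound (priority 4096).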

Backout Plan:

  1. Sign in to the Azure portal as a Network Admin, Owner, or Contributor.

  2. Navigate to the Network Security Group (NSG) or Firewall settings.

  3. In NSG, modify the Inbound and Outbound security rules to set the default action to Allow.

  4. In Azure Firewall, change the rule action from Deny to Allow by default.

  5. Save and apply the changes to revert to the previous network access configuration.

References: