Lockdown Lab #19 CRITICAL Microsoft Azure

Configure Network Security Groups (NSGs)

I’ve walked into far too many Azure environments where the perimeter is a sieve. The most common culprit? Missing or misconfigured Network Security Groups. This isn’t advanced rocket science, folks; it’s foundational.

Every single subnet and NIC you have in Azure needs an NSG attached. Period. It’s your first line of defense, your basic traffic cop. And the default rule? Deny everything inbound from the internet. If you’re not doing this, you’re essentially leaving your front door wide open.

This isn’t just about “best practice.” This is about preventing basic attacks that exploit open ports. SQL injection, RDP brute-force, web server exploits – if an NSG isn’t there, or it’s too permissive, you’re a sitting duck.

The fix is straightforward: in the Azure Portal, navigate to your subnet or network interface, select “Network security group”, and associate one. Ensure its inbound rules explicitly deny traffic from “Internet” (0.0.0.0/0) unless an exception is absolutely necessary and finely tuned.

Stop leaving your assets exposed. Go check your NSG coverage today.

The fix

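```bash
# List NSGs and the resource group each one lives in
az network nsg list --query "[].{Name:name, RG:resourceGroup}" --output table

# Check for open rules (replace both placeholders with your own values)
az network nsg rule list --nsg-name <nsg_name> --resource-group <resource_group>
```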
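The following added example, not part of the original post, audits the JSON that `az network nsg list -o json` and `az network vnet list -o json` return: it reports custom inbound Allow rules open to any internet source and subnets with no NSG associated. The function names and the sample data are this example's own; the sample data is constructed.

```python
# Source values that match any internet address in an NSG rule.
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}

def _values(rule, single, plural):
    """Merge the singular and plural forms of a rule field into one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def open_inbound_rules(nsgs):
    """Return (nsg, rule, ports) for each custom inbound Allow rule open to any source."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules") or []:
            if (rule.get("direction") or "").lower() != "inbound":
                continue
            if (rule.get("access") or "").lower() != "allow":
                continue
            sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
            if any(s.lower() in ANY_SOURCE for s in sources):
                ports = _values(rule, "destinationPortRange", "destinationPortRanges")
                findings.append((nsg["name"], rule["name"], ",".join(ports)))
    return findings

def subnets_without_nsg(vnets):
    """Return 'vnet/subnet' for every subnet that has no NSG associated."""
    return [f"{v['name']}/{s['name']}"
            for v in vnets for s in v.get("subnets") or []
            if not s.get("networkSecurityGroup")]

# Constructed sample data, shaped like the CLI's JSON output.
# In real use, json.load() the saved output of the two az commands instead.
SAMPLE_NSGS = [{"name": "nsg-web", "securityRules": [
    {"name": "allow-rdp", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-https-office", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"},
    {"name": "allow-sql", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["1433"]},
    {"name": "deny-all", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}]}]
SAMPLE_VNETS = [{"name": "vnet-prod", "subnets": [
    {"name": "web", "networkSecurityGroup": {"id": "<nsg-resource-id>"}},
    {"name": "db", "networkSecurityGroup": None}]}]

if __name__ == "__main__":
    for finding in open_inbound_rules(SAMPLE_NSGS):
        print("OPEN TO INTERNET:", *finding)
    for subnet in subnets_without_nsg(SAMPLE_VNETS):
        print("NO NSG:", subnet)
```

Only custom rules (`securityRules`) are inspected; the platform's default rules are left out of the report.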

Reference: CIS Azure Foundations Benchmark 6.1
