Sunday, 18 November 2018

Azure Policy - Deny inbound RDP from the internet

Introduction

In this article, I'll do a quick run-through of Azure Policy and what you can do with it. Now that infrastructure can be deployed in Azure quickly and multiple teams can be given access, the question is how to control what gets deployed. As a worked case, we'll look at how to prevent users from opening inbound RDP ports from the internet to their Windows VMs.

What is Azure Policy

Azure Policy is an Azure service that lets you assign policies to your subscriptions or management groups (groups of subscriptions). With it you can specify which Azure resources should be denied, which should only be audited, and which should be automatically remediated by deploying an additional ARM template that you specify. For example, you can block all storage accounts that don't use encryption.

There are built-in policies, but you can also write your own in JSON. Policy as code has two kinds of definition:

  • Policy definitions: the individual rules that will be enforced, such as Allowed Resource Types (which resource types can be deployed) or Allowed Virtual Machine SKUs (which VM sizes can be deployed).
  • Initiative definitions: groups of policies aimed at a larger goal. For example, you could have a cost-reduction initiative containing one policy that prevents users from deploying large virtual machines and another that prevents them deploying databases with high DTUs. You then assign the initiative to a subscription or management group and every policy in it applies.

Create Network Security Group for testing

To start, I'll create a new Network Security Group with a rule that allows inbound TCP port 3389 from the internet, which is exactly what the policy should block. For more information on Network Security Groups, see here.


Create Azure Policy Definition to deny inbound RDP

Now that we have an NSG rule of the kind we want to block, we'll create an Azure Policy definition that denies it.

1) Log into the Azure portal and search for Policy:


2) The Overview pane shows a summary of your compliance status. Because no policies are assigned yet, it reports 100% compliance.


3) Create new policy code

A policy definition is written in JSON and has the following fields:

  • displayName: the name that appears in the Azure portal.
  • description: the description that appears in the Azure portal.
  • mode: all applies the policy to every resource type; indexed applies it only to resource types that support tags and location. For this policy use all, because an NSG security rule (Microsoft.Network/networkSecurityGroups/securityRules) supports neither and would be skipped under indexed.
  • parameters: inputs to the policy that are supplied when it is assigned. Rather than creating a policy for each inbound port you want to block, you can create a single policy that takes a list of ports as a parameter. See below:


  • if…then: the policy condition and effect. It works like most if statements: if the resource meets the condition, the effect is applied. The effect can be Deny, Audit, Append, AuditIfNotExists or DeployIfNotExists. There's more information here.

The full JSON content is below:


4) Click Definitions, add a new policy definition, paste the JSON into it and click Save:


5) Assign the policy: click the definition you just created, then click Assign.


6) Select the subscription or management group to assign the policy to, then set the parameters. Since we want to block inbound RDP from the internet, enter 3389 in the parameters section at the bottom. Click Assign when done.
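As an added example (not the original post's JSON or its portal steps), here is a complete definition of the shape described in step 3 together with the two commands that do the work of steps 4 to 6, written for the Az PowerShell module. The parameter name deniedPorts is taken from the fragment quoted in the comments below; the definition name, assignment name and the second parameter (effect) are this example's own. It goes further than the post's policy in one respect: it matches rules embedded inside a networkSecurityGroups resource (how the VM creation wizard and ARM templates send them) as well as rules created as their own securityRules child resource, so a new VM deployed with RDP open to the internet is denied too.

```powershell
# Added example, not the original post's JSON: define and assign a policy that denies NSG rules
# allowing inbound traffic from the internet to a parameterised list of ports. Cmdlets are from
# the current Az module (Az.Resources); in 2018 the same cmdlets carried the AzureRm prefix.
# Run Connect-AzAccount and select the target subscription first. The parameter name deniedPorts
# comes from the fragment quoted in the comments; every other name here is this example's own.

# Parameters: the port list, plus an effect so the same definition can be assigned as Audit
# for a dry run before switching it to Deny.
$parameters = @'
{
  "deniedPorts": {
    "type": "Array",
    "metadata": {
      "displayName": "Denied destination ports",
      "description": "Ports that no inbound rule may allow from the internet"
    },
    "defaultValue": [ "3389" ]
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Deny"
  }
}
'@

# A matching rule is Allow + Inbound + internet source + a denied port in either destinationPortRange
# (single value) or destinationPortRanges (array). [*] is evaluated per element, so
# not(destinationPortRanges[*] notIn list) means "at least one element is in the list".
# Two resource shapes are covered: a securityRules child resource created on its own (the portal's
# Add inbound rule) and rules embedded in a networkSecurityGroups resource (VM creation wizard,
# ARM templates). A policy that only names the child type never sees the embedded ones.
$policyRule = @'
{
  "if": {
    "anyOf": [
      { "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
            "in": [ "*", "Internet", "0.0.0.0/0" ] },
          { "anyOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                "in": "[parameters('deniedPorts')]" },
              { "not": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                         "notIn": "[parameters('deniedPorts')]" } }
          ] }
      ] },
      { "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
          { "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": { "allOf": [
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                  "in": [ "*", "Internet", "0.0.0.0/0" ] },
                { "anyOf": [
                    { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                      "in": "[parameters('deniedPorts')]" },
                    { "not": { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
                               "notIn": "[parameters('deniedPorts')]" } }
                ] }
              ] }
            },
            "greater": 0 }
      ] }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Mode must be All: Indexed only evaluates types that support tags and location, and the
# securityRules child resource supports neither, so it would be skipped.
$definition = New-AzPolicyDefinition -Name 'deny-inbound-internet-ports' `
    -DisplayName 'Deny NSG rules that allow inbound internet traffic on denied ports' `
    -Description 'Denies NSG rules allowing inbound traffic from the internet to the listed ports.' `
    -Mode 'All' -Policy $policyRule -Parameter $parameters

# Assign at subscription scope; for a management group the scope is
# /providers/Microsoft.Management/managementGroups/<name>. Parameter values here: RDP only, Deny.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
New-AzPolicyAssignment -Name 'deny-inbound-rdp' -DisplayName 'Deny inbound RDP from the internet' `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameter '{ "deniedPorts": { "value": [ "3389" ] }, "effect": { "value": "Deny" } }'
```

Port comparisons are string comparisons: a rule with destinationPortRange "*" or a range such as 3000-4000 that happens to cover 3389 is not matched unless those literals are added to deniedPorts, and rules that use the array form sourceAddressPrefixes are not covered by this rule either. Assigning with effect Audit first shows what would have been denied before anyone's deployment breaks.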


Testing Azure Policy

Let's test it. Compliance evaluation takes some time to run after assignment; once it has, the policy shows as non-compliant and we can click through to the offending NSG rule. Note that the existing rule is only reported: a Deny effect blocks new or updated resources but does not change what is already deployed.

If you now try to create a new NSG rule that allows inbound port 3389 from the internet, the request is denied by policy and you get an error like this:


You are also blocked if you deploy with PowerShell, Terraform, the REST API or any other client, because they all go through Azure Resource Manager, which is where the policy is enforced.
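The same checks driven from PowerShell rather than the portal, as an added example that is not part of the original post. It assumes an existing NSG named nsg-test in resource group rg-policy-test within the assigned subscription and an assignment named deny-inbound-rdp; those are this example's own names, and the cmdlets are from the current Az module (Az.Network and Az.PolicyInsights).

```powershell
# Added example, not from the original post. Exercises a deny-inbound-RDP assignment from
# PowerShell: attempts a rule the policy must deny, then lists pre-existing offenders.
# Assumed names: NSG nsg-test in resource group rg-policy-test, assignment deny-inbound-rdp.

$nsg = Get-AzNetworkSecurityGroup -Name 'nsg-test' -ResourceGroupName 'rg-policy-test'

# 1) Attempt an Allow / Inbound / Internet / 3389 rule. Set-AzNetworkSecurityGroup PUTs the whole
#    NSG with its rules embedded, so this takes the same ARM path as the VM creation wizard and
#    ARM templates, not the standalone securityRules path the portal's Add inbound rule uses.
#    -ErrorAction Stop turns the ARM error into a terminating one so the catch block runs.
try {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-internet' -Access Allow -Protocol Tcp `
        -Direction Inbound -Priority 100 -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 |
        Set-AzNetworkSecurityGroup -ErrorAction Stop | Out-Null
    Write-Warning 'Rule accepted: the policy is not denying. Check the scope and effect, and allow time after assignment.'
}
catch {
    # ARM answers with RequestDisallowedByPolicy; the message names the assignment and definition.
    Write-Host "Denied as expected: $($_.Exception.Message)"
}

# 2) Deny only blocks new or updated resources; anything already deployed is reported, not removed.
#    Compliance data lags resource changes, so trigger an on-demand evaluation for the current
#    subscription instead of waiting for the scheduled one, then list the non-compliant resources.
Start-AzPolicyComplianceScan
Get-AzPolicyState -Filter "PolicyAssignmentName eq 'deny-inbound-rdp' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceType, Timestamp |
    Format-Table -AutoSize
```

If the first step is accepted rather than denied, the usual causes are an assignment at the wrong scope, an effect of Audit instead of Deny, or testing too soon after assignment; the second step is what shows the NSG created earlier in the article as non-compliant.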

Conclusion

In this article we went through how to use Azure Policy to deny the creation of any NSG rule that allows inbound traffic from the internet on the specified ports. It is one step towards good Azure governance.

37 comments:

  2. I didn't get why you used the below.

    {
      "not": {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
        "notIn": "[parameters('deniedPorts')]"
      }
    }

    Can you please explain what the above code does?

  3. What if an NSG is not used (not a best practice, but the devops are creative)?


  7. The rule seems to only work on existing VMs. For example, if I edit the NSG of an existing VM to add a rule allowing internet access to port 3389, it triggers the rule and the request is denied.

    But if I create a new VM and enable port 3389 during VM creation, the VM can still be created. Its NSG rule shows up later as a non-compliant rule, but the desired behaviour is for the rule to deny the VM being created.

    Any suggestion on how we can make sure a new VM cannot be created with the RDP port open?


    Replies
    1. Looks like it's a known issue: https://github.com/Azure/azure-policy/issues/305

    2. Jack, it's a really nice article. But I have the same requirement, where I would like the VM creation to fail if port 3389 is open. Any ideas?

  18. Hi Mark, it's a really helpful article. But is there any chance we can have this policy validate when creating a VM from the marketplace? Though this policy works when creating individual NSG rules, if port 3389 is opened while creating the VM it doesn't validate.
