Best practice rules for Network
- Bastion Host in Use
Ensure that Azure Bastion service is used within your Microsoft Azure cloud account.
- Check for NSG Flow Log Retention Period
Ensure that Network Security Group (NSG) flow log retention period is greater than or equal to 90 days.
- Check for Network Security Groups with Port Ranges
Ensure that no network security groups open a range of ports to inbound traffic.
- Check for Unrestricted CIFS Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 445 (Common Internet File System – CIFS).
- Check for Unrestricted DNS Access
Ensure that no network security groups allow unrestricted inbound access on TCP and UDP port 53.
- Check for Unrestricted FTP Access
Ensure that no network security groups allow unrestricted inbound access on TCP ports 20 and 21 (File Transfer Protocol – FTP).
- Check for Unrestricted HTTP Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 80.
- Check for Unrestricted HTTPS Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 443.
- Check for Unrestricted ICMP Access
Ensure that no network security groups allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
- Check for Unrestricted Inbound TCP or UDP Access on Selected Ports
Ensure that no network security groups allow unrestricted inbound access via TCP or UDP on selected ports.
- Check for Unrestricted MS SQL Server Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).
- Check for Unrestricted MSSQL Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 1433.
- Check for Unrestricted MongoDB Access
Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019.
- Check for Unrestricted MySQL Database Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 3306 (MySQL Database).
- Check for Unrestricted NetBIOS Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS).
- Check for Unrestricted Oracle Database Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database).
- Check for Unrestricted PostgreSQL Database Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).
- Check for Unrestricted RDP Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol – RDP).
- Check for Unrestricted RPC Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).
- Check for Unrestricted SMTP Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 25.
- Check for Unrestricted SSH Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 22 (SSH).
- Check for Unrestricted Telnet Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 23.
- Check for Unrestricted UDP Access
Ensure that no network security groups allow unrestricted inbound access on UDP ports.
- Enable Azure Network Watcher
Ensure that Network Watcher is enabled within your Microsoft Azure account subscription.
- Enable DDoS Standard Protection for Virtual Networks
Ensure that DDoS standard protection is enabled for production Azure virtual networks.
- Monitor Network Security Group Configuration Changes
Ensure that network security group configuration changes in your Microsoft Azure cloud account are detected and monitored.
- Review Network Interfaces with IP Forwarding Enabled
Ensure that the Azure network interfaces with IP forwarding enabled are regularly reviewed.