Forbid public administrative access to Azure VMs via Azure Policy

I was looking for a way to prevent users from granting public access to Azure VMs on port 22/3389. I could not find any, so I ended up creating my own from bits and pieces I found. There used to be built-in policies for this, but they have been deprecated.

[Deprecated]: RDP access from the Internet should be blocked (azadvertizer.net)

I found this strange until I realized that they do not work.

The problem is that NSG rules can be added in two ways: either directly as separate rule resources, or inline as part of the NSG definition itself. A policy that only checks one of these shapes can be bypassed by using the other.

I have created two policies per port. I am sure that this can be done smarter, but I hate Azure Policy as much as I hate ARM templates. Humans are not meant to program in JSON.
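The two rule shapes described above are why one policy per port is not enough. As an added example (not the article's policy JSON and not code from the linked repository), the following Python check evaluates the same condition offline against ARM-style NSG resources, covering both shapes and, going a bit beyond the article, port ranges such as 20-25 that contain 22 or 3389; the sample resources are constructed.

```python
from typing import Iterable

ADMIN_PORTS = {22, 3389}
# Source prefixes that mean "anywhere on the Internet" in NSG rule terms.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "0.0.0.0", "any"}

def ports_in_range(spec: str) -> set[int]:
    """Admin ports covered by one destinationPortRange value: '22', '20-25' or '*'."""
    spec = spec.strip()
    if spec == "*":
        return set(ADMIN_PORTS)
    lo, _, hi = spec.partition("-")
    return {p for p in ADMIN_PORTS if int(lo) <= p <= int(hi or lo)}

def rule_exposes_admin_port(props: dict) -> set[int]:
    """Admin ports that one rule's properties open to inbound Internet traffic."""
    if props.get("access", "").lower() != "allow" or props.get("direction", "").lower() != "inbound":
        return set()
    sources = [props.get("sourceAddressPrefix", "")] + props.get("sourceAddressPrefixes", [])
    if not any(s.lower() in INTERNET_SOURCES for s in sources):
        return set()
    specs = [props.get("destinationPortRange", "")] + props.get("destinationPortRanges", [])
    return set().union(*(ports_in_range(s) for s in specs if s))

def violations(resources: Iterable[dict]) -> list[tuple[str, int]]:
    """(rule name, port) for each offending rule, whether it is written inline in the
    NSG's properties.securityRules or as a separate .../securityRules resource."""
    found = []
    for res in resources:
        rtype, props = res.get("type", ""), res.get("properties", {})
        if rtype == "Microsoft.Network/networkSecurityGroups":
            rules = [(r["name"], r.get("properties", {})) for r in props.get("securityRules", [])]
        elif rtype == "Microsoft.Network/networkSecurityGroups/securityRules":
            rules = [(res["name"], props)]
        else:
            continue
        for name, rule in rules:
            found += [(name, port) for port in sorted(rule_exposes_admin_port(rule))]
    return found

# Constructed sample (not from the article): an NSG with inline rules plus two standalone rules.
SAMPLE = [
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-inline", "properties": {"securityRules": [
        {"name": "allow-rdp-any", "properties": {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
        {"name": "allow-https", "properties": {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}}]}},
    {"type": "Microsoft.Network/networkSecurityGroups/securityRules", "name": "nsg-x/ssh-range",
     "properties": {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["20-25", "8080"]}},
    {"type": "Microsoft.Network/networkSecurityGroups/securityRules", "name": "nsg-x/ssh-from-vpn",
     "properties": {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"}},
]
```

Running `violations(SAMPLE)` flags the inline RDP rule and the standalone 20-25 range rule, while the HTTPS rule and the SSH rule restricted to a private source pass.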

It is a shame that Microsoft does not help more with templates for things like this.

They are quick to point out that you should not have public access on port 22/3389, so why not do something about it?

Microsoft Defender for Cloud has a built-in policy for detecting open administrative ports, which is nice. But if you have hundreds of projects and hundreds of developers, it takes a lot of effort to contact them and get them to change their NSGs.

Better to be proactive and deny them the opportunity. If anybody is interested, the policies can be found here:

azure/Policy at master · theheatDK/azure (github.com)
