Virtual Machine – Protect From Direct Internet Traffic
This check ensures that Azure Virtual Machines are not directly exposed to the public internet. Virtual Machines should not have unrestricted public IP access and must be protected using Network Security Groups (NSGs), Azure Bastion, VPN, or private networking controls.
Check Details
- Resource: Azure Virtual Machine
- Check: Ensure Protection From Direct Internet Traffic
- Risk: Virtual Machines exposed directly to the internet through a public IP address and open inbound ports (such as SSH 22 or RDP 3389) are vulnerable to brute-force attacks, port scanning, credential theft, and unauthorized remote access.
Remediation via Azure Portal
- Log in to the Azure Portal.
- Navigate to Virtual Machines and select the affected VM.
- In the left-hand menu, select Networking.
- Review whether a Public IP address is associated with the VM.
- If a Public IP is attached:
  - Disassociate or remove the Public IP address.
  - Ensure inbound rules do not allow 0.0.0.0/0 access to management ports.
  - Use Azure Bastion or VPN for secure remote access.
- Click Save after applying the necessary configuration changes.
Remediation via Azure CLI
- Open Azure Cloud Shell or a local terminal with Azure CLI installed.
- Check whether the Virtual Machine has a Public IP associated:
  az vm list-ip-addresses \
    --resource-group <resource-group> \
    --name <vm-name>
- Remove the Public IP address from the VM network interface (ipconfig1 is the default IP configuration name; substitute the configuration name if yours differs):
  az network nic ip-config update \
    --resource-group <resource-group> \
    --nic-name <nic-name> \
    --name ipconfig1 \
    --remove publicIpAddress
- Verify that the Public IP is removed; the query returns an empty list once no Public IP is attached:
  az vm list-ip-addresses \
    --resource-group <resource-group> \
    --name <vm-name> \
    --query "[].virtualMachine.network.publicIpAddresses"
Replace <resource-group>, <vm-name>, and <nic-name> with your actual values.
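The two checks this article describes, whether a Public IP is attached and whether an inbound NSG rule opens a management port to the whole internet, can be evaluated offline from the JSON the CLI already produces. The following Python script is an added example, not part of this article or of any vendor tooling: it parses the output shape of `az vm list-ip-addresses` (the same structure the verification query above reads) and of `az network nsg rule list -o json`, walks the NSG rules in priority order, and reports Allow rules that expose port 22 or 3389 to any source. The sample JSON is constructed to mirror those outputs, the NSG field names are assumed from the CLI's JSON, and protocol is deliberately ignored so the check errs on the side of reporting.

```python
"""Offline evaluation of the 'VM protected from direct internet traffic' check.
Parses the JSON shapes returned by `az vm list-ip-addresses` and
`az network nsg rule list -o json`. Added example, not the article's own
tooling; all sample data below is constructed, and the NSG field names are an
assumption based on the CLI's JSON output."""
from __future__ import annotations
import json

MANAGEMENT_PORTS = {22, 3389}                 # SSH and RDP, as named in the check
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}   # source prefixes meaning "anyone"

# Constructed: shape of `az vm list-ip-addresses -g <rg> -n <vm>` before remediation.
SAMPLE_VM_IPS = json.dumps([{
    "virtualMachine": {
        "name": "web-vm-01", "resourceGroup": "rg-demo",
        "network": {
            "privateIpAddresses": ["10.0.1.4"],
            "publicIpAddresses": [{"name": "web-vm-01-pip", "ipAddress": "203.0.113.10"}],
        },
    }
}])

# Constructed: the same VM after `--remove publicIpAddress` on its NIC ip-config.
SAMPLE_VM_IPS_AFTER = json.dumps([{
    "virtualMachine": {
        "name": "web-vm-01", "resourceGroup": "rg-demo",
        "network": {"privateIpAddresses": ["10.0.1.4"], "publicIpAddresses": []},
    }
}])

# Constructed: shape of `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`.
SAMPLE_NSG_RULES = json.dumps([
    {"name": "AllowSSH", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "AllowRdpFromOffice", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "sourceAddressPrefixes": [],
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "AllowWeb", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": None, "destinationPortRanges": ["80", "443"]},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "*", "destinationPortRanges": []},
])


def public_ips(vm_ip_json: str) -> list[str]:
    """Public IP addresses attached to the VM; an empty list means none."""
    return [pip["ipAddress"]
            for entry in json.loads(vm_ip_json)
            for pip in entry["virtualMachine"]["network"]["publicIpAddresses"]]


def _ports(rule: dict) -> set[int] | None:
    """Expand destinationPortRange(s) ('22', '3000-3010', '*') into a set; None means all ports."""
    ports: set[int] = set()
    for spec in [rule.get("destinationPortRange"), *(rule.get("destinationPortRanges") or [])]:
        if not spec:
            continue
        if spec == "*":
            return None
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _sources(rule: dict) -> set[str]:
    """All source prefixes a rule matches (single field plus the list form)."""
    return {s for s in [rule.get("sourceAddressPrefix"),
                        *(rule.get("sourceAddressPrefixes") or [])] if s}


def open_management_rules(nsg_json: str) -> list[str]:
    """Inbound Allow rules that open a management port to any internet source.

    Rules are walked in priority order (lower number wins). An any-source Deny
    that covers a port shadows every later Allow on that port, so a default
    DenyAllInbound at 4096 never hides an Allow at 300, but a Deny at 100 would.
    Protocol is ignored on purpose, so the check over-reports rather than misses."""
    rules = sorted(json.loads(nsg_json), key=lambda r: r["priority"])
    still_open = set(MANAGEMENT_PORTS)       # ports not yet shadowed by a Deny
    findings: list[str] = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or not (_sources(rule) & ANY_SOURCE):
            continue
        ports = _ports(rule)
        hit = set(still_open) if ports is None else still_open & ports
        if not hit:
            continue
        if rule.get("access") == "Allow":
            findings.append(f'{rule["name"]} (priority {rule["priority"]}) allows {sorted(hit)}')
        else:
            still_open -= hit
    return findings


def assess(vm_ip_json: str, nsg_json: str) -> dict:
    """Combine both checks into the finding this article's check would raise."""
    pips = public_ips(vm_ip_json)
    return {
        "public_ips": pips,
        "open_management_rules": open_management_rules(nsg_json),
        "direct_internet_exposure": bool(pips),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_VM_IPS, SAMPLE_NSG_RULES), indent=2))
    print(json.dumps(assess(SAMPLE_VM_IPS_AFTER, SAMPLE_NSG_RULES), indent=2))
```

Against the constructed data, the first assessment reports the attached Public IP and flags AllowSSH as the rule that exposes port 22 to any source, while AllowRdpFromOffice is not reported because its source is a single office range; the post-remediation sample shows an empty Public IP list and no direct exposure. To run it against a real VM, feed the functions the output of the CLI commands above with `-o json`.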