Virtual Network security groups should not permit ingress from ‘’ to TCP port 22 (SSH)


Exposing SSH to the internet lets attackers use brute-force techniques to gain access to Azure Virtual Machines. Once attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network, or even for attacking networked devices outside of Azure.

Remediation Steps

Azure Portal

  • Navigate to Virtual Machines and select the VM that has the problem.

  • In the left navigation, select Networking.

  • Select the Inbound port rules tab and delete any inbound rules that permit ingress from ‘’ to TCP port 22 (SSH).

Azure CLI

  • Remove the rule(s) that permit ingress from ‘’ to TCP port 22 (SSH):

    • az network nsg rule delete -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule
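To identify which rules to delete, the following added example (not part of the original page) scans rule JSON for inbound Allow rules that expose TCP port 22 to an open source, including port ranges that contain 22. The function names, the `OPEN_SOURCES` set and the sample rules are assumptions of this example; the sample is constructed in the shape of `az network nsg rule list -o json` output.

```python
import json

# Assumption: values treated as "any source". The page's quoted source value is
# blank, so this set is this example's choice, not the page's.
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet"}

def covers_port(spec, port=22):
    """True if an NSG port spec ('*', '22', '20-30') includes the port."""
    if spec.strip() == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def open_ssh_rules(rules, port=22):
    """Names of inbound Allow rules exposing TCP `port` to an open source."""
    flagged = []
    for r in rules:
        if (r.get("direction") or "").lower() != "inbound":
            continue
        if (r.get("access") or "").lower() != "allow":
            continue
        if (r.get("protocol") or "").lower() not in ("tcp", "*"):
            continue
        # A rule uses either the singular field or the plural list.
        sources = [r.get("sourceAddressPrefix")] + (r.get("sourceAddressPrefixes") or [])
        ports = [r.get("destinationPortRange")] + (r.get("destinationPortRanges") or [])
        open_src = any(s and s.lower() in OPEN_SOURCES for s in sources)
        hits_port = any(p and covers_port(p, port) for p in ports)
        if open_src and hits_port:
            flagged.append(r["name"])
    return flagged


# Constructed sample shaped like `az network nsg rule list -o json` output.
SAMPLE = json.loads("""[
 {"name": "ssh-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "range-any", "direction": "Inbound", "access": "Allow", "protocol": "*",
  "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": null, "destinationPortRanges": ["20-30", "443"]},
 {"name": "high-ports", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "Internet", "destinationPortRange": "23-1024"},
 {"name": "ssh-corp", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "10.0.0.0/16", "destinationPortRange": "22"},
 {"name": "deny-ssh", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationPortRange": "22"}
]""")

print(open_ssh_rules(SAMPLE))
```

Real input can come from `az network nsg rule list -g MyResourceGroup --nsg-name MyNsg -o json`. The check looks at each rule in isolation and does not evaluate priority, so a flagged rule may be shadowed by a higher-priority Deny.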


Example Configuration

resource "azurerm_network_security_rule" "example" {
  source_address_prefix   = ""
  destination_port_range  = "23-1024"
  # other required fields here
}