Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled


When this setting is enabled, it recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. Network security groups that are configured for a subnet are inherited by all virtual machine network interfaces unless otherwise specified. In addition to checking that a network security group has been configured, this policy assesses inbound security rules to identify rules that allow incoming traffic.

Portal Remediation Steps

  • Navigate to Azure Policy.

  • Select the subscription and click Edit assignment.

  • Select Parameters.

  • In Network Security Groups on the subnet level should be enabled, select AuditIfNotExists.

  • Click Review + save > save.

CLI Remediation Steps

  • Remediation is not possible via the CLI.