Network security groups should not permit ingress from the internet to UDP ports¶
Broadly exposing UDP services over the internet enables malicious actors to use DDoS amplification techniques to reflect spoofed UDP traffic from Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as an amplification source for disrupting services of other machines on a Virtual Network or even networked devices outside of Azure.
Navigate to Virtual Machines and select a VM.
Select the Inbound port rules tab and delete any inbound rules that permit ingress from a source of Any or Internet to a UDP port.
To remove the rule(s) that permit ingress from the internet to a UDP port:
az network nsg rule delete -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule