Network security groups should not permit ingress from the internet to UDP ports

Description

Broadly exposing UDP services over the internet enables malicious actors to use DDoS amplification techniques to reflect spoofed UDP traffic from Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as an amplification source for disrupting services of other machines on a Virtual Network or even networked devices outside of Azure.

Remediation Steps

Azure Portal

  • Navigate to Virtual Machines and select a VM.

  • Select Networking.

  • Select the Inbound port rules tab and delete any inbound rules that permit ingress from a source of Any or Internet to a UDP port.

Azure CLI

  • To remove a rule that permits ingress from the internet to a UDP port (MyResourceGroup, MyNsg and MyNsgRule are placeholders for your resource group, network security group and rule name):

    • az network nsg rule delete -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule
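The Portal and CLI steps above assume you already know which rules are the offending ones. The script below is an added example (not part of this recommendation or of the Azure CLI) that scans rules in the JSON shape returned by `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` (camelCase fields: `name`, `access`, `direction`, `protocol`, `priority`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`), flags every inbound Allow rule that admits UDP from an internet-wide source, and emits the matching delete command. It also treats protocol `*` (Any) as UDP-admitting, since such a rule permits UDP as well as TCP. The rule set embedded in the script is constructed for the example and is not taken from any real environment.

```python
"""Flag NSG inbound rules that allow UDP traffic from the internet.

Input shape follows the camelCase fields returned by
`az network nsg rule list -g <rg> --nsg-name <nsg> -o json`.
The sample rules below are constructed for this example only.
"""
import json

# Source prefixes that mean "anyone on the internet": the "Internet"
# service tag, the wildcard "*" (Any) and the explicit 0.0.0.0/0 CIDR.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

# Protocol values that admit UDP: "Udp" itself, or "*" (Any), which
# covers UDP alongside TCP and ICMP.
UDP_PROTOCOLS = {"udp", "*"}


def _values(rule, singular, plural):
    """Combine the single-value and list-value forms of an NSG rule field."""
    vals = []
    if rule.get(singular):
        vals.append(rule[singular])
    vals.extend(rule.get(plural) or [])
    return vals


def permits_internet_udp(rule):
    """True if an inbound Allow rule admits UDP from an internet-wide source."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if str(rule.get("protocol", "")).lower() not in UDP_PROTOCOLS:
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in INTERNET_SOURCES for s in sources)


def find_offending_rules(rules):
    """Return (name, priority, destination ports) for each rule to delete."""
    findings = []
    for rule in rules:
        if permits_internet_udp(rule):
            ports = _values(rule, "destinationPortRange", "destinationPortRanges")
            findings.append((rule["name"], rule.get("priority"), ports))
    return findings


def delete_commands(resource_group, nsg_name, rules):
    """Build the `az network nsg rule delete` command for every finding."""
    return [
        f"az network nsg rule delete -g {resource_group} --nsg-name {nsg_name} -n {name}"
        for name, _priority, _ports in find_offending_rules(rules)
    ]


# Constructed sample resembling `az network nsg rule list -o json` output.
SAMPLE_RULES_JSON = """[
  {"name": "allow-dns-udp", "access": "Allow", "direction": "Inbound",
   "priority": 100, "protocol": "Udp", "sourceAddressPrefix": "Internet",
   "destinationPortRange": "53"},
  {"name": "allow-any-proto", "access": "Allow", "direction": "Inbound",
   "priority": 110, "protocol": "*", "sourceAddressPrefix": "*",
   "destinationPortRanges": ["161", "1900"]},
  {"name": "allow-ntp-from-corp", "access": "Allow", "direction": "Inbound",
   "priority": 120, "protocol": "Udp", "sourceAddressPrefix": "10.0.0.0/8",
   "destinationPortRange": "123"},
  {"name": "deny-udp-internet", "access": "Deny", "direction": "Inbound",
   "priority": 130, "protocol": "Udp", "sourceAddressPrefix": "Internet",
   "destinationPortRange": "*"},
  {"name": "allow-https", "access": "Allow", "direction": "Inbound",
   "priority": 140, "protocol": "Tcp", "sourceAddressPrefix": "Internet",
   "destinationPortRange": "443"}
]"""
SAMPLE_RULES = json.loads(SAMPLE_RULES_JSON)


if __name__ == "__main__":
    for name, prio, ports in find_offending_rules(SAMPLE_RULES):
        print(f"{name} (priority {prio}) allows internet UDP to {ports}")
    for cmd in delete_commands("MyResourceGroup", "MyNsg", SAMPLE_RULES):
        print(cmd)
```

On the constructed sample the script reports `allow-dns-udp` and `allow-any-proto`; the rule scoped to a private CIDR, the Deny rule and the TCP-only rule are left alone. The check evaluates each rule in isolation and does not model NSG precedence (rules are processed in ascending priority order and the first match wins), so a flagged Allow that is shadowed by a lower-numbered Deny is still reported; that is the conservative choice for a clean-up pass, since the shadowing Deny may be removed later.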