no-public-egress

Explanation

Network security rules should not use very broad destination subnets such as 0.0.0.0/0.

Where possible, segments should be broken into smaller subnets so that an outbound rule only permits traffic to the destinations a workload actually needs.

Possible Impact

The port is exposed for egress to any destination on the internet.

Suggested Resolution

Set a more restrictive CIDR range as the destination address prefix.

Insecure Example

The following example will fail the azure-network-no-public-egress check.

resource "azurerm_network_security_rule" "bad_example" {
    direction = "Outbound"
    # 0.0.0.0/0 matches every IPv4 address, so this Allow rule permits egress to the whole internet
    destination_address_prefix = "0.0.0.0/0"
    access = "Allow"
}

Secure Example

The following example will pass the azure-network-no-public-egress check.

resource "azurerm_network_security_rule" "good_example" {
    direction = "Outbound"
    # Destination limited to a private /16, so egress cannot reach public address space
    destination_address_prefix = "10.0.0.0/16"
    access = "Allow"
}