no-public-ingress
Default Severity: critical
Explanation
Network security rules should not use very broad subnets.
Where possible, segments should be broken into smaller subnets.
Possible Impact
The port is exposed for ingress from the internet
Suggested Resolution
Set a more restrictive cidr range
Insecure Example
The following example will fail the azure-network-no-public-ingress check.
resource "azurerm_network_security_rule" "bad_example" {
direction = "Inbound"
source_address_prefix = "0.0.0.0/0"
access = "Allow"
}
Secure Example
The following example will pass the azure-network-no-public-ingress check.
resource "azurerm_network_security_rule" "good_example" {
direction = "Inbound"
destination_address_prefix = "10.0.0.0/16"
access = "Allow"
}