AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

Management port access from the Internet should be blocked

Azure Landing Zones (ALZ) Policy definition

Source

Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-MgmtPorts-From-Internet

Deploy policy Deny-MgmtPorts-From-Internet (2.2.0) to Azure

Display name

Management port access from the Internet should be blocked

Deny-MgmtPorts-From-Internet

Version

2.2.0
Details on versioning

Category

Network

Description

This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.

Cloud environments

AzureChinaCloud
AzureCloud
AzureUSGovernment

Mode

All

Type

Custom Azure Landing Zones (ALZ)

Preview

False

Deprecated

False

Replaces Policy

This ALZ Policy definition replaces [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)
More information on Azure Landing Zones deprecated Policy definitions

Effect

Default
Deny
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (13)

Alias	Namespace	ResourceType	Path	PathIsDefault	Modifiable
Microsoft.Network/networkSecurityGroups/securityRules/access	Microsoft.Network	networkSecurityGroups/securityRules	properties.access	True	True
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange	Microsoft.Network	networkSecurityGroups/securityRules	properties.destinationPortRange	True	True
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]	Microsoft.Network	networkSecurityGroups/securityRules	properties.destinationPortRanges[*]	True	True
Microsoft.Network/networkSecurityGroups/securityRules/direction	Microsoft.Network	networkSecurityGroups/securityRules	properties.direction	True	True
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix	Microsoft.Network	networkSecurityGroups/securityRules	properties.sourceAddressPrefix	True	True
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]	Microsoft.Network	networkSecurityGroups/securityRules	properties.sourceAddressPrefixes[*]	True	True
Microsoft.Network/networkSecurityGroups/securityRules[*]	Microsoft.Network	networkSecurityGroups	properties.securityRules[*]	True	True
Microsoft.Network/networkSecurityGroups/securityRules[*].access	Microsoft.Network	networkSecurityGroups	properties.securityRules[*].properties.access	True	True
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange	Microsoft.Network	networkSecurityGroups	properties.securityRules[*].properties.destinationPortRange	True	True
Microsoft.Network/networkSecurityGroups/securityRules[].destinationPortRanges[]	Microsoft.Network	networkSecurityGroups	properties.securityRules[].properties.destinationPortRanges[]	True	True
Microsoft.Network/networkSecurityGroups/securityRules[*].direction	Microsoft.Network	networkSecurityGroups	properties.securityRules[*].properties.direction	True	True
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix	Microsoft.Network	networkSecurityGroups	properties.securityRules[*].properties.sourceAddressPrefix	True	True
Microsoft.Network/networkSecurityGroups/securityRules[].sourceAddressPrefixes[]	Microsoft.Network	networkSecurityGroups	properties.securityRules[].properties.sourceAddressPrefixes[]	True	True

Rule resource types

IF (2)
Microsoft.Network/networkSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State
[Deprecated] Enforce recommended guardrails for Network and Networking services	Enforce-Guardrails-Network	Network	Deprecated
Enforce recommended guardrails for Network and Networking services	Enforce-Guardrails-Network_20250326	Network	GA

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2025-05-14 18:52:07	change	Minor (2.1.1 > 2.2.0)
2024-01-31 19:57:15	change	Patch (2.1.0 > 2.1.1)
2023-07-07 17:55:09	change	Minor (2.0.0 > 2.1.0)
2023-05-17 17:17:42	change	Major (1.0.0 > 2.0.0)
2023-04-06 06:17:42	add	Deny-MgmtPorts-From-Internet Replaces Policy: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)

JSON compare

compare mode: version left: version right:

JSON

EPAC