Severity: CRITICAL
Source: Trivy
ID: AVD-AZU-0047

An inbound network security rule allows traffic from /0.

Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.

Impact

The port is exposed for ingress from the internet.

Follow the appropriate remediation steps below to resolve the issue.

Set a more restrictive CIDR range on the source of the rule.

resource "azurerm_network_security_rule" "good_example" {
  direction                  = "Inbound"
  access                     = "Allow"
  # The check inspects where inbound traffic comes from, so the source prefix
  # must be narrowed; a destination prefix alone does not limit ingress.
  source_address_prefix      = "10.0.0.0/16"
  destination_address_prefix = "10.0.0.0/16"
}
Alternatively, allow ingress from a single address only. Here the source is the Azure load balancer probe address:

resource "azurerm_network_security_rule" "allow_lb_prober" {
  direction              = "Inbound"
  access                 = "Allow"
  protocol               = "Tcp"           # Probes are always TCP
  source_port_range      = "*"
  destination_port_range = "443"           # single port: use the singular attribute, not the list form
  source_address_prefix  = "168.63.129.16" # single public IP (Azure well known)
}
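As an added example (not Trivy's own implementation), a small Python checker that applies the intent of this rule to NSG rules modelled on the Terraform attributes above: only inbound Allow rules are inspected, and a source prefix is reported when it admits more than one public address. The private-range list and the single-address allowance are assumptions, the latter drawn from the allow_lb_prober example.

```python
import ipaddress

# Wildcards and service tags that mean "any source on the internet" in NSG rules.
ANY_SOURCE = {"*", "internet", "any"}

# Ranges treated as non-public. RFC 1918 plus IPv6 ULA is an assumption for this
# example; the exact set Trivy uses is not stated on the page.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_broad_public_source(prefix: str) -> bool:
    """True when an NSG source prefix admits more than one public address."""
    p = prefix.strip()
    if p.lower() in ANY_SOURCE:
        return True
    try:
        net = ipaddress.ip_network(p, strict=False)
    except ValueError:
        return False  # a service tag such as "VirtualNetwork" or "AzureLoadBalancer"
    if any(net.version == priv.version and net.subnet_of(priv) for priv in PRIVATE_NETS):
        return False
    # A single public address (like the probe IP in the second example) is narrow
    # enough; only ranges covering more than one address are reported.
    return net.num_addresses > 1


def find_public_ingress(rules):
    """Return (rule name, offending prefix) for inbound Allow rules with broad public sources.
    Each rule is a dict keyed like azurerm_network_security_rule attributes."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        prefixes = list(rule.get("source_address_prefixes", []))
        if "source_address_prefix" in rule:
            prefixes.append(rule["source_address_prefix"])
        findings.extend((rule["name"], p) for p in prefixes if is_broad_public_source(p))
    return findings


# Constructed sample rules for this example; not taken from the page.
SAMPLE_RULES = [
    {"name": "bad_example", "direction": "Inbound", "access": "Allow", "source_address_prefix": "0.0.0.0/0"},
    {"name": "good_example", "direction": "Inbound", "access": "Allow", "source_address_prefix": "10.0.0.0/16"},
    {"name": "allow_lb_prober", "direction": "Inbound", "access": "Allow", "source_address_prefix": "168.63.129.16"},
    {"name": "partner_range", "direction": "Inbound", "access": "Allow", "source_address_prefixes": ["VirtualNetwork", "198.51.100.0/24"]},
    {"name": "outbound_any", "direction": "Outbound", "access": "Allow", "source_address_prefix": "*"},
]

if __name__ == "__main__":
    for name, prefix in find_public_ingress(SAMPLE_RULES):
        print(f"{name}: source {prefix} allows ingress from the public internet")
```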