What it is
A Network Security Group with an inbound allow rule whose source is * or 0.0.0.0/0, typically on RDP (3389), SSH (22), or a database/management port. The rule lets any host on the internet reach that port, not just your network.
Why it happens
Broad rules get added "temporarily" to unblock a connection (a quick RDP into a VM, a vendor that needs access, a demo) and then never get tightened. The NSG keeps working, so nothing prompts a cleanup.
It also happens through inheritance: a permissive rule on a subnet NSG silently applies to every VM placed in that subnet later, long after the original reason is forgotten.
What it costs / blast radius
This is a security blast radius, not a bill. An exposed management port is found by automated internet-wide scanners within minutes and becomes a target for credential-stuffing and known-exploit attempts. The blast radius is the VM and everything reachable from it, which on a flat network can be most of the environment.
See it
Exposed rule (a securityRules entry in Bicep; sourcePortRange and destinationAddressPrefix are required by the resource and were missing above):

{
  name: 'allow-rdp'
  properties: {
    priority: 100
    direction: 'Inbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: '*' // anyone, anywhere
    sourcePortRange: '*'
    destinationAddressPrefix: '*'
    destinationPortRange: '3389'
  }
}

Tightened rule, same port, source limited to your corporate range:

{
  name: 'allow-rdp-corp'
  properties: {
    priority: 100
    direction: 'Inbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: '203.0.113.0/24' // your corp range only
    sourcePortRange: '*'
    destinationAddressPrefix: '*'
    destinationPortRange: '3389'
  }
}

How StratoLens helps
StratoLens evaluates NSG rules across every subscription and flags inbound allows from 0.0.0.0/0 on sensitive ports, and because it tracks change history, it shows you the moment a "temporary" broad rule was added and never removed. Exposure gets caught as a finding instead of in an incident.
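The check described above, written out as an added example (not StratoLens code): it walks an NSG in the JSON shape the az CLI returns, expands port ranges, treats *, 0.0.0.0/0, ::/0 and the Internet service tag as "anyone", and suppresses a finding only when an any-source Deny with a lower priority number already covers that port. The sample NSG, the sensitive-port list and the _rule builder are constructed for this example.

```python
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet"}  # source values that mean "anyone"
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}  # assumption

def _port_set(props: dict) -> set[int]:
    """Expand destinationPortRange(s) such as '*', '22' or '3000-4000' into a set of ints."""
    raw = props.get("destinationPortRanges") or [props.get("destinationPortRange", "")]
    ports: set[int] = set()
    for item in raw:
        if str(item).strip() == "*":
            return set(range(65536))
        lo, _, hi = str(item).partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _open_to_world(props: dict) -> bool:
    """True when any source prefix, or the Internet service tag, admits every host."""
    srcs = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "")]
    return any(str(s).strip().lower() in ANY_SOURCE for s in srcs)

def find_exposed_rules(nsg: dict) -> list[tuple[str, int, str]]:
    """(rule, port, service) for each sensitive port an inbound Allow opens to the internet.
    An any-source Deny with a lower priority number and matching protocol shadows it."""
    rules = nsg["properties"]["securityRules"]
    inbound = [r for r in rules if r["properties"]["direction"].lower() == "inbound"]
    denies = [r["properties"] for r in inbound
              if r["properties"]["access"].lower() == "deny" and _open_to_world(r["properties"])]
    findings = []
    for rule in inbound:
        p = rule["properties"]
        if p["access"].lower() != "allow" or not _open_to_world(p):
            continue
        for port in sorted(_port_set(p) & set(SENSITIVE_PORTS)):
            shadowed = any(d["priority"] < p["priority"] and port in _port_set(d)
                           and d["protocol"].lower() in ("*", p["protocol"].lower())
                           for d in denies)
            if not shadowed:
                findings.append((rule["name"], port, SENSITIVE_PORTS[port]))
    return findings

def _rule(name, prio, access, src, ports, proto="Tcp"):  # builder for the sample below
    return {"name": name, "properties": {"priority": prio, "direction": "Inbound", "access": access,
            "protocol": proto, "sourceAddressPrefix": src, "destinationPortRanges": ports}}

# Constructed sample NSG in az CLI JSON shape, not output from a real subscription
SAMPLE_NSG = {"name": "web-nsg", "properties": {"securityRules": [
    _rule("allow-rdp", 100, "Allow", "*", ["3389"]),                      # flagged
    _rule("deny-sql-internet", 150, "Deny", "Internet", ["1433"], "*"),
    _rule("allow-mgmt", 200, "Allow", "0.0.0.0/0", ["22", "1433-1434"]),  # 22 flagged, 1433 shadowed
    _rule("allow-rdp-corp", 300, "Allow", "203.0.113.0/24", ["3389"]),    # corp range only
]}}
```

Running find_exposed_rules(SAMPLE_NSG) reports allow-rdp on 3389 and allow-mgmt on 22, and nothing for the shadowed SQL port or the corp-only RDP rule.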