Security / High / Common / AZF-0006

An NSG rule allowing 0.0.0.0/0 inbound puts a management port on the public internet

A single inbound allow rule with source Any (0.0.0.0/0) on a management port turns a VM into a target for the internet's background scanning traffic.

Footgun ID: AZF-0006 (Azure Footgun No. 6)
Azure service: Azure Network Security Groups
Resource type: Microsoft.Network/networkSecurityGroups
Updated: July 1, 2026

What it is

A Network Security Group with an inbound allow rule whose source is Any (written as * or 0.0.0.0/0), typically on RDP (3389), SSH (22), or a database/management port. The rule lets any host on the internet reach that port, not just hosts on your own network.

Impact (security): exposed RDP/SSH or management ports reachable from the entire internet.
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Broad rules get added "temporarily" to unblock something: a quick RDP into a VM, a vendor that needs access, a demo. They then never get tightened. The NSG keeps working, so nothing prompts a cleanup.

It also happens through inheritance: a permissive rule on a subnet NSG silently applies to every VM placed in that subnet later, long after the original reason is forgotten.

What it costs / blast radius

This is a security blast radius, not a bill. An exposed management port is found by automated internet-wide scanners within minutes and becomes a target for credential-stuffing and known-exploit attempts. The blast radius is the VM and everything reachable from it, which on a flat network can be most of the environment.

See it

Footgun: RDP open to the entire internet (a securityRules entry in Bicep syntax)
{
  name: 'allow-rdp'
  properties: {
    priority: 100
    direction: 'Inbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: '*'        // anyone, anywhere (same meaning as 0.0.0.0/0)
    sourcePortRange: '*'            // required by the resource schema; any client port
    destinationAddressPrefix: '*'   // required by the resource schema; every NIC the NSG covers
    destinationPortRange: '3389'    // RDP
  }
}
Fix: scope the source, or remove the rule and use Bastion / just-in-time access
{
  name: 'allow-rdp-corp'
  properties: {
    priority: 100
    direction: 'Inbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: '203.0.113.0/24'   // your corp range only
    sourcePortRange: '*'
    destinationAddressPrefix: '*'
    destinationPortRange: '3389'
  }
}
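As an added example (not code from the original page and not StratoLens's implementation), a small Python check for this footgun: it walks inbound rules in priority order, the way the NSG itself evaluates them, and reports each sensitive TCP port whose first internet-wide match is an Allow, so a higher-priority Deny correctly suppresses a shadowed Allow and a source scoped to a corporate range does not count. It also handles the plural sourceAddressPrefixes / destinationPortRanges forms and port ranges like 5985-5986, going beyond the single-rule case shown above. The SENSITIVE_PORTS list, the ANY_SOURCES set and SAMPLE_RULES are assumptions constructed for the example, in the shape of az network nsg rule list output.

```python
# Ports treated as management/database ports (assumed list for this example).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 5985, 5986}
# Source values meaning "any host on the internet" ('Internet' is the Azure service tag).
ANY_SOURCES = {"*", "0.0.0.0/0", "internet"}

def _values(props, single, plural):
    """Collapse Azure's single/plural pair (e.g. destinationPortRange[s]) into one list."""
    return [props[single]] if props.get(single) else (props.get(plural) or [])

def port_matches(spec, port):
    """True if an NSG port spec ('*', '3389' or '3000-4000') covers `port`."""
    if str(spec).strip() == "*":
        return True
    lo, _, hi = str(spec).partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_any_source(props):
    sources = _values(props, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(str(s).lower() in ANY_SOURCES for s in sources)

def exposed_ports(rules, ports=SENSITIVE_PORTS):
    """Map port -> rule name where the first internet-wide inbound match for that TCP port is an Allow."""
    inbound = sorted((r for r in rules if r["properties"]["direction"].lower() == "inbound"),
                     key=lambda r: r["properties"]["priority"])  # lowest number wins
    findings = {}
    for port in sorted(ports):
        for rule in inbound:
            p = rule["properties"]
            if p.get("protocol", "*").lower() not in ("*", "tcp"):
                continue
            if not any(port_matches(s, port) for s in _values(p, "destinationPortRange", "destinationPortRanges")):
                continue
            if not is_any_source(p):
                continue  # scoped source decides nothing for an arbitrary internet address
            if p["access"].lower() == "allow":
                findings[port] = rule["name"]
            break  # first internet-wide match decides; a higher-priority Deny shadows later Allows
    return findings

# Constructed sample in the shape of `az network nsg rule list` output.
SAMPLE_RULES = [
    {"name": "allow-rdp", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "allow-ssh-corp", "properties": {"priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}},
    {"name": "deny-sql", "properties": {"priority": 120, "direction": "Inbound", "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "1433"}},
    {"name": "allow-sql-shadowed", "properties": {"priority": 130, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "1433"}},
    {"name": "allow-winrm", "properties": {"priority": 140, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["5985-5986", "8080"]}},
]

if __name__ == "__main__":
    print(exposed_ports(SAMPLE_RULES))  # {3389: 'allow-rdp', 5985: 'allow-winrm', 5986: 'allow-winrm'}
```

Feeding it the real output of az network nsg rule list --nsg-name NAME -g RG reproduces the check over a live NSG; the Azure default rules (priority 65000 and up) only ever deny internet traffic, so they do not add findings.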

How StratoLens helps

StratoLens evaluates NSG rules across every subscription and flags inbound allows from 0.0.0.0/0 on sensitive ports. Because it tracks change history, it also shows the moment a "temporary" broad rule was added and never removed. Exposure gets caught as a finding instead of in an incident.
