azure-network-public-udp¶
Ensure that UDP Services are restricted from the Internet
User Datagram Protocol (UDP) is a connection-less protocol. When UDP is allowed inbound access to your Azure cloud services, it creates an attack surface that can be used for a distributed reflective denial-of-service (DRDoS) against virtual machines (VMs). The UDP-based amplification attack is a form of a distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP services and bandwidth amplification factors (BAFs) to overwhelm a victim’s system with UDP traffic.
Examples¶
Insecure Example
resource "azurerm_network_security_rule" "example" {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "internet"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
Secure Example
resource "azurerm_network_security_rule" "example" {
name = "test123"
priority = 100
direction = "Inbound"
access = "Deny"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "internet"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}