01 Run network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups (and the name of their associated resource groups) available in the current Azure subscription:
az network nsg list
--output table
--query '[*].{name:name, resourceGroup:resourceGroup}'
02 The command output should return a table with requested resource information:
Name ResourceGroup
------------------------ ------------------------------
cc-production-server-nsg cloud-shell-storage-westeurope
cc-staging-app-server-nsg cloud-shell-storage-westeurope
03 Run network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and its associated resource group as identifier parameters to describe the MSSQL inbound rule defined for the selected network security group using custom query filtering:
az network nsg rule list
--nsg-name cc-production-server-nsg
--resource-group cloud-shell-storage-westeurope
--query "[?direction=='Inbound' && access=='Allow' && protocol=='TCP' && (destinationPortRange=='1433')]"
04 The command output should return the requested security group rule metadata or an empty array, i.e. [], if there are no MSSQL rules created for TCP port 1433:
[
{
"access": "Allow",
"description": null,
"destinationAddressPrefix": "*",
"destinationAddressPrefixes": [],
"destinationApplicationSecurityGroups": null,
"destinationPortRange": "1433",
"destinationPortRanges": [],
"direction": "Inbound",
"etag": "W/\"abcdabcd-abcd-abcd-abcd-abcdabcdabcd\"",
"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-production-server-nsg/securityRules/selectedPort",
"name": "MSSQL",
"priority": 100,
"protocol": "TCP",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"sourceAddressPrefix": "*"
,
"sourceAddressPrefixes": [],
"sourceApplicationSecurityGroups": null,
"sourcePortRange": "*",
"sourcePortRanges": [],
"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
]
If the "
sourceAddressPrefix" attribute value is set to "
*", "
internet" or "
any", the selected network security group (NSG) allows unrestricted traffic on TCP port 1433, therefore the MSSQL inbound access to the associated Microsoft Azure virtual machine(s) is not secured.
05 Repeat step no. 3 and 4 for each Azure network security group created within the selected subscription.
06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.