01 Run network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups (and the name of their associated resource groups) available in the current Azure subscription:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
az network nsg list
--output table
--query '[*].{name:name, resourceGroup:resourceGroup}'
02 The command output should return a table with requested resource information:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
Name ResourceGroup
------------------------ ------------------------------
cc-production-server-nsg cloud-shell-storage-westeurope
cc-staging-app-server-nsg cloud-shell-storage-westeurope
03 Run az network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and its associated resource group as identifier parameters to describe the Telnet inbound rule defined for the selected network security group using custom query filtering:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
az network nsg rule list
--nsg-name cc-production-server-nsg
--resource-group cloud-shell-storage-westeurope
--query "[?direction=='Inbound' && access=='Allow' && protocol=='TCP' && (destinationPortRange=='23')]"
04 The command output should return the requested security group rule metadata or an empty array, i.e. [], if there are no Telnet rules created for TCP port 23:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
[
{
"access": "Allow",
"description": null,
"destinationAddressPrefix": "*",
"destinationAddressPrefixes": [],
"destinationApplicationSecurityGroups": null,
"destinationPortRange": "23",
"destinationPortRanges": [],
"direction": "Inbound",
"etag": "W/\"abcdabcd-abcd-abcd-abcd-abcdabcdabcd\"",
"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-production-server-nsg/securityRules/selectedPort",
"name": "Telnet",
"priority": 100,
"protocol": "TCP",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"sourceAddressPrefix": "*"
,
"sourceAddressPrefixes": [],
"sourceApplicationSecurityGroups": null,
"sourcePortRange": "*",
"sourcePortRanges": [],
"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
]
If the "
sourceAddressPrefix" attribute value is set to "
*", "
internet" or "
any", the selected network security group (NSG) allows unrestricted traffic on TCP port 23, therefore the Telnet inbound access to the associated Microsoft Azure virtual machine(s) is not secured.
05 Repeat step no. 3 and 4 for each Azure network security group created within the selected subscription.
06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.