How to protect a Virtual Machine on Azure from being attacked by specific IP ranges on port 1433

Marc Troch 0 Reputation points
2023-12-05T08:41:37.5766667+00:00

How can I protect a Virtual Machine on Azure from being attacked by specific IP ranges on port 1433?

Azure DDos Protection
Azure DDos Protection
An Azure service that provides defense against distributed denial-of-service (DDoS) attacks.
71 questions
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
8,174 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,875 questions
{count} votes

1 answer

Sort by: Most helpful
  1. GitaraniSharma-MSFT 49,666 Reputation points Microsoft Employee
    2023-12-05T12:21:44.13+00:00

    Hello @Marc Troch ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how to protect an Azure Virtual Machine from being attacked by specific IP ranges on port 1433.

    The basic network security recommendation for Azure Virtual Machines is to use network security groups (NSG) to restrict or monitor traffic by port, protocol, source IP address, or destination IP address.

    So, you can only allow specific IP ranges on port 1433 of your VM and restrict/deny the rest.

    Refer: https://zcusa.951200.xyz/en-us/security/benchmark/azure/baselines/virtual-machines-windows-virtual-machines-security-baseline#network-security

    You can also use just-in-time (JIT) VM access to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy connections to VMs when they're needed.

    Refer: https://zcusa.951200.xyz/en-us/azure/virtual-machines/security-recommendations#networking

    https://zcusa.951200.xyz/en-us/azure/defender-for-cloud/just-in-time-access-usage

    https://zcusa.951200.xyz/en-us/azure/defender-for-cloud/tutorial-protect-resources

    To monitor your network for unknown or undesired traffic, you can use Network security groups flow logging feature available in Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group.

    Refer: https://zcusa.951200.xyz/en-us/security/benchmark/azure/security-control-network-security

    https://zcusa.951200.xyz/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

    For broader Azure network security options and recommendations, please refer the below docs:

    https://zcusa.951200.xyz/en-us/azure/security/fundamentals/network-overview

    https://zcusa.951200.xyz/en-us/security/benchmark/azure/security-control-network-security

    If interested, you can enable DDoS Standard protection on your Azure Virtual Networks to guard against DDoS attacks.

    Refer: https://zcusa.951200.xyz/en-us/azure/ddos-protection/ddos-protection-reference-architectures

    You can also deploy Azure Firewall for network traffic filtering and enable/configure Threat Intelligence to "Alert and deny" for malicious network traffic.

    Refer: https://zcusa.951200.xyz/en-us/azure/firewall/overview

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.