Azure NSGs are evaluated for inbound rules that allow public HTTP access on TCP 80 (including rules whose destination port range covers 80) from a source of 0.0.0.0/0, Internet, or *.
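The following is an added example, not Prowler's own check code, showing the evaluation described above as a small rule filter. It assumes rules shaped like the JSON returned by `az network nsg rule list` (camelCase keys such as `destinationPortRange`, `destinationPortRanges`, `sourceAddressPrefix`, `sourceAddressPrefixes`), and the sample rules are constructed for illustration. Unlike a full NSG evaluator, it ignores priority ordering, so a higher-priority Deny rule would not suppress a finding here.

```python
"""Flag NSG inbound rules that allow TCP 80 from the public Internet.

Added example (not Prowler's code). Rule dicts mirror the camelCase
shape of `az network nsg rule list` output (an assumption).
"""
from typing import Dict, List

# Source values Azure treats as "anywhere" (compared case-insensitively).
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "internet"}
HTTP_PORT = 80


def port_spec_covers(spec: str, port: int) -> bool:
    """True if one port spec ('*', '80', or 'low-high') covers `port`."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_ports(rule: Dict) -> List[str]:
    """Merge the singular and plural destination port fields."""
    ports = list(rule.get("destinationPortRanges") or [])
    single = rule.get("destinationPortRange")
    if single:
        ports.append(single)
    return ports


def rule_sources(rule: Dict) -> List[str]:
    """Merge the singular and plural source address fields."""
    sources = list(rule.get("sourceAddressPrefixes") or [])
    single = rule.get("sourceAddressPrefix")
    if single:
        sources.append(single)
    return sources


def is_public_http_allow(rule: Dict) -> bool:
    """Inbound + Allow + (TCP or Any) + public source + port 80 covered."""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("access", "").lower() != "allow":
        return False
    if rule.get("protocol", "").lower() not in ("tcp", "*"):
        return False
    if not any(s.lower() in PUBLIC_SOURCES for s in rule_sources(rule)):
        return False
    return any(port_spec_covers(p, HTTP_PORT) for p in rule_ports(rule))


def find_public_http_rules(rules: List[Dict]) -> List[str]:
    """Return the names of rules that expose TCP 80 publicly."""
    return [r["name"] for r in rules if is_public_http_allow(r)]


# Constructed sample rules; only the first two should be flagged.
SAMPLE_RULES = [
    {"name": "allow-http-any", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "80",
     "sourceAddressPrefix": "*"},
    {"name": "allow-web-range", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRanges": ["0-1023"],
     "sourceAddressPrefixes": ["Internet"]},
    {"name": "allow-https", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "443",
     "sourceAddressPrefix": "Internet"},
    {"name": "allow-http-corp", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "80",
     "sourceAddressPrefix": "10.0.0.0/8"},
    {"name": "deny-http", "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "80",
     "sourceAddressPrefix": "0.0.0.0/0"},
    {"name": "allow-http-out", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "80",
     "sourceAddressPrefix": "*"},
]

if __name__ == "__main__":
    for name in find_public_http_rules(SAMPLE_RULES):
        print(f"FAIL: rule {name} allows TCP 80 from the Internet")
```

The range handling is the part worth copying: a rule for `0-1023` or `*` exposes port 80 just as much as an explicit `80`, and a reviewer scanning only for the literal "80" would miss it.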
Risk
Exposing TCP 80 to the Internet increases attack surface:
- Web recon and exploits compromise integrity and availability
- Cleartext HTTP can leak credentials, cookies, and data, harming confidentiality
- Public endpoints enable bot abuse and footholds for lateral movement
Run this check with Prowler CLI
prowler azure --checks network_http_internet_access_restricted
Recommendation
Apply least privilege at NSGs:
- Remove broad allows to TCP 80, or restrict them to trusted sources
- Enforce HTTPS (443) and redirect or block HTTP
- Use private access patterns and segmentation for defense in depth
- If exposure is necessary, place services behind a WAF, enable DDoS protections, and monitor
Remediation
CLI
az network nsg rule update --resource-group <RESOURCE_GROUP> --nsg-name <NSG_NAME> --name <RULE_NAME> --access Deny
Native IaC
Terraform
Other
- In Azure Portal, go to Network Security Groups and select your NSG
- Open Inbound security rules
- Find any rule with Action Allow, Protocol TCP or Any, Destination port 80 (or range including 80), and Source Internet/*/0.0.0.0/0
- Select the rule and click Edit
- Change Action to Deny (or delete the rule)
- Click Save
Resource Type
microsoft.network/networksecuritygroups