0
votes

So I've deployed an Azure Container Instance Group in a private Subnet & VNET where the default inbound rules on the NSG applies.

There isn't a public IP allocated (as expected); however, I am still able to leverage the Azure CLI to execute scripts with the following command from a public IP.

az container exec --resource-group myResourceGroup --name myContainer --exec-command /bin/bash

Ideally, the NSG inbound rules should have disallowed such invocation from outside the internal VNET IP address range. Likewise, az container logs & az container logs attach are also able to retrieve the logs from the said container instance. My question is therefore: why? How is it that these inbound calls are not blocked?


1 Answer

0
votes

Because these are not inbound calls. These are calls to the Azure REST API, which in turn does something on your behalf. So in essence this is the same as creating a storage account or shutting down a virtual machine from the portal. There should be a provider operation that would be responsible for invoking that action. You can create a deny role assignment (with Azure Blueprints) or craft roles in such a fashion that a user wouldn't have access to that particular action.
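As an added example of the "craft roles" option (my own, not part of the answer above): a custom role definition that keeps ordinary container-group management rights but excludes the control-plane operations behind az container exec, logs and attach. The operation names are the Microsoft.ContainerInstance provider's; the role name and the subscription id in AssignableScopes are placeholders.

```json
{
  "Name": "Container Group Operator (no exec, no logs)",
  "IsCustom": true,
  "Description": "Added example role: manage container groups, but no interactive exec, log read or attach. Role name and scope are placeholders.",
  "Actions": [
    "Microsoft.ContainerInstance/containerGroups/*"
  ],
  "NotActions": [
    "Microsoft.ContainerInstance/containerGroups/containers/exec/action",
    "Microsoft.ContainerInstance/containerGroups/containers/logs/read",
    "Microsoft.ContainerInstance/containerGroups/containers/attach/action"
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```

Register it with az role definition create --role-definition @role.json and assign it instead of Contributor; a user holding only this role then gets an authorization error from the REST API on az container exec, regardless of the NSG, which never saw that call in the first place.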