Adding deny all rule to Azure Bastion nsg

infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md

@@ -36,6 +36,7 @@ parVpnGatewayConfig | No       | Configuration for VPN virtual network gateway t
 parExpressRouteGatewayConfig | No       | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": {   "value": {} }
 parTags        | No       | Tags you would like to be applied to all resources in this module.
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+parBastionOutboundSshRdpPorts | No       | Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.
 
 ### parLocation
 
@@ -283,6 +284,14 @@ Set Parameter to true to Opt-out of deployment telemetry.
 
 - Default value: `False`
 
+### parBastionOutboundSshRdpPorts
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.
+
+- Default value: `22 3389`
+
 ## Outputs
 
 Name | Type | Description
@@ -509,6 +518,12 @@ outHubVirtualNetworkId | string |
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parBastionOutboundSshRdpPorts": {
+            "value": [
+                "22",
+                "3389"
+            ]
         }
     }
 }

infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep

@@ -235,6 +235,9 @@ param parTags object = {}
 @sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
 param parTelemetryOptOut bool = false
 
+@sys.description('Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.')
+param parBastionOutboundSshRdpPorts array = ['22','3389']
+
 var varSubnetProperties = [for subnet in parSubnets: {
   name: subnet.name
   properties: {
@@ -373,6 +376,19 @@ resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
           ]
         }
       }
+      {
+        name: 'DenyAllInbound'
+        properties: {
+          access: 'Deny'
+          direction: 'Inbound'
+          priority: 4096
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: '*'
+          protocol: '*'
+          sourcePortRange: '*'
+          destinationPortRange: '*'
+        }
+      }
       // Outbound Rules
       {
         name: 'AllowSshRDPOutbound'
@@ -384,10 +400,7 @@ resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
           destinationAddressPrefix: 'VirtualNetwork'
           protocol: '*'
           sourcePortRange: '*'
-          destinationPortRanges: [
-            '22'
-            '3389'
-          ]
+          destinationPortRanges: parBastionOutboundSshRdpPorts
         }
       }
       {
@@ -432,6 +445,19 @@ resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
           destinationPortRange: '80'
         }
       }
+      {
+        name: 'DenyAllOutbound'
+        properties: {
+          access: 'Deny'
+          direction: 'Outbound'
+          priority: 4096
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: '*'
+          protocol: '*'
+          sourcePortRange: '*'
+          destinationPortRange: '*'
+        }
+      }
     ]
   }
 }

infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json

@@ -205,6 +205,9 @@
     },
     "parTelemetryOptOut": {
       "value": false
+    },
+    "parBastionOutboundSshRdpPorts": {
+      "value": ["22","3389"]
     }
   }
 }

infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json

@@ -167,6 +167,9 @@
     },
     "parTelemetryOptOut": {
       "value": false
+    },
+    "parBastionOutboundSshRdpPorts": {
+      "value": ["22","3389"]
     }
   }
 }