One of our customers uses Azure proxy appliances for moving capacity tier data to archive tier. The customer has several sites in different countries with different Veeam backup servers on each site. Every site has a static external IP address but no Site-to-Site VPN connection to Azure.
Every time a new proxy appliance gets deployed by Veeam, it is openly available over port 22 on the Internet. Azure Sentinel detects SSH brute force attacks from IP addresses all over the world that have nothing to do with the different Veeam sites of the customer.
Since the appliances and their network security groups get deployed now and then, it is not possible for us to only allow SSH access for the customer's own external IP addresses.
How can we fix this security issue without creating Site2Site VPNs for every customer site?
(object-storage-f52/ssh-access-to-veeam- ... 75229.html and registry key "ArchiveFreezingUsePrivateIpForAzureAppliance" only work with VPN/Express Route)
Thanks!
- Enthusiast
- Posts: 32
- Liked: 5 times
- Joined: Apr 11, 2018 7:47 am
- Chief Product Officer
- Posts: 31796
- Liked: 7297 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: NSG rules for Azure proxy appliance (Archive Tier)
Hello! I would not worry about this at all as there are millions of servers on the Internet openly available over port 22... so it's not some special or unique condition, or "security issue" per se. Especially when we're talking about short-lived helper appliances. However, if this is not acceptable for whatever reason, then I don't really see any options except leveraging VPNs, as Veeam needs to control the appliance remotely somehow. Thanks!
Re: NSG rules for Azure proxy appliance (Archive Tier)
Hello Gostev, Thank you for your answer! I will show the explanation to the customer so that he can decide.