Can we disable ports open to the Internet on Azure Virtual Network Gateway?

Question

Hello Team, We are using Azure Virtual Network Gateway for site-to-site VPN. Our security team ran a vulnerability scan on the gateway public IP address and found out a few ports are open to the Internet:

Can you please provide us information what is the purpose of those ports? Can they be disabled? Will disabling them affect the VPN connection?

Answer 1

Hi,

What you are seeing is normal. The ports are used for Azure infrastructure communication. No they cannot be disabled.

Below is quote from VPN Gateway FAQ:

Why are certain ports opened on my virtual network gateway?

They're required for Azure infrastructure communication. They're protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, won't be able to cause any effect on those endpoints.A virtual network gateway is fundamentally a multi-homed device with one NIC tapping into the customer private network, and one NIC facing the public network. Azure infrastructure entities can't tap into customer private networks for compliance reasons, so they need to utilize public endpoints for infrastructure communication. The public endpoints are periodically scanned by Azure security audit.

VPN Gateway FAQ - Why are certain ports opened on my virtual network gateway?

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#gatewayports

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP