bridgecrewio · davimmt · Aug 11, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 21, 2025
diff --git a/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py b/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py
@@ -5,16 +5,17 @@
 from checkov.common.util.type_forcers import force_list
 import re
 
-INTERNET_ADDRESSES = ("*", "0.0.0.0", "<nw>/0", "/0", "internet", "any")  # nosec
+INTERNET_ADDRESSES = re.compile(r"^(\*|internet|any|0\.0\.0\.0|.*/0)$", re.IGNORECASE)
 PORT_RANGE = re.compile(r"\d+-\d+")
 
 
 class NSGRulePortAccessRestricted(BaseResourceCheck):
-    def __init__(self, name: str, check_id: str, port: int) -> None:
+    def __init__(self, name: str, check_id: str, port: int, additional_protocols: Union[List[str]] = []) -> None:
         supported_resources = ("azurerm_network_security_rule", "azurerm_network_security_group")
         categories = (CheckCategories.NETWORKING,)
         super().__init__(name=name, id=check_id, categories=categories, supported_resources=supported_resources)
         self.port = port
+        self.additional_protocols = additional_protocols
 
     def is_port_in_range(self, ports: Union[int, str, List[Union[int, str]]]) -> bool:
         for range in force_list(ports):
@@ -53,7 +54,7 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
                 and direction
                 and direction[0].lower() == "inbound"
                 and protocol
-                and protocol[0].lower() in ("tcp", "*")
+                and protocol[0].lower() in (("tcp", "*") + tuple(self.additional_protocols))
                 and (
                     (
                         destination_port_range
@@ -69,14 +70,13 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
                     (
                         source_address_prefix
                         and isinstance(source_address_prefix[0], str)
-                        and source_address_prefix[0].lower() in INTERNET_ADDRESSES  # fmt: skip
+                        and bool(INTERNET_ADDRESSES.match(source_address_prefix[0]))
                     )
                     or (
                         source_address_prefixes
                         and source_address_prefixes[0]
                         and isinstance(source_address_prefixes[0], list)
-                        and any((isinstance(prefix, str) and prefix.lower()) in INTERNET_ADDRESSES for prefix in
-                                source_address_prefixes[0])
+                        and any(isinstance(prefix, str) and INTERNET_ADDRESSES.match(prefix) for prefix in source_address_prefixes[0])
                     )
                 )
             ):

diff --git a/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py b/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py
@@ -7,6 +7,7 @@ def __init__(self) -> None:
             name="Ensure that RDP access is restricted from the internet",
             check_id="CKV_AZURE_9",
             port=3389,
+            additional_protocols=["udp"]
         )
 
 

diff --git a/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf b/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf
@@ -130,8 +130,44 @@ resource "azurerm_network_security_group" "ranges" {
   }
 }
 
+resource "azurerm_network_security_rule" "f_source_slash_zero" {
+  name                        = "example"
+  access                      = "Allow"
+  direction                   = "Inbound"
+  network_security_group_name = "azurerm_network_security_group.example.name"
+  priority                    = 100
+  protocol                    = "Tcp"
+  resource_group_name         = "azurerm_resource_group.example.name"
+
+  destination_port_range  = 3389
+  source_address_prefix   = "0/0"
+  destination_port_ranges = null
+  source_address_prefixes = null
+}
+
 # lower case
 
+resource "azurerm_network_security_rule" "f_ranges_udp_lower_case" {
+  name                        = "example"
+  access                      = "allow"
+  direction                   = "inbound"
+  network_security_group_name = "azurerm_network_security_group.example.name"
+  priority                    = 100
+  protocol                    = "udp"
+  resource_group_name         = "azurerm_resource_group.example.name"
+
+  destination_port_range = null
+  source_address_prefix  = null
+  destination_port_ranges = [
+    3389,
+    443
+  ]
+  source_address_prefixes = [
+    "0.0.0.0/0",
+    "10.0.0.0/16"
+  ]
+}
+
 resource "azurerm_network_security_rule" "ranges_prefixes_lower_case" {
   name                        = "example"
   access                      = "allow"

diff --git a/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py b/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py
@@ -31,6 +31,8 @@ def test(self):
             "azurerm_network_security_group.ranges",
             "azurerm_network_security_rule.ranges_prefixes_lower_case",
             "azurerm_network_security_rule.range_prefix_lower_case",
+            "azurerm_network_security_rule.f_source_slash_zero",
+            "azurerm_network_security_rule.f_ranges_udp_lower_case",
         }
 
         passed_check_resources = {c.resource for c in report.passed_checks}