When creating a VM with the new Resource Manager, I can see that the default Network Security Group restricts every incoming access to all ports (except the administration port, SSH/RDP), which makes sense.
But how about if I install some software on the VM which requests UPnP to its gateway? Would the NetworkSecurityGroup allow its incoming traffic by default? Do I need to install a firewall in the guest to prevent this?
There is no official documentation on this, but port forwarding is allowed via UPnP. Today I have set up a parity node on a new Azure VM (using the ResourceManager) and it did allow the incoming connections on port 30303 despite not having the port allowed in the Network Security Group for that VM. parity is using UPnP by default to allow incoming connections to receive the blockchain data.
IMHO more people should be aware of this possible (in)security behavior with the Azure firewall.
