Internet exposure analysis

Important

Attention: All Microsoft Defender for Cloud features will be officially retired in the Azure in China region on August 18, 2026, per the announcement posted by 21Vianet.

Internet Exposure Analysis is a key capability that helps organizations identify which cloud resources are exposed to the public internet, whether intentionally or unintentionally, and prioritize remediation based on the risk and scope of that exposure.

Defender for Cloud uses internet exposure to determine the risk level of your misconfigurations. This enables high-quality posture insights across risk-based posture assessments and drives signal prioritization across the Defender for Cloud posture experience.

How Defender for Cloud detects internet exposure

Defender for Cloud determines if a resource is exposed to the internet by analyzing both:

  1. Control-plane configuration (e.g., public IPs, load balancers)
  2. Network-path reachability (analyzing routing, security and firewall rules)

Detecting internet exposure can be as simple as checking if a virtual machine (VM) has a public IP address. However, the process can be more complex. Defender for Cloud attempts to locate internet-exposed resources in complex multicloud architectures. For example, a VM might not be directly exposed to the internet but could be behind a load balancer, which distributes network traffic across multiple servers to ensure no single server becomes overwhelmed.

The following table lists the resources that Defender for Cloud assesses for internet exposure:

Category                  Services/Resources
Virtual machines          Azure VM
Virtual machine clusters  Azure Virtual Machine Scale Set
Databases (DB)            Azure SQL, Azure PostgreSQL, Azure MySQL, Azure SQL Managed Instance, Azure MariaDB, Azure Cosmos DB, Azure Synapse
Storage                   Azure Storage
AI                        Azure OpenAI Service, Azure AI Services, Azure Cognitive Search
Containers                Azure Kubernetes Service (AKS)
API                       Azure API Management Operations

The following table lists the network components that Defender for Cloud assesses for internet exposure:

Category            Services/Resources
Network components  Azure Application Gateway, Load Balancer, Azure Firewall, Network Security Groups, vNet/Subnets

Internet Exposure Width

Note

Internet Exposure Width, including its risk factors, applies only to compute instances: Azure VMs and VMSS compute instances.

Internet Exposure Width represents the risks based on how broadly a resource (e.g. virtual machine) is exposed to the public internet. It plays a critical role in helping security teams understand not just whether a resource is internet-exposed, but how wide or narrow that exposure is, influencing the criticality and prioritization of security insights presented in attack paths and security recommendations.

How It Works

Defender for Cloud automatically analyzes your internet-facing resources and tags them as wide exposure or narrow exposure according to the networking rules. The output is tagged either as wide exposure and

  • Attack paths that involve widely exposed resources now clearly indicate this in the title, such as "Widely internet exposed virtual machines has high permissions to storage account".
  • The calculated exposure width is then used in attack path generation and risk-based recommendations, adding specific labels to those experiences so that you can correctly prioritize the severity of the findings.
  • A new "Exposure width" insight is available on the Cloud Security Explorer, allowing users to query all supported resources that are widely exposed.
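The two-input detection described under "How Defender for Cloud detects internet exposure" and the wide/narrow tagging described in this section, as an added illustration that is not Defender for Cloud's own code: a constructed model in which a VM is internet-reachable only when a control-plane path exists (public IP or public load balancer) and the effective inbound NSG rules, evaluated in priority order, let internet-sourced traffic through. The classes, the `assess` function, the port-level evaluation and the rule "any-source allow = wide, specific public prefix = narrow" are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed model of the page's two inputs: control-plane configuration (public IP, public
# load balancer) and network-path reachability (inbound NSG rules). Width rule is an assumption.
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}
INTERNAL = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

@dataclass
class NsgRule:
    priority: int
    access: str            # "Allow" or "Deny"
    source: str            # "*", a service tag such as "Internet", or a CIDR
    dest_port: str = "*"   # "*" or a single port, as a string

@dataclass
class Vm:
    public_ip: bool = False         # control plane: public IP attached to the NIC
    behind_public_lb: bool = False  # control plane: backend of a load balancer with a public frontend
    nsg_rules: list = field(default_factory=list)  # effective inbound NSG rules

def _is_public(source: str) -> bool:
    # True when the rule source can include internet addresses.
    if source in ANY_SOURCES:
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # other service tags (VirtualNetwork, AzureLoadBalancer, ...) are not internet
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def first_match(rules, port: str):
    # Walk rules by priority, as an NSG does; return the first that decides internet traffic.
    for r in sorted(rules, key=lambda r: r.priority):
        if r.dest_port not in ("*", port):
            continue
        if r.access == "Deny" and r.source in ANY_SOURCES:
            return r  # a broad deny closes the port to the whole internet
        if r.access == "Allow" and _is_public(r.source):
            return r  # a public-sourced allow opens the path
    return None       # falls through to the default DenyAllInbound rule

def assess(vm: Vm, port: str = "22") -> str:
    # Return 'not exposed', 'narrow' or 'wide' for one destination port.
    if not (vm.public_ip or vm.behind_public_lb):
        return "not exposed"  # no control-plane path from the internet at all
    rule = first_match(vm.nsg_rules, port)
    if rule is None or rule.access == "Deny":
        return "not exposed"  # reachable in the control plane, but the network path is blocked
    return "wide" if rule.source in ANY_SOURCES else "narrow"  # assumption: any-source allow = wide
```

A VM behind a public load balancer with a priority-100 deny from "Internet" on port 22 and a priority-200 allow from "*" evaluates as not exposed on 22 but widely exposed on 443, which is the kind of per-path result the width label summarizes.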

How to view internet exposed resources

Defender for Cloud offers a few different ways to view internet-facing resources.

  • Recommendations - Defender for Cloud prioritizes recommendations based on their exposure to the internet.