`az vm/vmss create`: `--nsg-rule` should default to `NONE`

[jiasli]

Context

--nsg-rule from az vm create by default opens port 3389 for RDP on Windows VM and port 22 for SSH on Linux VM to public internet:

> az vm create --help
...
    --nsg-rule                                                    : NSG rule to create when creating
                                                                    a new NSG. Defaults to open
                                                                    ports for allowing RDP on
                                                                    Windows and allowing SSH on
                                                                    Linux. NONE represents no NSG
                                                                    rule.  Allowed values: NONE,
                                                                    RDP, SSH.

This imposes a security risk and will trigger sev 2 IcM. If this behavior is considered insecure Microsoft/Azure internally, it is considered insecure externally for public users.

Proposed solution

--nsg-rule should be default to NONE. User must explicitly specify RDP or SSH.

[jiasli]

For Microsoft internal users, to avoid triggering sev 2 IcM, you may

1. create a VM with --nsg-rule NONE first,
2. after the NSG is created, create a rule using a special address prefix CorpNetPublic which allows all Microsoft IP addresses.

# SSH 22
az network nsg rule create --resource-group $rg --nsg-name $nsgname --name allow_ssh --priority 100 --source-address-prefixes CorpNetPublic --destination-port-ranges 22 --direction Inbound --access Allow --protocol Tcp --description "Allow SSH from CorpNet"

# RDP 3389
az network nsg rule create --resource-group $rg --nsg-name $nsgname --name allow_rdp --priority 100 --source-address-prefixes CorpNetPublic --destination-port-ranges 3389 --direction Inbound --access Allow --protocol Tcp --description "Allow RDP from CorpNet"

[microsoft-github-policy-service]

🔔 Routing this issue to @act-observability-squad.