Services should listen on allowed ports only

HIGH

Ensures container services only listen on approved ports, restricting network exposure.

What does this mean?

This recommendation ensures that containers and services only expose network ports that are explicitly allowed. Unrestricted port exposure increases the attack surface and may expose internal services to unauthorized access.

Benefits of implementation

  • Limits network exposure to only approved ports
  • Reduces the attack surface for network-based attacks
  • Supports network segmentation policies

Drawbacks and considerations

  • Requires maintaining an approved port list
  • May require port policy exceptions for specific workloads
  • Debugging network issues is harder with restricted ports

Implementation

Implementation guidance coming soon.
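
As an added illustration (not part of the original recommendation and not any vendor's policy code), the sketch below audits declared service ports against an approved port list with per-workload exceptions, and also reports exceptions that no workload uses any more. It assumes an inventory shaped like Kubernetes Service objects; the policy values, workload names and inventory are constructed for the example.

```python
import json

# Constructed policy: the approved port list plus per-workload exceptions.
POLICY = {
    "allowed_ports": [443, 8443],
    "exceptions": {                           # hypothetical workloads
        "payments/metrics-exporter": [9100],
        "batch/legacy-ftp": [21],             # no such service below: stale
    },
}

# Constructed inventory, shaped like Kubernetes Service objects (assumption).
SERVICES = json.loads("""
[
 {"metadata": {"namespace": "web", "name": "frontend"},
  "spec": {"ports": [{"port": 443}]}},
 {"metadata": {"namespace": "payments", "name": "metrics-exporter"},
  "spec": {"ports": [{"port": 8443}, {"port": 9100}]}},
 {"metadata": {"namespace": "web", "name": "debug-shell"},
  "spec": {"ports": [{"port": 443}, {"port": 2222}, {"port": 9100}]}},
 {"metadata": {"namespace": "batch", "name": "headless-worker"}, "spec": {}}
]
""")

def workload(svc):
    meta = svc.get("metadata", {})
    return f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'

def declared_ports(svc):
    return [p.get("port") for p in (svc.get("spec", {}).get("ports") or [])]

def audit(services, policy):
    """Return (workload, port) pairs that violate the approved-port policy."""
    allowed = set(policy["allowed_ports"])
    findings = []
    for svc in services:
        # An exception widens the list for the named workload only.
        permitted = allowed | set(policy["exceptions"].get(workload(svc), []))
        for port in declared_ports(svc):
            valid = type(port) is int and 1 <= port <= 65535
            if not valid or port not in permitted:  # malformed values fail closed
                findings.append((workload(svc), port))
    return findings

def stale_exceptions(services, policy):
    """Return exception entries that no service in the inventory declares."""
    in_use = {(workload(s), p) for s in services for p in declared_ports(s)}
    return [(w, p) for w, ports in policy["exceptions"].items()
            for p in ports if (w, p) not in in_use]

if __name__ == "__main__":
    print("violations:", audit(SERVICES, POLICY))
    print("stale exceptions:", stale_exceptions(SERVICES, POLICY))
```

Port 9100 passes for `payments/metrics-exporter` but is flagged for `web/debug-shell`, because the exception is scoped to one workload; pruning stale exceptions keeps the approved list from growing silently.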


Details

Risk Level: HIGH
Category: Network Security
Azure Resource:
Frameworks: 1 framework
Last updated: 2026-02-12