Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
I understand that you would like to close the Port 20000 in your VNET Gateway.
Please note that certain ports are required for Azure infrastructure communication.
- They're protected (locked down) by Azure certificates.
- Without proper certificates, external entities, including the customers of those gateways, won't be able to have any effect on those endpoints.
- The reason being that Azure infrastructure entities can't tap into customer private networks for compliance reasons, so they need to utilize public endpoints for infrastructure communication.
- We can assure you that the public endpoints are periodically scanned by Azure security audits.
Refer : Why are certain ports opened on my virtual network gateway?
Also, with regard to using NSGs:
- When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet.
- Associating a network security group with this subnet may cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected.
- Refer : Azure GatewaySubnet Considerations
Hope this helps.
Thanks,
Kapil
Please Accept an answer if correct.
Original posters help the community find answers faster by identifying the correct answer.
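As an added example (not part of the answer above, and not Microsoft's own tooling), the following Az PowerShell script audits every virtual network in the current subscription for a GatewaySubnet that has an NSG attached, which is exactly the configuration the answer says to avoid. It assumes the Az.Network module is installed and `Connect-AzAccount` has already been run; the `-Fix` switch, the `$findings` collection and the way the NSG is cleared (setting the subnet's `NetworkSecurityGroup` property to `$null` and pushing the VNet back with `Set-AzVirtualNetwork`) are this example's own choices.

```powershell
# Added example: report (and optionally remove) NSGs attached to GatewaySubnet.
# Assumes Az.Network is installed and Connect-AzAccount has been run.
param(
    [switch]$Fix   # pass -Fix to detach the NSG; the default is report only
)

$findings = @()

foreach ($vnet in Get-AzVirtualNetwork) {
    # The gateway subnet must be named exactly "GatewaySubnet".
    $gwSubnet = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }
    if (-not $gwSubnet) { continue }   # this VNet has no gateway subnet

    if ($null -eq $gwSubnet.NetworkSecurityGroup) { continue }   # nothing attached, fine

    $findings += [pscustomobject]@{
        ResourceGroup = $vnet.ResourceGroupName
        VNet          = $vnet.Name
        NsgId         = $gwSubnet.NetworkSecurityGroup.Id
    }

    if ($Fix) {
        # $gwSubnet is a reference into $vnet.Subnets, so clearing the property
        # on it and pushing the whole VNet removes the association.
        $gwSubnet.NetworkSecurityGroup = $null
        Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
        Write-Host "Detached NSG from GatewaySubnet in VNet '$($vnet.Name)' ($($vnet.ResourceGroupName))"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No GatewaySubnet in this subscription has an NSG attached.'
} else {
    Write-Host 'GatewaySubnets with an NSG attached (the gateway may stop working):'
    $findings | Format-Table -AutoSize
}
```

Run it once without `-Fix` to see what would change, then with `-Fix` after confirming the listed VNets are the ones you expect; it does not touch NSGs on any subnet other than GatewaySubnet, and it does not attempt to block the infrastructure ports discussed above, since those are meant to stay reachable.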