Close the security hole allowing outbound traffic to any server on the internet on TCP port 1688 from any Azure IaaS VM
NSG 'deny' rules ignore TCP port 1688.
It is possible to exfiltrate [i.e. steal] confidential data from any Azure IaaS VM (via the internet) to a server running an arbitrary service on TCP port 1688.
1. Deploy an SSH/SFTP server running on port 1688 in your home or another cloud service
2. As a legitimate user of an Azure IaaS deployment, log on to an Azure VM (RDP or Citrix servers commonly allow user logons)
3. Transfer confidential data from the Azure IaaS VM to your private server on port 1688
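
Until the rule gap is closed, the transfer in step 3 can at least be detected. The following is an added example, not part of the original report: it scans NSG flow log version 2 tuples for allowed outbound TCP 1688 flows to destinations outside an expected list and totals the bytes sent per source and destination. It assumes these flows are recorded in the flow log; `EXPECTED_1688`, the function names and the sample tuples are constructed for illustration.

```python
import ipaddress

# Assumption: the only networks your VMs should reach on TCP 1688.
# Placeholder value (TEST-NET-3); replace with your own expected endpoints.
EXPECTED_1688 = [ipaddress.ip_network("203.0.113.10/32")]

# Field order of an NSG flow log version 2 tuple.
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction",
          "decision", "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")

# Constructed sample tuples, not real traffic.
SAMPLE = [
    "1700000000,10.0.0.4,203.0.113.10,50001,1688,T,O,A,E,12,900,10,1200",
    "1700000060,10.0.0.5,198.51.100.77,50002,1688,T,O,A,B,,,,",
    "1700000120,10.0.0.5,198.51.100.77,50002,1688,T,O,A,C,4000,5242880,3900,210000",
    "1700000180,10.0.0.5,198.51.100.77,50002,1688,T,O,A,E,2000,2621440,1900,100000",
    "1700000200,10.0.0.6,198.51.100.77,50003,443,T,O,A,E,5,500,5,700",
    "1700000210,198.51.100.9,10.0.0.4,40000,1688,T,I,A,E,5,500,5,700",
]

def parse_tuple(line):
    """Split one flow tuple into named fields; None if malformed."""
    parts = line.strip().split(",")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def unexpected_1688(lines, min_bytes=0):
    """Total bytes sent per (src, dst) over allowed outbound TCP 1688
    flows whose destination is not in EXPECTED_1688."""
    totals = {}
    for line in lines:
        f = parse_tuple(line)
        if f is None:
            continue
        # T = TCP, O = outbound, A = allowed
        if (f["proto"], f["direction"], f["decision"], f["dport"]) != ("T", "O", "A", "1688"):
            continue
        try:
            dst = ipaddress.ip_address(f["dst"])
        except ValueError:
            continue
        if any(dst in net for net in EXPECTED_1688):
            continue
        # Begin (B) tuples carry no counters; C and E tuples are summed.
        key = (f["src"], f["dst"])
        totals[key] = totals.get(key, 0) + int(f["bytes_out"] or 0)
    return {k: v for k, v in totals.items() if v >= min_bytes}

if __name__ == "__main__":
    for (src, dst), sent in unexpected_1688(SAMPLE).items():
        print(f"ALERT {src} -> {dst}:1688 sent {sent} bytes")
```
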