Azure Proactive Resiliency Library v2

routeTables

Summary

| Recommendation | Impact | Category | Automation Available | PG Verified |
| --- | --- | --- | --- | --- |
| Monitor changes in Route Tables with Azure Monitor | High | Monitoring and Alerting | Yes | Verified |
| Configure locks for Route Tables to avoid accidental changes or deletion | Low | Governance | No | Verified |

Details


Monitor changes in Route Tables with Azure Monitor

Impact: High
Category: Monitoring and Alerting
PG Verified: Verified

APRL GUID:  23b2dfc7-7e5d-9443-9f62-980ca621b561

Description:

Create Azure Monitor alerts for operations such as Create or Update Route Table to spot unauthorized or undesired changes to production resources. These alerts help identify improper routing changes, including attempts to bypass firewalls or to reach resources from outside.

Potential Benefits:

Enhanced security and change detection

Learn More:

Azure activity log - Azure Monitor | Microsoft Learn

ARG Query:


// Azure Resource Graph Query
// Find all Route Tables without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/routeTables"
| project name, id, tags, lowerCaseRouteTableId = tolower(id)
| join kind = leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/routeTables"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"' and (
        // Create or Update Route Table
        (conditionJson has '"Microsoft.Network/routeTables/write"') or
        // All Administrative operations
        (conditionJson !has '"Microsoft.Network/routeTables/write"' and conditionJson !has '"Microsoft.Network/routeTables/delete"' and conditionJson !has '"Microsoft.Network/routeTables/join/action"')
        )
    | project lowerCaseRouteTableIdOfScope = tolower(scope)
    )
    on $left.lowerCaseRouteTableId == $right.lowerCaseRouteTableIdOfScope
| where isempty(lowerCaseRouteTableIdOfScope)
| project recommendationId = "23b2dfc7-7e5d-9443-9f62-980ca621b561", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"



Configure locks for Route Tables to avoid accidental changes or deletion

Impact: Low
Category: Governance
PG Verified: Verified

APRL GUID:  89d1166a-1a20-0f46-acc8-3194387bf127

Description:

As an administrator, you can protect Azure subscriptions, resource groups, or resources from accidental deletions and modifications by setting locks.

Potential Benefits:

Prevents accidental edits/deletions

Learn More:

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

ARG Query:


// under-development
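
The following Bicep template is an added example, not code from APRL or its authors, and covers both recommendations on this page: an activity log alert on Microsoft.Network/routeTables/write scoped to a single route table, with the fields the ARG query above inspects, plus a management lock on the same table. The parameter names, resource names, API versions and the CanNotDelete lock level are assumptions chosen for illustration.

```bicep
// Added example, not APRL project code; names and API versions are assumptions.
param routeTableName string // existing route table in this resource group (hypothetical)
param actionGroupId string  // resource ID of an existing action group (hypothetical)

resource routeTable 'Microsoft.Network/routeTables@2023-09-01' existing = {
  name: routeTableName
}

// Activity log alert: enabled, scoped to the route table itself, with category
// Administrative and the write operation. These are the properties the ARG query
// reads (properties.enabled, properties.scopes, properties.condition.allOf).
resource routeTableWriteAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'alert-${routeTableName}-write'
  location: 'Global'
  properties: {
    enabled: true
    scopes: [
      routeTable.id
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Administrative'
        }
        {
          field: 'operationName'
          equals: 'Microsoft.Network/routeTables/write'
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}

// Lock on the same table. CanNotDelete still allows route edits, so the alert
// above remains the change signal; ReadOnly would block updates as well.
resource routeTableLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-${routeTableName}'
  scope: routeTable
  properties: {
    level: 'CanNotDelete'
  }
}
```

Because the ARG query only matches alerts whose scope contains Microsoft.Network/routeTables, an alert scoped to a subscription or resource group is not counted as coverage by it.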