Azure Proactive Resiliency Library v2
Tools Glossary GitHub GitHub Issues Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

routeTables

Summary

RecommendationImpactCategoryAutomation AvailableIn Azure Advisor
Monitor changes in Route Tables with Azure MonitorMediumMonitoring and AlertingYesNo

Details


Monitor changes in Route Tables with Azure Monitor

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  23b2dfc7-7e5d-9443-9f62-980ca621b561

Description:

Create Alerts with Azure Monitor for operations like Create or Update Route Table to spot unauthorized/undesired changes in production resources. This setup aids in identifying improper routing changes, including efforts to evade firewalls or access resources from outside.

Potential Benefits:

Enhanced security and change detection
Learn More:
Azure activity log - Azure Monitor | Microsoft Learn

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find all Route Tables without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/routeTables"
| project name, id, tags, lowerCaseRouteTableId = tolower(id)
| join kind = leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/routeTables"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"' and (
        // Create or Update Route Table
        (conditionJson has '"Microsoft.Network/routeTables/write"') or
        // All Administrative operations
        (conditionJson !has '"Microsoft.Network/routeTables/write"' and conditionJson !has '"Microsoft.Network/routeTables/delete"' and conditionJson !has '"Microsoft.Network/routeTables/join/action"')
        )
    | project lowerCaseRouteTableIdOfScope = tolower(scope)
    )
    on $left.lowerCaseRouteTableId == $right.lowerCaseRouteTableIdOfScope
| where isempty(lowerCaseRouteTableIdOfScope)
| project recommendationId = "23b2dfc7-7e5d-9443-9f62-980ca621b561", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"