Azure Proactive Resiliency Library v2
Tools Glossary GitHub GitHub Issues Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

virtualNetworks

Summary

RecommendationImpactCategoryAutomation AvailablePG Verified
All Subnets should have a Network Security Group associatedLowSecurityYesVerified
Shield public endpoints in Azure VNets with Azure DDoS Standard Protection PlansHighSecurityYesVerified
When available, use Private Endpoints instead of Service Endpoints for PaaS ServicesMediumSecurityYesVerified

Details


All Subnets should have a Network Security Group associated

Impact:  Low Category:  Security PG Verified:  Verified

APRL GUID:  f0bf9ae6-25a5-974d-87d5-025abec73539

Description:

Network security groups and application security groups allow filtering of inbound and outbound traffic by IP, port, and protocol, adding a security layer at the Subnet level.

Potential Benefits:

Enhanced subnet security and traffic control
Learn More:
Azure Virtual Network - Concepts and best practices | Microsoft Learn
GatewaySUbnet
Can I associate a network security group (NSG) to the RouteServerSubnet?
Are Network Security Groups (NSGs) supported on the AzureFirewallSubnet?

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find Subnets without NSG associated
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend sn = string_size(subnets.properties.networkSecurityGroup)
| where sn == 0 and subnets.name !in ("GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet", "RouteServerSubnet")
| project recommendationId = "f0bf9ae6-25a5-974d-87d5-025abec73539", name, id, tags, param1 = strcat("SubnetName: ", subnets.name), param2 = "NSG: False"



Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans

Impact:  High Category:  Security PG Verified:  Verified

APRL GUID:  69ea1185-19b7-de40-9da1-9e8493547a5c

Description:

Azure DDoS Protection offers enhanced mitigation features against DDoS attacks and is auto-tuned to protect specific resources in a virtual network, combined with application design best practices.

Potential Benefits:

Enhanced DDoS attack mitigation
Learn More:
Reliability and Azure Virtual Network - Microsoft Azure Well-Architected Framework | Microsoft Learn

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find virtual networks without DDoS Protection
resources
| where type =~ 'Microsoft.Network/virtualNetworks'
| where isnull(properties.enableDdosProtection) or properties.enableDdosProtection contains "false"
| project recommendationId = "69ea1185-19b7-de40-9da1-9e8493547a5c", name, id, tags, param1 = strcat("EnableDdosProtection: ", properties.enableDdosProtection)



When available, use Private Endpoints instead of Service Endpoints for PaaS Services

Impact:  Medium Category:  Security PG Verified:  Verified

APRL GUID:  24ae3773-cc2c-3649-88de-c9788e25b463

Description:

Use VNet service endpoints only if Private Link isn't available and no data movement concerns. This feature restricts Azure service access to specified VNet and subnet, enhancing network security and isolating service traffic.

Potential Benefits:

Enhanced security and data isolation
Learn More:
Azure Virtual Network FAQ | Microsoft Learn
Reliability and Network connectivity - Microsoft Azure Well-Architected Framework | Microsoft LearnNetworking Reliability
Azure Private Link availability

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find Subnets with Service Endpoint enabled for services that offer Private Link
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend se = array_length(subnets.properties.serviceEndpoints)
| where se >= 1
| project name, id, tags, subnets, serviceEndpoints=todynamic(subnets.properties.serviceEndpoints)
| mv-expand serviceEndpoints
| project name, id, tags, subnetName=subnets.name, serviceName=tostring(serviceEndpoints.service)
| where serviceName in (parse_json('["Microsoft.CognitiveServices","Microsoft.AzureCosmosDB","Microsoft.DBforMariaDB","Microsoft.DBforMySQL","Microsoft.DBforPostgreSQL","Microsoft.EventHub","Microsoft.KeyVault","Microsoft.ServiceBus","Microsoft.Sql", "Microsoft.Storage","Microsoft.StorageSync","Microsoft.Synapse","Microsoft.Web"]'))
| project recommendationId = "24ae3773-cc2c-3649-88de-c9788e25b463", name, id, tags, param1 = strcat("subnet=", subnetName), param2=strcat("serviceName=",serviceName), param3="ServiceEndpoints=true"