Azure Proactive Resiliency Library v2

virtualNetworks

Summary

| Recommendation | Impact | Category | Automation Available | In Azure Advisor |
|---|---|---|---|---|
| All Subnets should have a Network Security Group associated | Low | Security | Yes | Yes |
| When available, use Private Endpoints instead of Service Endpoints for PaaS Services | Medium | Security | Yes | No |

Details


All Subnets should have a Network Security Group associated

Impact: Low
Category: Security

APRL GUID: f0bf9ae6-25a5-974d-87d5-025abec73539

Description:

Network security groups and application security groups allow filtering of inbound and outbound traffic by IP, port, and protocol, adding a security layer at the Subnet level.

Potential Benefits:

Enhanced subnet security and traffic control

Learn More:
Azure Virtual Network - Concepts and best practices | Microsoft Learn
GatewaySubnet
Can I associate a network security group (NSG) to the RouteServerSubnet?
Are Network Security Groups (NSGs) supported on the AzureFirewallSubnet?

ARG Query:


// Azure Resource Graph Query
// Find Subnets without NSG associated
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend sn = string_size(subnets.properties.networkSecurityGroup)
| where sn == 0 and subnets.name !in ("GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet", "RouteServerSubnet")
| project recommendationId = "f0bf9ae6-25a5-974d-87d5-025abec73539", name, id, tags, param1 = strcat("SubnetName: ", subnets.name), param2 = "NSG: False"



When available, use Private Endpoints instead of Service Endpoints for PaaS Services

Impact: Medium
Category: Security

APRL GUID: 24ae3773-cc2c-3649-88de-c9788e25b463

Description:

Use VNet service endpoints only if Private Link isn't available for the service and there are no data movement concerns. A service endpoint restricts access to the Azure service to the specified VNet and subnet, enhancing network security and isolating service traffic.

Potential Benefits:

Enhanced security and data isolation

Learn More:
Azure Virtual Network FAQ | Microsoft Learn
Reliability and Network connectivity - Microsoft Azure Well-Architected Framework | Microsoft Learn
Networking Reliability
Azure Private Link availability

ARG Query:


// Azure Resource Graph Query
// Find Subnets with Service Endpoint enabled for services that offer Private Link
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend se = array_length(subnets.properties.serviceEndpoints)
| where se >= 1
| project name, id, tags, subnets, serviceEndpoints=todynamic(subnets.properties.serviceEndpoints)
| mv-expand serviceEndpoints
| project name, id, tags, subnetName=subnets.name, serviceName=tostring(serviceEndpoints.service)
| where serviceName in (parse_json('["Microsoft.CognitiveServices","Microsoft.AzureCosmosDB","Microsoft.DBforMariaDB","Microsoft.DBforMySQL","Microsoft.DBforPostgreSQL","Microsoft.EventHub","Microsoft.KeyVault","Microsoft.ServiceBus","Microsoft.Sql", "Microsoft.Storage","Microsoft.StorageSync","Microsoft.Synapse","Microsoft.Web"]'))
| project recommendationId = "24ae3773-cc2c-3649-88de-c9788e25b463", name, id, tags, param1 = strcat("subnet=", subnetName), param2=strcat("serviceName=",serviceName), param3="ServiceEndpoints=true"
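The two Azure Resource Graph queries above need a signed-in tenant. The following is an added example, not part of APRL or the two queries themselves: it applies the same two checks (the NSG check with the same exempt platform subnets, and the service-endpoint check with the same list of services that offer Private Link) offline to a single VNet document in the shape returned by `az network vnet show`, and emits findings projected the way the queries do. `SAMPLE_VNET`, the subnet names and the resource ids in it are constructed.

```python
# Offline check of the two virtualNetworks recommendations above against a VNet
# document in the shape returned by `az network vnet show`. Added example, not
# APRL's own tooling; SAMPLE_VNET below is constructed.
import json

# Platform subnets the NSG query exempts (they do not take an NSG)
NSG_EXEMPT_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet",
                      "AzureFirewallManagementSubnet", "RouteServerSubnet"}
# Service endpoint services the second query treats as having Private Link available
PRIVATE_LINK_SERVICES = {
    "Microsoft.CognitiveServices", "Microsoft.AzureCosmosDB", "Microsoft.DBforMariaDB",
    "Microsoft.DBforMySQL", "Microsoft.DBforPostgreSQL", "Microsoft.EventHub",
    "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Sql", "Microsoft.Storage",
    "Microsoft.StorageSync", "Microsoft.Synapse", "Microsoft.Web"}
NSG_RECOMMENDATION_ID = "f0bf9ae6-25a5-974d-87d5-025abec73539"
SE_RECOMMENDATION_ID = "24ae3773-cc2c-3649-88de-c9788e25b463"

def evaluate_vnet(vnet: dict) -> list:
    """One finding per violation, projected like the ARG queries (param1/param2/...)."""
    findings = []
    base = {"name": vnet["name"], "id": vnet["id"]}
    for subnet in vnet.get("subnets", []):
        sname = subnet["name"]
        # Recommendation 1: no NSG associated (property absent or null) on a non-exempt subnet
        if not subnet.get("networkSecurityGroup") and sname not in NSG_EXEMPT_SUBNETS:
            findings.append({**base, "recommendationId": NSG_RECOMMENDATION_ID,
                             "param1": f"SubnetName: {sname}", "param2": "NSG: False"})
        # Recommendation 2: a service endpoint enabled for a service that offers Private Link
        for se in subnet.get("serviceEndpoints") or []:
            if se.get("service") in PRIVATE_LINK_SERVICES:
                findings.append({**base, "recommendationId": SE_RECOMMENDATION_ID,
                                 "param1": f"subnet={sname}",
                                 "param2": f"serviceName={se['service']}",
                                 "param3": "ServiceEndpoints=true"})
    return findings

# Constructed sample: an exempt subnet, a compliant subnet, and one that violates both
SAMPLE_VNET = json.loads("""{
  "name": "vnet-hub",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub",
  "subnets": [
    {"name": "GatewaySubnet", "networkSecurityGroup": null, "serviceEndpoints": []},
    {"name": "snet-app", "networkSecurityGroup": {"id": "/subscriptions/PLACEHOLDER/nsg-app"}},
    {"name": "snet-data", "networkSecurityGroup": null,
     "serviceEndpoints": [{"service": "Microsoft.Sql"}, {"service": "Microsoft.ContainerRegistry"}]}
  ]}""")

if __name__ == "__main__":
    print(json.dumps(evaluate_vnet(SAMPLE_VNET), indent=2))
```

Only `Microsoft.Sql` on `snet-data` is reported for the second recommendation; the `Microsoft.ContainerRegistry` endpoint is not in the page's service list and is left alone, as in the ARG query.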