virtualNetworks
Summary
Details
All Subnets should have a Network Security Group associated
Impact: Low Category: Security
APRL GUID: f0bf9ae6-25a5-974d-87d5-025abec73539
Description:
Network security groups and application security groups allow filtering of inbound and outbound traffic by IP, port, and protocol, adding a security layer at the Subnet level.
Potential Benefits:
Enhanced subnet security and traffic control
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find Subnets without NSG associated
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend sn = string_size(subnets.properties.networkSecurityGroup)
| where sn == 0 and subnets.name !in ("GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet", "RouteServerSubnet")
| project recommendationId = "f0bf9ae6-25a5-974d-87d5-025abec73539", name, id, tags, param1 = strcat("SubnetName: ", subnets.name), param2 = "NSG: False"
Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans
Impact: High Category: Security
APRL GUID: 69ea1185-19b7-de40-9da1-9e8493547a5c
Description:
Azure DDoS Protection offers enhanced mitigation features against DDoS attacks and is auto-tuned to protect specific resources in a virtual network, combined with application design best practices.
Potential Benefits:
Enhanced DDoS attack mitigation
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find virtual networks without DDoS Protection
resources
| where type =~ 'Microsoft.Network/virtualNetworks'
| where isnull(properties.enableDdosProtection) or properties.enableDdosProtection contains "false"
| project recommendationId = "69ea1185-19b7-de40-9da1-9e8493547a5c", name, id, tags, param1 = strcat("EnableDdosProtection: ", properties.enableDdosProtection)
When available, use Private Endpoints instead of Service Endpoints for PaaS Services
Impact: Medium Category: Security
APRL GUID: 24ae3773-cc2c-3649-88de-c9788e25b463
Description:
Use VNet service endpoints only if Private Link isn't available and no data movement concerns. This feature restricts Azure service access to specified VNet and subnet, enhancing network security and isolating service traffic.
Potential Benefits:
Enhanced security and data isolation
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find Subnets with Service Endpoint enabled for services that offer Private Link
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend se = array_length(subnets.properties.serviceEndpoints)
| where se >= 1
| project name, id, tags, subnets, serviceEndpoints=todynamic(subnets.properties.serviceEndpoints)
| mv-expand serviceEndpoints
| project name, id, tags, subnetName=subnets.name, serviceName=tostring(serviceEndpoints.service)
| where serviceName in (parse_json('["Microsoft.CognitiveServices","Microsoft.AzureCosmosDB","Microsoft.DBforMariaDB","Microsoft.DBforMySQL","Microsoft.DBforPostgreSQL","Microsoft.EventHub","Microsoft.KeyVault","Microsoft.ServiceBus","Microsoft.Sql", "Microsoft.Storage","Microsoft.StorageSync","Microsoft.Synapse","Microsoft.Web"]'))
| project recommendationId = "24ae3773-cc2c-3649-88de-c9788e25b463", name, id, tags, param1 = strcat("subnet=", subnetName), param2=strcat("serviceName=",serviceName), param3="ServiceEndpoints=true"