Route Table


The resiliency recommendations in this guidance cover Route Tables (user-defined routes) and their associated resources and settings.

Summary of Recommendations

RT-1 - Monitor changes in Route Tables with Azure Monitor (Category: Monitoring, Impact: Low)
RT-2 - Configure locks for Route Tables to avoid accidental changes or deletion (Category: Governance, Impact: Low)

Recommendations Details

RT-1 - Monitor changes in Route Tables with Azure Monitor

Category: Monitoring

Impact: Low

Guidance

Create Azure Monitor activity log alerts for administrative operations on Route Tables, such as Create or Update Route Table (operation name Microsoft.Network/routeTables/write), to detect unauthorized or undesired changes to production resources. Such an alert helps identify unwanted routing changes, for example a user-defined route that bypasses a firewall or network virtual appliance, or one that exposes resources to external access. Scope the alert to the route table and attach an action group, so that a change is actually delivered to someone who can review it.

Resources

Resource Graph Query

// Azure Resource Graph Query
// Find all Route Tables without alerts for modification configured.
//
// Note: the join below matches only activity log alerts whose scope is the
// route table resource itself. Alerts scoped to a subscription or resource
// group are not matched, so such route tables will still be reported here.
resources
| where type =~ "Microsoft.Network/routeTables"
| project name, id, tags, lowerCaseRouteTableId = tolower(id)
| join kind = leftouter (
    // Enabled activity log alerts that are scoped to a route table
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/routeTables"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    // Keep alerts on the Administrative category that cover write operations
    | where conditionJson has '"Administrative"' and (
        // Create or Update Route Table
        (conditionJson has '"Microsoft.Network/routeTables/write"') or
        // All Administrative operations (no specific operationName filter)
        (conditionJson !has '"Microsoft.Network/routeTables/write"' and conditionJson !has '"Microsoft.Network/routeTables/delete"' and conditionJson !has '"Microsoft.Network/routeTables/join/action"')
        )
    | project lowerCaseRouteTableIdOfScope = tolower(scope)
    )
    on $left.lowerCaseRouteTableId == $right.lowerCaseRouteTableIdOfScope
// Rows with no matching alert scope are the route tables lacking an alert
| where isempty(lowerCaseRouteTableIdOfScope)
| project recommendationId = "rt-1", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
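The following Bicep template is an added example, not code from the original page or from the Azure Proactive Resiliency Library. It deploys an activity log alert that satisfies RT-1 as the query above checks for it: the alert is enabled, scoped to the route table's own resource ID (so the join on the scope matches), and its allOf condition names the Administrative category and the Microsoft.Network/routeTables/write operation. It also fires on delete, which the query accepts because the write operation is still present. The parameter names, the alert name pattern and the existing action group passed in as actionGroupId are assumptions for the example.

```bicep
// Added example (not from the original page): RT-1 activity log alert on one route table.
// Deploy into the resource group that holds the route table.

@description('Name of the existing route table to monitor (assumption: same resource group).')
param routeTableName string

@description('Resource ID of an existing action group that receives the alert (assumption: already deployed).')
param actionGroupId string

// Reference the route table so its full resource ID can be used as the alert scope.
resource routeTable 'Microsoft.Network/routeTables@2023-05-01' existing = {
  name: routeTableName
}

// Activity log alerts are global resources; scope must be the route table ID for the
// RT-1 Resource Graph query to recognise the alert.
resource routeTableChangeAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'alert-${routeTableName}-modification'
  location: 'global'
  properties: {
    enabled: true
    description: 'RT-1: fires on create, update or delete of the route table.'
    scopes: [
      routeTable.id
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Administrative'
        }
        {
          // Either operation matches; the write operation is the one RT-1 requires.
          anyOf: [
            {
              field: 'operationName'
              equals: 'Microsoft.Network/routeTables/write'
            }
            {
              field: 'operationName'
              equals: 'Microsoft.Network/routeTables/delete'
            }
          ]
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}

output alertId string = routeTableChangeAlert.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file rt1-alert.bicep --parameters routeTableName=<name> actionGroupId=<id>` (file name assumed). Individual routes are child resources of the route table, so a write to Microsoft.Network/routeTables/routes on that table is also logged under the route table's resource ID and surfaces through the same alert scope.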



RT-2 - Configure locks for Route Tables to avoid accidental changes or deletion

Category: Governance

Impact: Low

Guidance

As an administrator, you can lock an Azure subscription, resource group, or resource to protect it from accidental deletion or modification. A lock applies regardless of the user's RBAC permissions; only principals with the Microsoft.Authorization/locks/* actions (the built-in Owner and User Access Administrator roles) can create or remove one. Two lock levels exist, CanNotDelete and ReadOnly, which the portal shows as Delete and Read-only. For a route table a Delete lock is usually the right choice: a Read-only lock also blocks adding or changing routes, which operators legitimately need to do. A lock is a guard against accidents, not a substitute for RBAC or for the change alerts described in RT-1.

Resources

Resource Graph Query

// under-development
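The Bicep template below is an added example, not code from the original page or from the Azure Proactive Resiliency Library. It applies a management lock directly to an existing route table, defaulting to the CanNotDelete level recommended above; the lockLevel parameter lets you choose ReadOnly where route changes must also be frozen. The parameter names and the lock name pattern are assumptions for the example.

```bicep
// Added example (not from the original page): RT-2 management lock on one route table.
// Deploy into the resource group that holds the route table.

@description('Name of the existing route table to lock (assumption: same resource group).')
param routeTableName string

@description('Lock level. CanNotDelete still allows route updates; ReadOnly blocks them as well.')
@allowed([
  'CanNotDelete'
  'ReadOnly'
])
param lockLevel string = 'CanNotDelete'

// Reference the route table so the lock can be scoped to it rather than to the resource group.
resource routeTable 'Microsoft.Network/routeTables@2023-05-01' existing = {
  name: routeTableName
}

// Management locks are extension resources: the scope property targets the route table.
resource routeTableLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-${routeTableName}-${toLower(lockLevel)}'
  scope: routeTable
  properties: {
    level: lockLevel
    notes: 'RT-2: protects the route table from accidental deletion or modification.'
  }
}

output lockId string = routeTableLock.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file rt2-lock.bicep --parameters routeTableName=<name>` (file name assumed). Because the lock is deployed as an extension resource on the route table, it also covers the table's child routes: with ReadOnly, a PUT on Microsoft.Network/routeTables/routes under that table is rejected, while CanNotDelete only blocks deletion of the table itself.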