Route Table

The presented resiliency recommendations in this guidance include Route Table and associated resources and settings.

Summary of Recommendations

Recommendation	Category	Impact	State	ARG Query Available
RT-1 - Monitor changes in Route Tables with Azure Monitor	Monitoring	Low	Preview	Yes
RT-2 - Configure locks for Route Tables to avoid accidental changes or deletion	Governance	Low	Preview	No

Definitions of states can be found here

Recommendations Details

RT-1 - Monitor changes in Route Tables with Azure Monitor

Category: Monitoring

Impact: Low

Guidance

Create Alerts for administrative operations such as Create or Update Route Table with Azure Monitor to detect unauthorized/undesired changes to production resources, this alert can help identify undesired changes in routing, such as attempts to by-pass firewalls or from accessing resources externally.

Resources

Azure activity log - Azure Monitor | Microsoft Learn

Resource Graph Query

// Azure Resource Graph Query
// Find all Route Tables without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/routeTables"
| project name, id, tags, lowerCaseRouteTableId = tolower(id)
| join kind = leftouter (
    resources
    | where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/routeTables"
    | project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
    | where conditionJson has '"Administrative"' and (
        // Create or Update Route Table
        (conditionJson has '"Microsoft.Network/routeTables/write"') or
        // All Administrative operations
        (conditionJson !has '"Microsoft.Network/routeTables/write"' and conditionJson !has '"Microsoft.Network/routeTables/delete"' and conditionJson !has '"Microsoft.Network/routeTables/join/action"')
        )
    | project lowerCaseRouteTableIdOfScope = tolower(scope)
    )
    on $left.lowerCaseRouteTableId == $right.lowerCaseRouteTableIdOfScope
| where isempty(lowerCaseRouteTableIdOfScope)
| project recommendationId = "rt-1", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"

RT-2 - Configure locks for Route Tables to avoid accidental changes or deletion

Category: Governance

Impact: Low

Guidance

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only.

Resources

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

Resource Graph Query

// under-development

Azure Databricks

Batch Accounts

Azure Site Recovery

Compute Gallery

Image Templates

Virtual Machine Scale Sets

Virtual Machines

AKS

Container Registry

SQL DB

Cosmos DB

DB for MySQL

DB for PostgreSQL

Redis Cache

Api Management

Event Grid

Event Hub

Service Bus

IoT Hub

Automation Account

Management Groups

Resource Groups

Subscription

Azure Backup

Application Insights

Log Analytics

Resource Health Alerts

Service Health Alerts

Application Gateway

DDoS Protection Plans

ExpressRoute Circuits

ExpressRoute Connection

ExpressRoute Direct

ExpressRoute Gateway

ExpressRoute Traffic Collector

Firewall

Front Door

Load Balancer

Network Security Group

Network Watcher

Private DNS Zones

Private Endpoints

Public Ip

Route Table

Traffic Manager

Virtual Networks

VPN Gateway

Web Application Firewall

Key Vault

Azure High Performance Computing

Azure Virtual Desktop

Azure VMware Solution

SAP on Azure

Azure NetApp Files

Storage Accounts (Blob/Azure Data Lake Storage Gen2)

App Service Plan

SignalR

Web App

Route Table

Summary of Recommendations

Recommendations Details

RT-1 - Monitor changes in Route Tables with Azure Monitor

RT-2 - Configure locks for Route Tables to avoid accidental changes or deletion