Virtual Networks


The resiliency recommendations in this guidance cover Virtual Networks and their associated settings.

Summary of Recommendations

The table below lists the resiliency recommendations for Virtual Networks and associated resources.

Recommendations Details

VNET-1 - All Subnets should have a Network Security Group associated

Category: Access & Security

Impact: High

Guidance

Network security groups: Network security groups and application security groups can contain multiple inbound and outbound security rules that let you filter traffic to and from resources by source and destination IP address, port, and protocol. NSGs provide a security layer at the subnet level. Note that the following subnets are excluded (ignored) because associating an NSG with them is not supported: GatewaySubnet, AzureFirewallSubnet, AzureFirewallManagementSubnet, RouteServerSubnet.

Resources

Resource Graph Query

// Azure Resource Graph Query
// Find Subnets without NSG associated
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend sn = string_size(subnets.properties.networkSecurityGroup)
| where sn == 0 and subnets.name !in ("GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet", "RouteServerSubnet")
| project recommendationId = "vnet-1", name, id, tags, param1 = strcat("SubnetName: ", subnets.name), param2 = "NSG: False"



VNET-2 - Use Azure DDoS Standard Protection Plans to protect all public endpoints hosted within customer Virtual Networks

Category: Access & Security

Impact: High

Guidance

Azure DDoS Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It’s automatically tuned to help protect your specific Azure resources in a virtual network.

Resources

Resource Graph Query

// Azure Resource Graph Query
// Find virtual networks without DDoS Protection
resources
| where type =~ 'Microsoft.Network/virtualNetworks'
| where isnull(properties.enableDdosProtection) or properties.enableDdosProtection contains "false"
| project recommendationId = "vnet-2", name, id, tags, param1 = strcat("EnableDdosProtection: ", properties.enableDdosProtection)



VNET-3 - When available, use Private Endpoints instead of Service Endpoints for PaaS Services

Category: Access & Security

Impact: Medium

Guidance

Use virtual network service endpoints only when Private Link isn’t available and there are no concerns about unauthorized movement of data. The VNet service endpoint feature (turning on the VNet service endpoint on the network side and setting up appropriate VNet ACLs on the Azure service side) limits access to the Azure service to the allowed VNet and subnet, thus providing network-level security and isolation of the Azure service traffic. All traffic using VNet service endpoints flows over the Microsoft backbone, thus providing another layer of isolation from the public internet.

Resources

Resource Graph Query

// Azure Resource Graph Query
// Find Subnets with Service Endpoint enabled for services that offer Private Link
resources
| where type =~ 'Microsoft.Network/virtualnetworks'
| mv-expand subnets = properties.subnets
| extend se = array_length(subnets.properties.serviceEndpoints)
| where se >= 1
| project name, id, tags, subnets, serviceEndpoints=todynamic(subnets.properties.serviceEndpoints)
| mv-expand serviceEndpoints
| project name, id, tags, subnetName=subnets.name, serviceName=tostring(serviceEndpoints.service)
| where serviceName in (parse_json('["Microsoft.CognitiveServices","Microsoft.AzureCosmosDB","Microsoft.DBforMariaDB","Microsoft.DBforMySQL","Microsoft.DBforPostgreSQL","Microsoft.EventHub","Microsoft.KeyVault","Microsoft.ServiceBus","Microsoft.Sql", "Microsoft.Storage","Microsoft.StorageSync","Microsoft.Synapse","Microsoft.Web"]'))
| project recommendationId = "vnet-3", name, id, tags, param1 = strcat("subnet=", subnetName), param2=strcat("serviceName=",serviceName), param3="ServiceEndpoints=true"
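As an added offline example (not APRL's own code, and not one of the queries above), the Python below applies the VNET-1, VNET-2 and VNET-3 checks to an ARG-shaped virtual network record using the same subnet exemptions and Private Link service list as the queries; the evaluate_vnet function, the sample record and its resource ids are constructed for illustration.

```python
# Subnets on which an NSG association is not supported (from the VNET-1 guidance).
NSG_EXEMPT_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet",
                      "AzureFirewallManagementSubnet", "RouteServerSubnet"}
# Services the VNET-3 query flags because they offer Private Link.
PRIVATE_LINK_SERVICES = {
    "Microsoft.CognitiveServices", "Microsoft.AzureCosmosDB", "Microsoft.DBforMariaDB",
    "Microsoft.DBforMySQL", "Microsoft.DBforPostgreSQL", "Microsoft.EventHub",
    "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Sql", "Microsoft.Storage",
    "Microsoft.StorageSync", "Microsoft.Synapse", "Microsoft.Web"}

def evaluate_vnet(vnet: dict) -> list:
    """Return one finding per failed check, using the same columns the queries project."""
    props, findings = vnet.get("properties", {}), []
    base = {"name": vnet.get("name"), "id": vnet.get("id")}
    # VNET-2: enableDdosProtection missing (null) or false on the virtual network.
    if not props.get("enableDdosProtection"):
        findings.append({"recommendationId": "vnet-2", **base,
                         "param1": f"EnableDdosProtection: {props.get('enableDdosProtection')}"})
    for subnet in props.get("subnets", []):
        sname, sprops = subnet.get("name"), subnet.get("properties", {})
        # VNET-1: no NSG reference on a subnet that supports one.
        if not sprops.get("networkSecurityGroup") and sname not in NSG_EXEMPT_SUBNETS:
            findings.append({"recommendationId": "vnet-1", **base,
                             "param1": f"SubnetName: {sname}", "param2": "NSG: False"})
        # VNET-3: a service endpoint for a service where Private Link is available.
        for se in sprops.get("serviceEndpoints") or []:
            if se.get("service") in PRIVATE_LINK_SERVICES:
                findings.append({"recommendationId": "vnet-3", **base,
                                 "param1": f"subnet={sname}",
                                 "param2": f"serviceName={se['service']}",
                                 "param3": "ServiceEndpoints=true"})
    return findings

# Constructed sample shaped like an ARG 'resources' row; <sub> is a placeholder.
SAMPLE_VNET = {
    "name": "vnet-prod",
    "id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet-prod",
    "properties": {
        "enableDdosProtection": False,
        "subnets": [
            {"name": "GatewaySubnet", "properties": {}},  # exempt from VNET-1
            {"name": "app", "properties": {"networkSecurityGroup": {"id": "/constructed/nsg-app"},
                                           "serviceEndpoints": [{"service": "Microsoft.Storage"}]}},
            # Microsoft.AzureActiveDirectory is not in the VNET-3 list, so only the missing NSG is flagged.
            {"name": "data", "properties": {"serviceEndpoints": [{"service": "Microsoft.AzureActiveDirectory"}]}},
        ]}}

if __name__ == "__main__":
    for finding in evaluate_vnet(SAMPLE_VNET):
        print(finding)
```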