This repository has been archived by the owner on May 7, 2024. It is now read-only.
Commit 330549c (parent 97f653e). Showing 3 changed files with 113 additions and 0 deletions.
@@ -0,0 +1,76 @@ | ||
+++ | ||
title = "Route Table" | ||
description = "Best practices and resiliency recommendations for Route Table and associated resources and settings." | ||
date = "8/31/23" | ||
author = "beheath" | ||
msAuthor = "benheath" | ||
draft = false | ||
+++ | ||
|
||
The presented resiliency recommendations in this guidance include Route Table and associated resources and settings. | ||
|
||
## Summary of Recommendations | ||
|
||
{{< table style="table-striped" >}} | ||
| Recommendation | Category | Impact | State | ARG Query Available | | ||
| :------------------------------------------------ | :---------------------------------------------------------------------: | :------: | :------: | :-----------------: | | ||
| [RT-1 - Monitor changes in Route Tables with Azure Monitor](#rt-1---monitor-changes-in-route-tables-with-azure-monitor) | Monitoring | Low | Preview | No | | ||
| [RT-2 - Configure locks for Route Tables to avoid accidental changes and/or deletion](#rt-2---configure-locks-for-route-tables-to-avoid-accidental-changes-and/or-deletion) | Governance | Low | Preview | No | | ||
{{< /table >}} | ||
|
||
{{< alert style="info" >}} | ||
|
||
Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) | ||
|
||
{{< /alert >}} | ||
|
||
## Recommendations Details | ||
|
||
### RT-1 - Monitor changes in Route Tables with Azure Monitor | ||
|
||
**Category: Monitoring** | ||
|
||
**Impact: Low** | ||
|
||
**Recommendation/Guidance** | ||
|
||
Create Alerts for administrative operations such as Create or Update Route Table with Azure Monitor to detect unauthorized/undesired changes to production resources, this alert can help identify undesired changes in routing, such as attempts to by-pass firewalls or from accessing resources externally. | ||
|
||
**Resources** | ||
|
||
- [Azure activity log - Azure Monitor | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/rt-1/rt-1.ps1" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> | ||
|
||
### RT-2 - Configure locks for Route Tables to avoid accidental changes and/or deletion | ||
|
||
**Category: Governance** | ||
|
||
**Impact: Low** | ||
|
||
**Recommendation/Guidance** | ||
|
||
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. | ||
You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. | ||
|
||
**Resources** | ||
|
||
- [Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/rt-2/rt-2.ps1" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> |
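Review bot: the two `{{< code lang="sql" file="code/rt-x/rt-x.ps1" >}}` shortcodes reference PowerShell scripts but tag them as `sql`, so the embedded code will be highlighted as SQL; use `lang="powershell"` for both, and consider renaming the "Resource Graph Query/Scripts" heading for these entries since the table already states no ARG query is available and the scripts are Az cmdlet loops, not Resource Graph queries. The RT-2 row links to `#rt-2---configure-locks-for-route-tables-to-avoid-accidental-changes-and/or-deletion`; the `/` in "and/or" is unlikely to survive the generator's heading-ID rules, so check that the anchor actually resolves to the heading or drop the slash from the heading text. In the RT-1 guidance the sentence "…changes to production resources, this alert can help identify undesired changes in routing, such as attempts to by-pass firewalls or from accessing resources externally." is a run-on and the last clause does not parse; split it after "production resources" and rewrite the tail as something like "such as routes added to bypass a firewall or send traffic directly to the internet". The RT-2 guidance says locks can be Delete or Read-only but never says which one is being recommended for route tables; since a Read-only lock also blocks route additions, which is exactly what automation and operators routinely do, the page should state which level it means and note that caveat. Minor: the front matter has `author = "beheath"` next to `msAuthor = "benheath"`, which looks like a typo in one of them, and `date = "8/31/23"` is an ambiguous format compared with an ISO date.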
docs/content/services/networking/route-table/code/rt-1/rt-1.ps1 (20 additions & 0 deletions)
@@ -0,0 +1,20 @@ | ||
#Pulls a list of all Route Tables without an alert configured for modifications. | ||
$NeedsActivityAlerts = @() | ||
$subscriptions = Get-azsubscription | ||
|
||
foreach ($subscription in $subscriptions){ | ||
set-azcontext $subscription | Out-Null | ||
$RouteTables= Get-AzRouteTable | ||
$ActivityLogAlerts = Get-AzActivityLogAlert | where {$_.scope-match "routeTables"} | ||
$AlertsEnabled = @() | ||
foreach ($resource in $RouteTables){ | ||
foreach($Alert in $ActivityLogAlerts){ | ||
if($Alert.scope -match $resource.name){$AlertsEnabled+=$resource} | ||
} | ||
} | ||
foreach ($RT in $RouteTables){ | ||
if($AlertsEnabled.name -notcontains $rt.name){$NeedsActivityAlerts+=$RT} | ||
} | ||
} | ||
|
||
$NeedsActivityAlerts | select Name, ResourceType, ResourceGroupName, Location, ID | format-table |
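Review bot: the alert matching in the inner loop (`if($Alert.scope -match $resource.name){$AlertsEnabled+=$resource}`) is a regex substring test on the scope list, so it produces both false negatives and false positives: a route table named `rt` is treated as covered by an alert scoped to any resource whose ID contains `rt`, names containing regex metacharacters such as `.` match unintended IDs, and two tables with the same name in different resource groups are indistinguishable. Compare on the resource ID instead, e.g. `if($Alert.Scope -contains $resource.Id)`. The pre-filter `Get-AzActivityLogAlert | where {$_.scope-match "routeTables"}` has the opposite problem: an alert rule scoped at subscription or resource group level with a condition on operation name `Microsoft.Network/routeTables/write` (the usual way to cover every route table with one rule) has a scope of `/subscriptions/...` with no `routeTables` in it, so it is discarded and every table in that subscription is reported as needing an alert. Either include alerts whose scope is a prefix of `$resource.Id`, or document that the script only recognises per-resource alert rules. Nothing checks `Enabled` or the alert's condition, so a disabled rule, or one that only fires on delete, still counts as "alert configured"; the comment says "modifications", so at minimum check that the rule is enabled and that its condition covers the write operation. Finally, `Get-AzSubscription` also returns disabled subscriptions, on which `Set-AzContext` fails; filter with `Where-Object State -eq 'Enabled'`. Also note `set-azcontext` / `Get-azsubscription` / `where` casing and aliases are inconsistent with the rest of the script; use the full cmdlet names and `Where-Object` for a doc sample.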
docs/content/services/networking/route-table/code/rt-2/rt-2.ps1 (17 additions & 0 deletions)
@@ -0,0 +1,17 @@ | ||
#Pulls a list of all Route Tables without a resource lock configured. | ||
$NeedsResourceLock = @() | ||
$subscriptions = Get-azsubscription | ||
|
||
foreach ($subscription in $subscriptions){ | ||
set-azcontext $subscription | Out-Null | ||
|
||
$RouteTables= Get-AzRouteTable | ||
$ResourceLocks = Get-AzResourceLock | ||
$RouteTableLocks = $ResourceLocks | where{$_.resourcetype -eq "Microsoft.Network/routeTables"} | ||
$ResourceGroupLocks = $ResourceLocks | where{$_.resourcetype -eq "Microsoft.Authorization/locks"} | ||
foreach ($resource in $RouteTables){ | ||
If ($routetablelocks.resourcename -notcontains $resource.name -and $ResourceGroupLocks.ResourceGroupName -notcontains $resource.ResourceGroupName){$NeedsResourceLock += $resource} | ||
} | ||
} | ||
|
||
$NeedsResourceLock | select Name, ResourceType, ResourceGroupName, Location, ID | format-table |
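Review bot: subscription-level locks are not accounted for in the check `If ($routetablelocks.resourcename -notcontains $resource.name -and $ResourceGroupLocks.ResourceGroupName -notcontains $resource.ResourceGroupName)`; a subscription-scoped lock also comes back with `ResourceType` of `Microsoft.Authorization/locks` but has no `ResourceGroupName`, so every route table in a subscription protected that way is reported as unlocked. Treat a lock with an empty `ResourceGroupName` as covering the whole subscription, or compare `$resource.Id` against the lock's scope instead of against names. The resource-level test is name-only: a lock on a route table called `rt-hub` in one resource group makes an unrelated `rt-hub` in another resource group look locked, so add `ResourceGroupName` to the comparison (or again compare resource IDs). The script also ignores the lock level (`$_.Properties.level`, `CanNotDelete` vs `ReadOnly`), so the output cannot tell the reader which of the two RT-2 options is in place; since the page text discusses both, it would help to report the level rather than only presence. As in rt-1.ps1, `Get-azsubscription` should exclude disabled subscriptions before `set-azcontext` is called on them, and the `where{...}` alias should be `Where-Object` for consistency.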