This repository has been archived by the owner on May 7, 2024. It is now read-only.
Commit
Co-authored-by: Rodrigo Santos <[email protected]>
1 parent ee31c7a, commit 40adc48
Showing 80 changed files with 1,264 additions and 99 deletions.
11 changes: 7 additions & 4 deletions
docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql
@@ -1,4 +1,7 @@ | ||
Resources | ||
| where type == "microsoft.network/applicationGateways" | ||
| where properties.capacity.autoScaleConfiguration != null | ||
| where properties.capacity.autoScaleConfiguration.minCapacity >= 2 | ||
// Azure Resource Graph Query | ||
// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1 | ||
resources | ||
| where type =~ "microsoft.network/applicationGateways" | ||
| where isnull(properties.capacity.autoScaleConfiguration) or properties.capacity.autoScaleConfiguration.minCapacity <= 1 | ||
| project recommendationId = "appgw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1" | ||
| order by id asc |
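Review bot: the property path on the two `where` lines needs confirming before this ships: Application Gateway exposes its autoscale settings as `properties.autoscaleConfiguration` (with `minCapacity` and `maxCapacity`) next to `properties.sku.capacity`, and I am not aware of a `properties.capacity.autoScaleConfiguration` node. If that path does not resolve, `isnull(...)` is true for every gateway and the query reports all of them as non-compliant, which also makes the constant `param1` misleading; emitting the observed value, e.g. `param1 = strcat("minCapacity: ", tostring(properties.autoscaleConfiguration.minCapacity))`, lets a reader tell "no autoscale" from "minCapacity 1". Inverting the old `minCapacity >= 2` filter into `isnull(...) or minCapacity <= 1` and moving to the case-insensitive `=~` type match are the right direction.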
9 changes: 6 additions & 3 deletions
docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql
@@ -1,4 +1,7 @@ | ||
// Azure Resource Graph Query | ||
// This query will return all Application Gateways that do not have WAF enabled | ||
Resources | ||
| where type == "microsoft.network/applicationGateways" | ||
| where properties.webApplicationFirewallConfiguration != null | ||
| project name, waf_enabled = tobool(properties.webApplicationFirewallConfiguration.enabled) | ||
| where type =~ "microsoft.network/applicationGateways" | ||
| where isnull(properties.webApplicationFirewallConfiguration) | ||
| project recommendationId = "appgw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull" | ||
| order by id asc |
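Review bot: the new filter `isnull(properties.webApplicationFirewallConfiguration)` misses two cases the old query partly covered. A gateway can carry that block with `enabled` set to false; the old projection `tobool(properties.webApplicationFirewallConfiguration.enabled)` surfaced this, the new query treats it as compliant. Conversely, a WAF_v2 gateway that is attached to a WAF policy through `properties.firewallPolicy` need not have a `webApplicationFirewallConfiguration` block at all and would be flagged as having no WAF. Suggest `| where isnull(properties.firewallPolicy) and (isnull(properties.webApplicationFirewallConfiguration) or tobool(properties.webApplicationFirewallConfiguration.enabled) == false)` and a `param1` that states which of the two conditions fired.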
12 changes: 7 additions & 5 deletions
docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql
@@ -1,6 +1,8 @@ | ||
Resources | ||
| where type == "microsoft.network/applicationGateways" | ||
// Azure Resource Graph Query | ||
// This query will return all Application Gateways in your Azure environment and will identify if they are v1 or v2 | ||
resources | ||
| where type =~ "microsoft.network/applicationGateways" | ||
| extend sku = tolower(tostring(properties.sku.name)) | ||
| extend is_v2 = iif(startswith(sku, "standard_v2"), true, false) | ||
| extend is_v1 = iif(startswith(sku, "standard"), not(is_v2), false) | ||
| project name, is_v1, is_v2 | ||
| where sku != "waf_v2" and sku != "standard_v2" | ||
| project recommendationId = "appgw-4", name, id, param1 = "sku: v1" | ||
| order by id asc |
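Review bot: `where sku != "waf_v2" and sku != "standard_v2"` is a deny-list, so any SKU name that is neither of those two strings (including SKUs introduced after this query was written) is reported as `sku: v1`. Matching the v1 tier directly is more robust, e.g. `| where tolower(tostring(properties.sku.tier)) in ("standard", "waf")`, and `param1` should carry the observed value, `strcat("sku: ", sku)`, rather than the constant `"sku: v1"`. Dropping the old `is_v1`/`is_v2` derivation is fine: `startswith(sku, "standard")` never matched the `waf_medium`/`waf_large` v1 SKUs, so it under-reported as well.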
153 changes: 153 additions & 0 deletions
docs/content/services/networking/network-security-group/_index.md
@@ -0,0 +1,153 @@ | ||
+++ | ||
title = "Network Security Group" | ||
description = "Best practices and resiliency recommendations for Network Security Group and associated resources and settings." | ||
date = "9/19/23" | ||
author = "rodrigosantosms" | ||
msAuthor = "rodrigosantosms" | ||
draft = false | ||
+++ | ||
|
||
The presented resiliency recommendations in this guidance include Network Security Group and associated resources and settings. | ||
|
||
## Summary of Recommendations | ||
|
||
{{< table style="table-striped" >}} | ||
| Recommendation | Category | Impact | State | ARG Query Available | | ||
| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------: | :------: | :------: | :-----------------: | | ||
| [NSG-1 - Configure Diagnostic Settings for all Azure Resources](#nsg-1---configure-diagnostic-settings-for-all-azure-resources) | Monitoring | Medium | Preview | No | | ||
| [NSG-2 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-2---monitor-changes-in-network-security-groups-with-azure-monitor) | Monitoring | Low | Preview | No | | ||
| [NSG-3 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-3---configure-locks-for-network-security-groups-to-avoid-accidental-changes-andor-deletion) | Governance | Low | Preview | No | | ||
| [NSG-4 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-4---configure-nsg-flow-logs) | Monitoring | Medium | Preview | Yes | | ||
| [NSG-5 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-5---the-nsg-only-has-default-security-rules-make-sure-to-configure-the-necessary-rules) | Access & Security | Medium | Preview | Yes | | ||
{{< /table >}} | ||
|
||
{{< alert style="info" >}} | ||
|
||
Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) | ||
|
||
{{< /alert >}} | ||
|
||
## Recommendations Details | ||
|
||
### NSG-1 - Configure Diagnostic Settings for all Azure Resources | ||
|
||
**Category: Monitoring** | ||
|
||
**Impact: Medium** | ||
|
||
**Recommendation/Guidance** | ||
|
||
Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations. | ||
|
||
**Resources** | ||
|
||
- [Diagnostic settings in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/nsg-1/nsg-1.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> | ||
|
||
### NSG-2 - Monitor changes in Network Security Groups with Azure Monitor | ||
|
||
**Category: Monitoring** | ||
|
||
**Impact: Low** | ||
|
||
**Recommendation/Guidance** | ||
|
||
Create Alerts for administrative operations such as Create or Update Network Security Group rules with Azure Monitor to detect unauthorized/undesired changes to production resources, this alert can help identify undesired changes in the default security, such as attempts to by-pass firewalls or from accessing resources externally. | ||
|
||
**Resources** | ||
|
||
- [Azure Monitor activity log](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/nsg-2/nsg-2.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> | ||
|
||
### NSG-3 - Configure locks for Network Security Groups to avoid accidental changes and/or deletion | ||
|
||
**Category: ** | ||
|
||
**Impact: Medium** | ||
|
||
**Recommendation/Guidance** | ||
|
||
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. | ||
You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. | ||
|
||
**Resources** | ||
|
||
- [Lock your resources to protect your infrastructure](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/nsg-3/nsg-3.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> | ||
|
||
### NSG-4 - Configure NSG Flow Logs | ||
|
||
**Category: Monitoring** | ||
|
||
**Impact: Medium** | ||
|
||
**Recommendation/Guidance** | ||
|
||
It's vital to monitor, manage, and know your own network so that you can protect and optimize it. You need to know the current state of the network, who's connecting, and where users are connecting from. You also need to know which ports are open to the internet, what network behavior is expected, what network behavior is irregular, and when sudden rises in traffic happen. | ||
|
||
Flow logs are the source of truth for all network activity in your cloud environment. Whether you're in a startup that's trying to optimize resources or a large enterprise that's trying to detect intrusion, flow logs can help. You can use them for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions, and more. | ||
|
||
**Resources** | ||
|
||
- [Flow logging for network security groups](https://learn.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/nsg-4/nsg-4.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> | ||
|
||
### NSG-5 - The NSG only has Default Security Rules, make sure to configure the necessary rules | ||
|
||
**Category: Access & Security** | ||
|
||
**Impact: Medium** | ||
|
||
**Recommendation/Guidance** | ||
|
||
You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. | ||
|
||
**Resources** | ||
|
||
- [Security rules](https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/nsg-5/nsg-5.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> |
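Review bot: the summary table rows for NSG-3, NSG-4 and NSG-5 reuse the NSG-2 link text "Monitor changes in Network Security Groups with Azure Monitor" while their anchors point at the locks, flow logs and default-rules sections; the visible text should match the `###` headings below ("Configure locks for Network Security Groups...", "Configure NSG Flow Logs", "The NSG only has Default Security Rules..."). Further down, `**Category: **` under NSG-3 is empty where the table says Governance. Style: the NSG-2 guidance is a single run-on sentence ("...production resources, this alert can help identify...") that reads better split at that comma, and "by-pass" should be "bypass".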
2 changes: 2 additions & 0 deletions
docs/content/services/networking/network-security-group/code/nsg-1/nsg-1.kql
@@ -0,0 +1,2 @@ | ||
// Azure Resource Graph Query | ||
// Under development |
2 changes: 2 additions & 0 deletions
docs/content/services/networking/network-security-group/code/nsg-2/nsg-2.kql
@@ -0,0 +1,2 @@ | ||
// Azure Resource Graph Query | ||
// Under development |
2 changes: 2 additions & 0 deletions
docs/content/services/networking/network-security-group/code/nsg-3/nsg-3.kql
@@ -0,0 +1,2 @@ | ||
// Azure Resource Graph Query | ||
// Under development |
6 changes: 6 additions & 0 deletions
docs/content/services/networking/network-security-group/code/nsg-4/nsg-4.kql
@@ -0,0 +1,6 @@ | ||
// Azure Resource Graph Query | ||
// This query will return all NSGs that do not have flow logs enabled | ||
resources | ||
| where type =~ "microsoft.network/networksecuritygroups" | ||
| where isnull(properties.flowLogs) | ||
| project recommendationId = "nsg-4", name, id, param1 = "NSG Flow Logs Disabled" |
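Review bot: `isnull(properties.flowLogs)` only catches an NSG where the property is absent; Resource Graph may also return `flowLogs` as an empty array, which is not null, so an NSG whose flow log was removed would pass. Use `| where isnull(properties.flowLogs) or array_length(properties.flowLogs) == 0`. This query also lacks the trailing `| order by id asc` the appgw queries in this commit end with, and it does not check whether a referenced flow log is actually enabled; that is nw-2's job, which is worth saying in the header comment so the two are not read as duplicates.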
7 changes: 7 additions & 0 deletions
docs/content/services/networking/network-security-group/code/nsg-5/nsg-5.kql
@@ -0,0 +1,7 @@ | ||
// Azure Resource Graph Query | ||
// This query will return all NSGs that have NO security rules | ||
resources | ||
| where type =~ "microsoft.network/networksecuritygroups" | ||
| extend sr = string_size(properties.securityRules) | ||
| where sr <=2 or isnull(properties.securityRules) | ||
| project recommendationId = "nsg-5", name, id |
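Review bot: `string_size(properties.securityRules) <= 2` detects an empty array only because its JSON serialization is the two characters `[]`, which is fragile and obscures intent; `array_length(properties.securityRules) == 0` is the direct test and pairs naturally with the null check: `| where isnull(properties.securityRules) or array_length(properties.securityRules) == 0`. The `project` line is also the only one in this commit without a `param1` column, so consumers expecting the common `recommendationId, name, id, param1` shape get an inconsistent result set; `param1 = "securityRules: none (default rules only)"` would match the page heading. Minor: `sr <=2` wants a space before `2` like the other comparisons.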
75 changes: 75 additions & 0 deletions
docs/content/services/networking/network-watcher/_index.md
@@ -0,0 +1,75 @@ | ||
+++ | ||
title = "Network Watcher" | ||
description = "Best practices and resiliency recommendations for Network Watcher and associated resources and settings." | ||
date = "9/19/23" | ||
author = "rodrigosantosms" | ||
msAuthor = "rodrigosantosmsS" | ||
draft = false | ||
+++ | ||
|
||
The presented resiliency recommendations in this guidance include Network Watcher and associated resources and settings. | ||
|
||
## Summary of Recommendations | ||
|
||
{{< table style="table-striped" >}} | ||
| Recommendation | Category | Impact | State | ARG Query Available | | ||
| :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :------------: | :------: | :------: | :-----------------: | | ||
| [NW-1 - Deploy Network Watcher in all regions where you have networking services](#nw-1---deploy-network-watcher-in-all-regions-where-you-have-networking-services) | Monitoring | Low | Preview | Yes | | ||
| [NW-2 - Fix Flow Log configurations in Failed state or Disabled Status](#nw-2---fix-flow-log-configurations-in-failed-state-or-disabled-status) | Monitoring | Low | Preview | Yes | | ||
{{< /table >}} | ||
|
||
{{< alert style="info" >}} | ||
|
||
Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) | ||
|
||
{{< /alert >}} | ||
|
||
## Recommendations Details | ||
|
||
### NW-1 - Deploy Network Watcher in all regions where you have networking services | ||
|
||
**Category: Monitoring** | ||
|
||
**Impact: Low** | ||
|
||
**Recommendation/Guidance** | ||
|
||
Azure Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for Azure IaaS (Infrastructure-as-a-Service) resources. Network Watcher enables you to monitor and repair the network health of IaaS products like virtual machines (VMs), virtual networks (VNets), application gateways, load balancers, etc. Network Watcher isn't designed or intended for PaaS monitoring or Web analytics. | ||
|
||
**Resources** | ||
|
||
- [What is Azure Network Watcher?](https://learn.microsoft.com/azure/network-watcher/network-watcher-overview) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/nw-1/nw-1.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> | ||
|
||
### NW-2 - Fix Flow Log configurations in Failed state or Disabled Status | ||
|
||
**Category: Monitoring** | ||
|
||
**Impact: Low** | ||
|
||
**Recommendation/Guidance** | ||
|
||
Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. If the flow log is in Failed state, the monitoring data from the associated resource is not being collected. | ||
|
||
**Resources** | ||
|
||
- [Manage NSG flow logs using the Azure portal](https://learn.microsoft.com/azure/network-watcher/nsg-flow-logging) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/nw-2/nw-2.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> |
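Review bot: `msAuthor = "rodrigosantosmsS"` has a trailing `S` that does not match `author = "rodrigosantosms"` two lines above or the `msAuthor` value used in the network-security-group page in this same commit; fix the typo. `date = "9/19/23"` is ambiguous outside the US; if the theme parses the field, an ISO date avoids the problem.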
9 changes: 9 additions & 0 deletions
docs/content/services/networking/network-watcher/code/nw-1/nw-1.kql
@@ -0,0 +1,9 @@ | ||
// Azure Resource Graph Query | ||
// This query will return all locations that do not have a Network Watcher deployed | ||
resources | ||
| where location != "global" | ||
| union (Resources | ||
| where type =~ "microsoft.network/networkwatchers") | ||
| summarize NetworkWatcherCount = countif(type =~ 'Microsoft.Network/networkWatchers') by location | ||
| where NetworkWatcherCount == 0 | ||
| project recommendationId = "nw-1", name=location, id="n/a", param1 = strcat("LocationMisingNetworkWatcher:", location) |
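Review bot: the `union (Resources | where type =~ "microsoft.network/networkwatchers")` leg is redundant: the first leg, `resources | where location != "global"`, already contains every regional Network Watcher, so the union only double-counts them, harmless for the `== 0` test but misleading if anyone reads `NetworkWatcherCount`. The heading says "regions where you have networking services", yet the first leg counts resources of any type, so a region holding only non-network resources is flagged too; restricting that leg with `type startswith "microsoft.network/"` (minus the watchers themselves) matches the stated intent. Also `"LocationMisingNetworkWatcher:"` in `param1` is missing an `s` in "Missing".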
10 changes: 10 additions & 0 deletions
docs/content/services/networking/network-watcher/code/nw-2/nw-2.kql
@@ -0,0 +1,10 @@ | ||
// Azure Resource Graph Query | ||
// This query will return all Network Watcher Flow Logs that are not enabled or in a succeeded state | ||
resources | ||
| where type =~ "microsoft.network/networkwatchers/flowlogs" and isnotnull(properties) | ||
| extend targetResourceId = tostring(properties.targetResourceId) | ||
| extend status = iff(properties.enabled =~ 'true', "Enabled", "Disabled") | ||
| extend provisioningState = tostring(properties.provisioningState) | ||
| extend flowLogType = iff(properties.targetResourceId contains "Microsoft.Network/virtualNetworks", 'Virtual network', 'Network security group') | ||
| where provisioningState != "Succeeded" or status != "Enabled" | ||
| project recommendationId = "nw-2", name, id, param1 = strcat("provisioningState:", provisioningState), param2=strcat("Status:", status), param3=strcat("targetResourceId:",targetResourceId), param4=strcat("flowLogType:",flowLogType) |
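Review bot: `properties.enabled =~ 'true'` applies a case-insensitive string comparison to a boolean property; `status = iff(tobool(properties.enabled) == true, "Enabled", "Disabled")` states the intent directly and does not depend on how the dynamic value is coerced to text. Minor: this file uses `iff(...)` while appgw-4 in the same commit uses `iif(...)`; pick one spelling for the repository.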
50 changes: 50 additions & 0 deletions
docs/content/services/networking/private-endpoints/_index.md
@@ -0,0 +1,50 @@ | ||
+++ | ||
title = "Private Endpoints" | ||
description = "Best practices and resiliency recommendations for Private Endpoints and associated resources and settings." | ||
date = "9/19/23" | ||
author = "CHANGE ME TO YOUR GITHUB USERNAME" | ||
msAuthor = "CHANGE ME TO YOUR MICROSOFT ALIAS" | ||
draft = false | ||
+++ | ||
|
||
The presented resiliency recommendations in this guidance include Private Endpoints and associated resources and settings. | ||
|
||
## Summary of Recommendations | ||
|
||
{{< table style="table-striped" >}} | ||
| Recommendation | Category | Impact | State | ARG Query Available | | ||
| :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------: | :------: | :------: | :-----------------: | | ||
| [PEP-1 - Resolve issues with Private Endpoints in non Succeeded connection state](#pep-1---resolve-issues-with-private-endpoints-in-non-succeeded-connection-state) | Networking | Medium | Preview | Yes | | ||
{{< /table >}} | ||
|
||
{{< alert style="info" >}} | ||
|
||
Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) | ||
|
||
{{< /alert >}} | ||
|
||
## Recommendations Details | ||
|
||
### PEP-1 - Resolve issues with Private Endpoints in non Succeeded connection state | ||
|
||
**Category: Networking** | ||
|
||
**Impact: Medium** | ||
|
||
**Recommendation/Guidance** | ||
|
||
A private endpoint has two custom properties, static IP address and the network interface name. These properties must be set when the private endpoint is created. I the state is not in Succeeded state, there might be a problem with the private endpoint or with the associated resource. | ||
|
||
**Resources** | ||
|
||
- [Private endpoint connections](https://learn.microsoft.com/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections) | ||
|
||
**Resource Graph Query/Scripts** | ||
|
||
{{< collapse title="Show/Hide Query/Script" >}} | ||
|
||
{{< code lang="sql" file="code/pep-1/pep-1.kql" >}} {{< /code >}} | ||
|
||
{{< /collapse >}} | ||
|
||
<br><br> |
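Review bot: the front matter still carries the template placeholders `author = "CHANGE ME TO YOUR GITHUB USERNAME"` and `msAuthor = "CHANGE ME TO YOUR MICROSOFT ALIAS"`; these render into the page metadata and should be filled in before merge, as they are on the other two pages in this commit. In the guidance paragraph, "I the state is not in Succeeded state" should read "If the private endpoint is not in the Succeeded state", and the opening two sentences about the static IP address and network interface name do not support the recommendation; either drop them or connect them to the provisioning-state check the query performs.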
6 changes: 6 additions & 0 deletions
docs/content/services/networking/private-endpoints/code/pep-1/pep-1.kql
@@ -0,0 +1,6 @@ | ||
// Azure Resource Graph Query | ||
// This query will return all Private Endpoints that are not in a Succeeded state | ||
resources | ||
| where type =~ "microsoft.network/privateendpoints" | ||
| where properties.provisioningState != "Succeeded" or properties.privateLinkServiceConnections[0].properties.provisioningState != "Succeeded" | ||
| project recommendationId = "pep-1", name, id, param1 = strcat("provisioningState: ", tostring(properties.provisioningState)), param2 = strcat("provisioningState: ", tostring(properties.privateLinkServiceConnections[0].properties.provisioningState)) |
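Review bot: `properties.privateLinkServiceConnections[0]` inspects only the first automatic connection, so endpoints created with manual approval (`properties.manualPrivateLinkServiceConnections`) are never examined, and the approval outcome itself, `...privateLinkServiceConnectionState.status` (Approved, Pending, Rejected), is not checked even though the heading speaks of the connection state. Consider expanding both arrays with `mv-expand` and testing that status alongside the two provisioning states. Also `param1` and `param2` both use the label `"provisioningState: "`; the second should read `"connectionProvisioningState: "` so consumers can tell the endpoint's state from the connection's.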