Framework/Configurations/SVT/Services/VirtualNetwork.json
{
"FeatureName": "VirtualNetwork", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_VNet_NetSec_Justify_PublicIPs", "Description": "Minimize the number of Public IPs (i.e. NICs with PublicIP) on a Virtual Network", "Id": "VirtualNetwork110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIps", "Recommendation": "Unutilized Public IP address must be removed from Virtual Network. For more information visit: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermpublicipaddress", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "NICName", "VMName", "PrimaryStatus", "NetworkSecurityGroupName", "PublicIpAddress", "PrivateIpAddress" ] }, { "ControlID": "Azure_VNet_NetSec_Justify_IPForwarding_for_NICs", "Description": "Use of IP Forwarding on any NIC in a Virtual Network should be scrutinized", "Id": "VirtualNetwork120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckIPForwardingforNICs", "Recommendation": "Disable IP Forwarding unless it has been reviewed and approved by network security team. Go to Azure Portal --> Navigate to VM NIC (where IP Forwarding is enabled) --> IP Configurations --> IP Forwarding settings --> Click on 'Disabled'.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "NICName", "EnableIPForwarding" ] }, { "ControlID": "Azure_VNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet", "Description": "There must not be any NSGs on the GatewaySubnet of a Virtual Network", "Id": "VirtualNetwork130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGUseonGatewaySubnet", "Recommendation": "If there is an NSG on the Gateway Subnet, remove it. 
Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-nsg-arm-ps#delete-an-nsg", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "Name", "NetworkSecurityGroup" ] }, { "ControlID": "Azure_VNet_NetSec_Configure_NSG", "Description": "NSG should be used for subnets in a Virtual Network to permit traffic only on required inbound/outbound ports. NSGs should not have a security rule that allows any-to-any traffic", "Id": "VirtualNetwork140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGConfigured", "Recommendation": "NSG should have security rules defined to allow only required inbound/outbound ports. To remove existing rules from an NSG: (a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Remove unutilized 'Allow' action rules. (b) Azure Portal -> Network security groups -> <Your NSG> -> Outbound security rules -> Remove unutilized 'Allow' action rules.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "Name", "Properties" ] }, { "ControlID": "Azure_VNet_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "VirtualNetwork150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Remove any excessive privileges granted on the App Service. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>'. 
Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Justify_Gateways", "Description": "Presence of any virtual network gateways (GatewayType = VPN/ExpressRoute) in the Virtual Network must be justified", "Id": "VirtualNetwork160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGatewayUsed", "Recommendation": "Remove virtual network gateways using Remove-AzureRmVirtualNetworkGateway command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzureRmVirtualNetworkGateway -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Justify_Peering", "Description": "Use of any Virtual Network peerings should be justified", "Id": "VirtualNetwork170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVnetPeering", "Recommendation": "Remove Virtual Network peering using Remove-AzureRmVirtualNetworkPeering command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzureRmVirtualNetworkPeering -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true } ] } |