Framework/Configurations/SVT/Services/VirtualNetwork.json

{
  "FeatureName": "VirtualNetwork",
  "Reference": "aka.ms/azsdkosstcp",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_VNet_NetSec_Justify_PublicIPs",
      "Description": "Minimize the number of Public IPs (i.e. NICs with PublicIP) on a Virtual Network",
      "Id": "VirtualNetwork110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIps",
      "Recommendation": "Unutilized Public IP addresses must be removed from the Virtual Network. For more information visit: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermpublicipaddress",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "NICName",
        "VMName",
        "PrimaryStatus",
        "NetworkSecurityGroupName",
        "PublicIpAddress",
        "PrivateIpAddress"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_IPForwarding_for_NICs",
      "Description": "Use of IP Forwarding on any NIC in a Virtual Network should be scrutinized",
      "Id": "VirtualNetwork120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckIPForwardingforNICs",
      "Recommendation": "Disable IP Forwarding unless it has been reviewed and approved by network security team. Go to Azure Portal --> Navigate to VM NIC (where IP Forwarding is enabled) --> IP Configurations --> IP Forwarding settings --> Click on 'Disabled'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "NICName",
        "EnableIPForwarding"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet",
      "Description": "There must not be any NSGs on the GatewaySubnet of a Virtual Network",
      "Id": "VirtualNetwork130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGUseonGatewaySubnet",
      "Recommendation": "If there is an NSG on the Gateway Subnet, remove it. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-nsg-arm-ps#delete-an-nsg",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "NetworkSecurityGroup"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Configure_NSG",
      "Description": "NSGs should be used for subnets in a Virtual Network to permit traffic only on required inbound/outbound ports. NSGs should not have a security rule that allows any-to-any traffic",
      "Id": "VirtualNetwork140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfigured",
      "Recommendation": "NSG should have security rules defined to allow only required inbound/outbound ports. To remove existing rules from an NSG: (a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Remove unutilized 'Allow' action rules. (b) Azure Portal -> Network security groups -> <Your NSG> -> Outbound security rules -> Remove unutilized 'Allow' action rules.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "Properties"
      ]
    },
    {
      "ControlID": "Azure_VNet_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "VirtualNetwork150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Remove any excessive privileges granted on the Virtual Network. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_Gateways",
      "Description": "Presence of any virtual network gateways (GatewayType = VPN/ExpressRoute) in the Virtual Network must be justified",
      "Id": "VirtualNetwork160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckGatewayUsed",
      "Recommendation": "Remove virtual network gateways using the Remove-AzureRmVirtualNetworkGateway command (unless their presence has been approved by the network security team). Run 'Get-Help Remove-AzureRmVirtualNetworkGateway -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_Peering",
      "Description": "Use of any Virtual Network peerings should be justified",
      "Id": "VirtualNetwork170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckVnetPeering",
      "Recommendation": "Remove Virtual Network peerings using the Remove-AzureRmVirtualNetworkPeering command (unless their presence has been approved by the network security team). Run 'Get-Help Remove-AzureRmVirtualNetworkPeering -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    }
  ]
}