Framework/Configurations/SVT/Services/VirtualNetwork.json
{
"FeatureName": "VirtualNetwork", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_VNet_NetSec_Justify_PublicIPs", "Description": "Public IPs (i.e. NICs with PublicIP) on a Virtual Network should be minimized", "Id": "VirtualNetwork110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIps", "Recommendation": "Unutilized public IP addresses must be removed from the Virtual Network. For more information, visit: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermpublicipaddress", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Justify_IPForwarding_for_NICs", "Description": "Use of 'IP Forwarding' on any NIC in a Virtual Network should be scrutinized", "Id": "VirtualNetwork120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckIPFarwardingforNICs", "Recommendation": "IP Forwarding should be enabled only if required. For more information, visit: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet", "Description": "There must not be any NSGs on the GatewaySubnet of the VNet", "Id": "VirtualNetwork130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGUseonGatewaySubnet", "Recommendation": "This is the default behavior; no action is required.", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Configure_NSG", "Description": "NSG should be configured for subnet(s) in VNet to allow traffic only on required inbound/outbound ports. 
NSG should not have a security rule that allows any-to-any outbound traffic", "Id": "VirtualNetwork140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGConfigured", "Recommendation": "NSG should have security rules defined to block unused inbound/outbound ports. To remove existing rules from the NSG: a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Remove unutilized Allow action rules. b) Azure Portal -> Network security groups -> <Your NSG> -> Outbound security rules -> Remove unutilized Allow action rules.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_VNet_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted the minimum required permissions using Role Based Access Control (RBAC)", "Id": "VirtualNetwork150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Justify_Gateways", "Description": "If there are any virtual network gateways (GatewayType = VPN/ExpressRoute) in the VNet, their presence should be justified", "Id": "VirtualNetwork160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGatewayUsed", "Recommendation": "Remove unutilized virtual network gateways using the Remove-AzureRmVirtualNetworkGateway command. Run 'Get-Help Remove-AzureRmVirtualNetworkGateway -full' to get the complete details about this command.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Justify_Peering", "Description": "If there is a VNet-to-VNet peering, its presence should be justified", "Id": "VirtualNetwork170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVnetPeering", "Recommendation": "Remove unutilized VNet peering using the Remove-AzureRmVirtualNetworkPeering command. 
Run 'Get-Help Remove-AzureRmVirtualNetworkPeering -full' to get the complete details about this command.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true } ] }