Framework/Configurations/SVT/Services/ERvNet.json
{
"FeatureName": "ERvNet", "Reference": "aka.ms/azsdkosstcp/ervnet", "IsManintenanceMode": false, "Controls": [
{ "ControlID": "Azure_ERvNet_NetSec_Dont_Use_PublicIPs", "Description": "There must not be any Public IPs (i.e., NICs with PublicIP) on ExpressRoute-connected VMs", "Id": "ERvNet110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIps", "Recommendation": "All Public IP addresses must be removed from an ExpressRoute-connected virtual network. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermpublicipaddress", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "NICName", "VMName", "PrimaryStatus", "NetworkSecurityGroupName", "PublicIpAddress", "PrivateIpAddress" ] },
{ "ControlID": "Azure_ERvNet_NetSec_Dont_Use_Multi_NIC_VMs", "Description": "There must not be multiple NICs on ExpressRoute-connected VMs", "Id": "ERvNet120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckMultiNICVMUsed", "Recommendation": "Only one NIC must be configured. All additional NICs must be removed. Refer: http://stackoverflow.com/questions/34526032/how-can-i-programmatically-detach-a-nic-from-its-vm-in-azure-arm", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true },
{ "ControlID": "Azure_ERvNet_NetSec_Dont_Enable_IPForwarding_for_NICs", "Description": "The 'EnableIPForwarding' flag must not be set to true for NICs in the ExpressRoute-connected vNet", "Id": "ERvNet130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckIPForwardingforNICs", "Recommendation": "IP Forwarding must be disabled on ExpressRoute-connected NICs. \nRefer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "NICName", "EnableIPForwarding" ] },
{ "ControlID": "Azure_ERvNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet", "Description": "There must not be any NSGs on the GatewaySubnet of the ExpressRoute-connected vNet", "Id": "ERvNet140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGUseonGatewaySubnet", "Recommendation": "If there is an NSG on the Gateway Subnet, remove it. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-nsg-arm-ps#delete-an-nsg", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "Name", "NetworkSecurityGroup" ] },
{ "ControlID": "Azure_ERvNet_NetSec_Dont_Add_UDRs_on_Subnets", "Description": "There must not be a UDR on *any* subnet in an ExpressRoute-connected vNet", "Id": "ERvNet150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckUDRAddedOnSubnet", "Recommendation": "Remove association between UDRs and respective subnets using the 'Remove-AzureSubnetRouteTable' command. Run 'Get-Help Remove-AzureSubnetRouteTable -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "Name", "RouteTable" ] },
{ "ControlID": "Azure_ERvNet_NetSec_Dont_Add_VPN_Gateways", "Description": "There must not be another virtual network gateway (GatewayType = Vpn) in an ExpressRoute-connected vNet", "Id": "ERvNet160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGatewayUsed", "Recommendation": "Remove any VPN Gateways from the ExpressRoute-connected virtual network. \nRefer: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-delete-vnet-gateway-powershell", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true },
{ "ControlID": "Azure_ERvNet_NetSec_Dont_Use_VNet_Peerings", "Description": "There must not be any virtual network peerings on an ExpressRoute-connected vNet", "Id": "ERvNet170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVnetPeering", "Recommendation": "Remove VNet peering using the 'Remove-AzureRmVirtualNetworkPeering' PS command. Run 'Get-Help Remove-AzureRmVirtualNetworkPeering -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true },
{ "ControlID": "Azure_ERvNet_NetSec_Use_Only_Internal_Load_Balancers", "Description": "Only internal load balancers (ILBs) may be used inside an ExpressRoute-connected vNet", "Id": "ERvNet180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInternalLoadBalancers", "Recommendation": "Remove external load balancers using the 'Remove-AzureRmLoadBalancer' PS command. Run 'Get-Help Remove-AzureRmLoadBalancer -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true },
{ "ControlID": "Azure_ERvNet_SI_Add_Only_Network_Resources", "Description": "Only resources of type Microsoft.Network/* must be added in the ERNetwork resource group", "Id": "ERvNet190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOnlyNetworkResourceExist", "Recommendation": "Move all other resources except Microsoft.Network/* to another resource group. \nTo move a resource, simply go to the Overview tab for it in the Azure portal and select the Move option.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": false, "DataObjectProperties": [ "ResourceType", "ResourceID" ] },
{ "ControlID": "Azure_ERvNet_SI_Dont_Remove_Resource_Lock", "Description": "Ensure that the ERNetwork resource group is protected with a resource lock", "Id": "ERvNet200", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckResourceLockConfigured", "Recommendation": "Create a new resource lock using command 'New-AzureRmResourceLock' and apply it to the ERNetwork resource group. Run 'Get-Help New-AzureRmResourceLock -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": false }
] }