"FeatureName": "ERvNet", "Reference": "", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_ERvNet_NetSec_Dont_Use_PublicIPs", "Description": "There must not be any Public IPs (i.e., NICs with PublicIP) on ExpressRoute-connected VMs", "Id": "ERvNet110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIps", "Rationale": "Public IP addresses on an ER-connected virtual network can expose the corporate network to security attacks from the internet.", "Recommendation": "Any Public IP addresses you added to an ER-connected virtual network must be removed. Refer:", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true, "DataObjectProperties": [ "NICName", "VMName", "PrimaryStatus", "NetworkSecurityGroupName", "PublicIpAddress", "PrivateIpAddress" ], "PolicyDefinitionGuid": "ERvNet110" }, { "ControlID": "Azure_ERvNet_NetSec_Dont_Use_Multi_NIC_VMs", "Description": "There must not be multiple NICs on ExpressRoute-connected VMs", "Id": "ERvNet120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckMultiNICVMUsed", "Rationale": "Using multiple NICs, one can route traffic between the ER-connected virtual network and another non-ER-connected virtual network. This can put the corporate network at risk. (Multi-NIC VMs on an ER-connected virtual network may be required in some advanced scenarios. You should engage the network security team for a review in such cases.)", "Recommendation": "Remove any additional NICs on VMs which are on an ER-connected virtual network. Refer:", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true }, { "ControlID": "Azure_ERvNet_NetSec_Dont_Enable_IPForwarding_for_NICs", "Description": "The 'EnableIPForwarding' flag must not be set to true for NICs in the ExpressRoute-connected vNet", "Id": "ERvNet130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckIPForwardingforNICs", "Rationale": "Using IP Forwarding one can change the routing of packets from an ER-connected virtual network. This can lead to bypass of network protections that are required and applicable for corpnet traffic. (IP Forwarding on an ER-connected virtual network may be required only in advanced scenarios such as Network Virtual Applicances. You should engage the network security team for a review in such cases.)", "Recommendation": "IP Forwarding must be disabled on ExpressRoute-connected NICs. Refer:", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true, "DataObjectProperties": [ "NICName", "EnableIPForwarding" ], "PolicyDefinitionGuid": "ERvNet130" }, { "ControlID": "Azure_ERvNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet", "Description": "There must not be any NSGs on the GatewaySubnet of the ExpressRoute-connected vNet", "Id": "ERvNet140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGUseonGatewaySubnet", "Rationale": "Using NSGs on the Gateway subnet of an ER-connected virtual network can cause the connection to stop functioning and may impact availability.", "Recommendation": "If you added any NSGs to the Gateway Subnet of the ER-connected virtual network, remove them. Refer:", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true, "DataObjectProperties": [ "Name", "NetworkSecurityGroup" ] }, { "ControlID": "Azure_ERvNet_NetSec_Dont_Add_UDRs_on_Subnets", "Description": "There must not be a UDR on *any* subnet in an ExpressRoute-connected vNet", "Id": "ERvNet150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckUDRAddedOnSubnet", "Rationale": "Using UDRs on any subnet of an ER-connected virtual network can lead to security exposure for corpnet traffic by allowing it to be routed in a way that evades inspection from network security scanners.", "Recommendation": "Remove association between any UDRs you may have added and respective subnets using the 'Remove-AzureSubnetRouteTable' command. Run 'Get-Help Remove-AzureSubnetRouteTable -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true, "DataObjectProperties": [ "Name", "RouteTable" ], "PolicyDefinitionGuid": "ERvNet150" }, { "ControlID": "Azure_ERvNet_NetSec_Dont_Add_VPN_Gateways", "Description": "There must not be another virtual network gateway (GatewayType = Vpn) in an ExpressRoute-connected vNet", "Id": "ERvNet160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGatewayUsed", "Rationale": "Using other gateway types on an ER-connected virtual network can lead to pathways for corpnet traffic where the traffic can get exposed to the internet or evade inspection from network security scanners. This creates a direct risk to corpnet security.", "Recommendation": "Remove any VPN Gateways from the ExpressRoute-connected virtual network. Refer:", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true, "PolicyDefinitionGuid": "ERvNet160" }, { "ControlID": "Azure_ERvNet_NetSec_Dont_Use_VNet_Peerings", "Description": "There must not be any virtual network peerings on an ExpressRoute-connected vNet", "Id": "ERvNet170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVnetPeering", "Rationale": "A virtual network peering on an ER-connected circuit establishes a link to another virtual network whereby traffic egress and ingress can evade inspection from network security appliances. This creates a direct risk to corpnet security.", "Recommendation": "Remove any VNet peering you added using the 'Remove-AzVirtualNetworkPeering' PS command. Run 'Get-Help Remove-AzVirtualNetworkPeering -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true, "PolicyDefinitionGuid": "ERvNet170", "DataObjectProperties": [ "AllowForwardedTraffic", "AllowGatewayTransit", "AllowVirtualNetworkAccess", "Id", "PeeringState", "RemoteGateways", "RemoteVirtualNetwork", "RemoteVirtualNetworkAddressSpace", "UseRemoteGateways" ], "IsAttestationDriftExpected": true, "OnAttestationDrift": { "ApplyToVersionsUpto" : "4.9.0", "ActionOnAttestationDrift": "CheckOnlySelectPropertiesInDataObject" } }, { "ControlID": "Azure_ERvNet_NetSec_Use_Only_Internal_Load_Balancers", "Description": "Only internal load balancers (ILBs) may be used inside an ExpressRoute-connected vNet", "Id": "ERvNet180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInternalLoadBalancers", "Rationale": "External load balancers on an ER-connected vNet can expose the corporate network to security attacks from the internet.", "Recommendation": "Remove any external load balancers you may have added using the 'Remove-AzLoadBalancer' PS command. Run 'Get-Help Remove-AzLoadBalancer -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet" ], "Enabled": true, "PolicyDefinitionGuid": "ERvNet180" }, { "ControlID": "Azure_ERvNet_SI_Add_Only_Network_Resources", "Description": "Only resources of type Microsoft.Network/* must be added in the ERNetwork resource group", "Id": "ERvNet190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOnlyNetworkResourceExist", "Rationale": "The ERNetwork resource group is a critical component that facilitates provisioning of an ER-connection for your subscription. This resource group is deployed and managed by the networking team and should not be used as a general purpose resource group or as a container for non-networking resources as it can impact the ER-connectivity of your subscription.", "Recommendation": "Move all other resources except Microsoft.Network/* to another resource group. To move a resource, simply go to the Overview tab for it in the Azure portal and select the Move option.", "Tags": [ "SDL", "TCP", "Automated", "SI", "ERvNet" ], "Enabled": false, "DataObjectProperties": [ "ResourceType", "ResourceID" ] }, { "ControlID": "Azure_ERvNet_SI_Dont_Remove_Resource_Lock", "Description": "Ensure that the ERNetwork resource group is protected with a resource lock", "Id": "ERvNet200", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckResourceLockConfigured", "Rationale": "The ERNetwork resource group is a critical component that facilitates provisioning of an ER-connection for your subscription. A resource lock is deployed on the ERNetwork resource group to keep you from deleting it accidentally. Removing this lock increases the chances of accidental write/delete of this resource group and that can impact ER-connectivity of your subscription.", "Recommendation": "Create a ReadOnly resource lock for every ER Network resource group using command New-AzResourceLock -LockName '{LockName}' -LockLevel 'ReadOnly' -Scope '/subscriptions/{SubscriptionId}/resourceGroups/{ERNetworkResourceGroup}'. Run 'Get-Help New-AzResourceLock -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "SI", "ERvNet" ], "Enabled": false, "PolicyDefinitionGuid": "ERvNet200" }, { "ControlID": "Azure_ERvNet_SI_Dont_Remove_ARM_Policy", "Description": "Ensure that ARM policies are deployed to protect the ERNetwork setup", "Id": "ERvNet210", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckARMPolicyConfigured", "Recommendation": "Run command 'Set-AzSKARMPolicies -Tags SDO' to set ARM Policies. Run 'Get-Help Set-AzSKARMPolicies -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "SI", "ERvNet" ], "Enabled": false } ] } |