module/ConfigurationProvider/ControlConfigurations/Services/LoadBalancer.json

{
  "FeatureName": "LoadBalancer",
  "Reference": "aka.ms/azsktcp/loadBalancer",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_LoadBalancer_NetSec_Restrict_Network_Traffic",
      "Description": "Protect Internet First Applications by restricting traffic on Azure Load Balancer",
      "Id": "LoadBalancer110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckLoadBalancerRestrictNetworkTraffic",
      "DisplayName": "Protect Internet First Applications by restricting traffic on Azure Load Balancer",
      "Rationale": "Restricting traffic on the Load Balancer further strengthens the security posture of your applications by protecting them from common web vulnerabilities. This allows you to secure both your internet-facing and your internal application workloads.",
      "Recommendation": "To restrict traffic on the Load Balancer, associate every subnet with an NSG or Azure Firewall. Refer to the following link to associate a subnet with an NSG: https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic",
      "Tags": [
        "Baseline",
        "LoadBalancer",
        "NetSec",
        "Daily"
      ],
      "Enabled": true,
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "EDPreview",
        "SMTPreview",
        "MSD",
        "CAIPreview",
        "TBv7",
        "SN:LoadBalancer_RestrictTraffic"
      ]
    },
    {
      "ControlID": "Azure_LoadBalancer_NetSec_Enable_DDoS_Protection",
      "Description": "Protect Internet First Applications with Azure Load Balancer and Azure DDoS protection",
      "Id": "LoadBalancer120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckLoadBalancerDDoSProtection",
      "DisplayName": "Protect Internet First Applications with Azure Load Balancer and Azure DDoS protection",
      "Rationale": "Enabling DDoS protection on the VNet of the frontend IP configurations provides protection and defense for Azure resources against the impacts of DDoS attacks.",
      "Recommendation": "To remediate, enable DDoS protection on the Virtual Network of every frontend IP configuration of the Load Balancer, or refer to the following link: https://learn.microsoft.com/en-us/azure/ddos-protection/manage-ddos-protection#enable-ddos-protection-for-an-existing-virtual-network",
      "Tags": [
        "Baseline",
        "Daily",
        "LoadBalancer",
        "NetSec",
        "Daily"
      ],
      "Enabled": true,
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv7",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:LoadBalancer_DDOS"
      ]
    },
    {
      "ControlID": "Azure_LoadBalancer_SI_Remove_Inactive_LoadBalancer",
      "Description": "Azure Load Balancer with no backend pools should be removed",
      "Id": "LoadBalancer130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "Category": "Security Hygiene best practices",
      "MethodName": "CheckLoadBalancerBackendConfiguration",
      "DisplayName": "Azure Load Balancer with no backend pools should be removed",
      "ControlRequirements": "Clean up unused resources to maintain security hygiene",
      "Rationale": "A Load Balancer distributes inbound flows that arrive at its frontend to backend pool instances. If there are no backend pools, the Load Balancer is simply unused. Cleaning up unused Load Balancers is recommended as a good hygiene practice.",
      "Recommendation": "To remediate, go to Azure portal -> Load Balancer -> Backend pools. If there are no pools, either delete the Load Balancer or attach it to a relevant backend pool.",
      "Tags": [
        "Baseline",
        "LoadBalancer",
        "SI"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExcludedSkuName": [
          "Classic"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv10",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Loadbalancer_RemoveInactive"
      ]
    }
  ]
}