rules/Azure.VNET.Rule.ps1
|
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

#
# Validation rules for virtual networking
#
# NOTE: this file ends with an Authenticode signature block ("# SIG # Begin signature block").
# Any change to the script text, including comments and whitespace, means the signature no
# longer matches; re-sign the file before using it under an execution policy that requires a
# valid signature (for example AllSigned).
#

#region Virtual Network

# Synopsis: Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
Rule 'Azure.VNET.UseNSGs' -Ref 'AZR-000263' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1' } {
    # Subnets that pass this rule without an NSG: the four built-in names below plus every
    # non-empty value of the AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG option. Each configured
    # name switches the NSG check off for that subnet, so the option should stay short and reviewed.
    $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet');
    foreach ($exclusion in $Configuration.GetStringValues('AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG')) {
        if ($exclusion) {
            $excludedSubnets += $exclusion;
        }
    }

    # True when the subnet carries a delegation to Microsoft.HardwareSecurityModules/dedicatedHSMs.
    function IsHSM($subnetObject) {
        return @($subnetObject.properties.delegations | Where-Object { $_.properties.serviceName -eq 'Microsoft.HardwareSecurityModules/dedicatedHSMs' }).Length -gt 0;
    }

    # True when the name returned by GetSubResourceName for this subnet is in the exclusion list.
    function IsExcludedSubnet($subnetName) {
        return [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($subnetName) -in $excludedSubnets;
    }

    # A subnet target is checked on its own; a virtual network target is expanded to the
    # subnets returned by GetVirtualNetworkSubnets, with null entries dropped.
    $subnet = @($TargetObject);
    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
        $subnet = @(GetVirtualNetworkSubnets | Where-Object { $null -ne $_ });
    }

    # No subnets to check: the rule passes.
    if ($subnet.Length -eq 0) {
        return $Assert.Pass();
    }

    foreach ($sn in $subnet) {
        # Excluded and HSM-delegated subnets pass without the NSG reference being inspected.
        if ((IsExcludedSubnet($sn.Name)) -or (IsHSM($sn))) {
            $Assert.Pass();
            continue;
        }

        # Every other subnet must have a value in properties.networkSecurityGroup.id.
        # Only the presence of the reference is asserted here, not the content of the NSG.
        $Assert.
        HasFieldValue($sn, 'properties.networkSecurityGroup.id').
        WithReason(($LocalizedData.SubnetNSGNotConfigured -f $sn.Name), $True);
    }
}

# Synopsis: VNETs should have at least two DNS servers assigned.
Rule 'Azure.VNET.SingleDNS' -Ref 'AZR-000264' -Type 'Microsoft.Network/virtualNetworks' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
    # If DNS servers are customized, at least two IP addresses should be defined.
    # An empty or missing dnsServers field passes.
    if ($Assert.NullOrEmpty($TargetObject, 'properties.dhcpOptions.dnsServers').Result) {
        $Assert.Pass()
    }
    else {
        $Assert.GreaterOrEqual($TargetObject, 'properties.dhcpOptions.dnsServers', 2);
    }
}

# Synopsis: Virtual networks (VNETs) should use Azure local DNS servers.
Rule 'Azure.VNET.LocalDNS' -Ref 'AZR-000265' -Type 'Microsoft.Network/virtualNetworks' -If { (IsExport) -and !($Configuration.GetBoolOrDefault('AZURE_VNET_DNS_WITH_IDENTITY', $False)) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
    # Precondition (-If above): the rule only runs when IsExport is true and the
    # AZURE_VNET_DNS_WITH_IDENTITY option is false, which is the default used here.

    # If DNS servers are customized, check what range the IPs are in
    if ($Assert.NullOrEmpty($TargetObject, 'properties.dhcpOptions.dnsServers').Result) {
        $Assert.Pass()
    }
    else {
        # Primary DNS server must be within VNET address space or peered VNET.
        # Only the first entry of dnsServers is checked; later entries are not inspected.
        $dnsServers = @($TargetObject.properties.dhcpOptions.dnsServers)
        $primary = $dnsServers[0]
        $localRanges = @();
        $localRanges += $TargetObject.properties.addressSpace.addressPrefixes
        # Address prefixes of peered networks count as local when peerings are present.
        if ($Assert.HasFieldValue($TargetObject, 'properties.virtualNetworkPeerings').Result) {
            $localRanges += $TargetObject.properties.virtualNetworkPeerings.properties.remoteAddressSpace.addressPrefixes
        }

        # Determine if the primary is in range
        WithinCIDR -IP $primary -CIDR $localRanges
    }
}

# Synopsis: VNET peering connections must be connected.
Rule 'Azure.VNET.PeerState' -Ref 'AZR-000266' -If { (HasPeerNetwork) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Operational Excellence'; } {
    # One assertion per peering: Properties.peeringState must be 'Connected'.
    $peers = @($TargetObject.properties.virtualNetworkPeerings);
    foreach ($peer in $peers) {
        $Assert.HasFieldValue($peer, 'Properties.peeringState', 'Connected');
    }
}

# Synopsis: Subnet names should meet naming requirements.
Rule 'Azure.VNET.SubnetName' -Ref 'AZR-000267' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming' } {
    # https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftnetwork
    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
        # Virtual network target: check each inline subnet; a VNET without subnets passes.
        $subnets = @($TargetObject.properties.subnets)
        if ($subnets.Length -eq 0 -or !$Assert.HasFieldValue($TargetObject, 'properties.subnets').Result) {
            $Assert.Pass();
        }
        else {
            foreach ($subnet in $subnets) {
                # Between 1 and 80 characters long
                $Assert.GreaterOrEqual($subnet, 'Name', 1)
                $Assert.LessOrEqual($subnet, 'Name', 80)

                # Alphanumerics, underscores, periods, and hyphens.
                # Start with alphanumeric. End alphanumeric or underscore.
                # The {0,79} quantifier counts groups, not characters, so the length limit
                # is enforced by the two assertions above rather than by the pattern.
                # NOTE(review): if Match uses .NET regex semantics, \w also matches
                # non-ASCII letters and digits - confirm that is intended.
                $subnet | Match 'Name' '^[A-Za-z0-9]((-|\.)*\w){0,79}$'
            }
        }
    }
    elseif ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks/subnets') {
        # Subnet target: the name checked is the last '/'-separated segment of the target name.
        $nameParts = $PSRule.TargetName.Split('/');
        $name = $nameParts[-1];

        # Between 1 and 80 characters long
        $Assert.GreaterOrEqual($name, '.', 1)
        $Assert.LessOrEqual($name, '.', 80)

        # Alphanumerics, underscores, periods, and hyphens.
        # Start with alphanumeric. End alphanumeric or underscore.
        $name | Match '.' '^[A-Za-z0-9]((-|\.)*\w){0,79}$'
    }
}

# Synopsis: VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.
Rule 'Azure.VNET.BastionSubnet' -Ref 'AZR-000314' -Type 'Microsoft.Network/virtualNetworks' -If { HasGatewaySubnet } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Reliability'; } {
    # Only evaluated when HasGatewaySubnet is true (-If above); the subnet names of the
    # VNET must then include 'AzureBastionSubnet'.
    $subnets = @(GetVirtualNetworkSubnetNames)
    $Assert.In($subnets, '.', @('AzureBastionSubnet')).ReasonFrom('properties.subnets', $LocalizedData.SubnetNotFound, 'AzureBastionSubnet')
}

# Synopsis: Use Azure Firewall to filter network traffic to and from Azure resources.
Rule 'Azure.VNET.FirewallSubnet' -Ref 'AZR-000322' -Type 'Microsoft.Network/virtualNetworks' -If { HasGatewaySubnet } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
    # Only evaluated when HasGatewaySubnet is true (-If above); the subnet names of the
    # VNET must then include 'AzureFirewallSubnet'. The rule checks that the subnet exists,
    # not that a firewall is deployed into it.
    # NOTE(review): names are compared as emitted by GetVirtualNetworkSubnetNames, while
    # Azure.VNET.FirewallSubnetNAT below also accepts a '*/AzureFirewallSubnet' form -
    # confirm sub-resource names cannot arrive in that form here.
    $subnets = @(GetVirtualNetworkSubnetNames)
    $Assert.In($subnets, '.', @('AzureFirewallSubnet')).ReasonFrom('properties.subnets', $LocalizedData.SubnetNotFound, 'AzureFirewallSubnet')
}

# Synopsis: Zonal-deployed Azure Firewalls should consider using an Azure NAT Gateway for outbound access.
Rule 'Azure.VNET.FirewallSubnetNAT' -Ref 'AZR-000448' -Level 'Warning' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -If { $Configuration.GetBoolOrDefault('AZURE_FIREWALL_IS_ZONAL', $False) } -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Reliability'; } {
    # Opt-in rule: runs only when the AZURE_FIREWALL_IS_ZONAL option is true (default $False).
    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
        # Collect firewall subnets from both the inline subnets and the subnet sub-resources.
        # A name matches either exactly or as the last segment of a 'parent/name' form.
        $subnets = @(
            $TargetObject.properties.subnets | Where-Object { $null -ne $_ -and ($_.name -eq 'AzureFirewallSubnet' -or $_.name -like '*/AzureFirewallSubnet') }
            GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets' | Where-Object { $null -ne $_ -and ($_.name -eq 'AzureFirewallSubnet' -or $_.name -like '*/AzureFirewallSubnet') }
        )
    }
    else {
        # Subnet target: keep it only when it is the firewall subnet.
        $subnets = @($TargetObject | Where-Object { $_.name -eq 'AzureFirewallSubnet' -or $_.name -like '*/AzureFirewallSubnet' })
    }

    # No firewall subnet in scope: the rule passes.
    if ($subnets.Count -eq 0) {
        return $Assert.Pass()
    }

    # Each firewall subnet must reference a NAT gateway.
    foreach ($subnet in $subnets) {
        $Assert.HasFieldValue($subnet, 'properties.natGateway.id').Reason($LocalizedData.FirewallSubnetNAT)
    }
}

# Synopsis: Disable default outbound access for virtual machines.
Rule 'Azure.VNET.PrivateSubnet' -Ref 'AZR-000447' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } {
    # Subnets this rule does not check: the four reserved names below and any subnet
    # that has delegations. This list is fixed in the rule; no configuration option is read here.
    $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'AzureBastionSubnet')

    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
        # Virtual network target: take inline subnets and subnet sub-resources, dropping
        # null entries, delegated subnets and excluded names.
        $subnets = @(
            $TargetObject.properties.subnets | Where-Object { $null -ne $_ -and -not $_.properties.delegations -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.name) -notin $excludedSubnets }
            GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets' | Where-Object { $null -ne $_ -and -not $_.properties.delegations -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.name) -notin $excludedSubnets }
        )
    }
    else {
        # Subnet target: the same delegation and name filters applied to the single subnet.
        $subnets = @($TargetObject | Where-Object { -not $_.properties.delegations -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.name) -notin $excludedSubnets } )
    }

    # Nothing left to check after filtering: the rule passes.
    if ($subnets.Count -eq 0) {
        return $Assert.Pass()
    }

    # A remaining subnet passes only when properties.defaultOutboundAccess is set to $false;
    # a subnet where the property is missing does not satisfy the assertion.
    foreach ($subnet in $subnets) {
        $Assert.HasFieldValue($subnet, 'properties.defaultOutboundAccess', $false).Reason($LocalizedData.PrivateSubnet, $subnet.name)
    }
}

# Synopsis: Use standard virtual networks names.
Rule 'Azure.VNET.Naming' -Ref 'AZR-000474' -Type 'Microsoft.Network/virtualNetworks' -If { $Configuration['AZURE_VNET_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
    # Runs only when AZURE_VNET_NAME_FORMAT is not an empty string (-If above); the target
    # name is then matched against that configured pattern.
    # NOTE(review): the trailing $True is presumably the case-sensitive flag - confirm.
    $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_VNET_NAME_FORMAT, $True);
}

# Synopsis: Use standard subnets names.
Rule 'Azure.VNET.SubnetNaming' -Ref 'AZR-000475' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -If { $Configuration['AZURE_VNET_SUBNET_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
    # Runs only when AZURE_VNET_SUBNET_NAME_FORMAT is not an empty string (-If above).
    # The reserved subnet names below pass without being matched against the configured pattern.
    $excludedSubnets = @('GatewaySubnet', 'AzureBastionSubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet');
    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
        # Virtual network target: check every subnet returned by GetVirtualNetworkSubnets.
        $subnets = @(GetVirtualNetworkSubnets | Where-Object { $null -ne $_ });
        if ($subnets.Length -eq 0) {
            $Assert.Pass();
        }

        foreach ($subnet in $subnets) {
            $name = [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($subnet.Name);
            if ($name -in $excludedSubnets) {
                $Assert.Pass();
            }
            else {
                $Assert.Match($name, '.', $Configuration.AZURE_VNET_SUBNET_NAME_FORMAT, $True);
            }
        }
    }
    elseif ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks/subnets') {
        # Subnet target: the same exclusion and pattern check applied to the target's own name.
        $name = [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($PSRule.TargetName);
        if ($name -in $excludedSubnets) {
            $Assert.Pass();
        }
        else {
            $Assert.Match($name, '.', $Configuration.AZURE_VNET_SUBNET_NAME_FORMAT, $True);
        }
    }
}

#endregion Virtual Network

#region Helper functions

# Precondition helper: true when the target has a subnet named exactly 'GatewaySubnet',
# either inline or among its subnet sub-resources.
# NOTE(review): the comparison is an exact -eq on the name, while Azure.VNET.FirewallSubnetNAT
# in this file also accepts a '*/<name>' form. If a sub-resource name can arrive as
# 'parent/GatewaySubnet' this returns false and the rules gated on it (BastionSubnet,
# FirewallSubnet) are not evaluated - confirm.
function global:HasGatewaySubnet {
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param ()
    process {
        ($TargetObject.Properties.subnets | Where-Object { $_.name -eq 'GatewaySubnet' }) -or
        (@(GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets' | Where-Object { $_.name -eq 'GatewaySubnet' }))
    }
}

# Emits the name of each inline subnet, then the name of each subnet sub-resource.
# Names are emitted as stored; no GetSubResourceName normalisation is applied here.
function global:GetVirtualNetworkSubnetNames {
    [CmdletBinding()]
    [OutputType([PSObject])]
    param ()
    process {
        $TargetObject.Properties.subnets | ForEach-Object { $_.name }
        GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets', 'subnets' | ForEach-Object { $_.name }
    }
}

# Emits the inline subnet objects of the target, then its subnet sub-resources.
function global:GetVirtualNetworkSubnets {
    [CmdletBinding()]
    [OutputType([PSObject])]
    param ()
    process {
$TargetObject.Properties.subnets GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets', 'subnets' } } #endregion Helper functions # SIG # Begin signature block # MIIoKQYJKoZIhvcNAQcCoIIoGjCCKBYCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCADT2FFxr++b/jZ # pcBULj7uOVNwjulNZdRM40yf77eEJqCCDXYwggX0MIID3KADAgECAhMzAAAEhV6Z # 7A5ZL83XAAAAAASFMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjUwNjE5MTgyMTM3WhcNMjYwNjE3MTgyMTM3WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDASkh1cpvuUqfbqxele7LCSHEamVNBfFE4uY1FkGsAdUF/vnjpE1dnAD9vMOqy # 5ZO49ILhP4jiP/P2Pn9ao+5TDtKmcQ+pZdzbG7t43yRXJC3nXvTGQroodPi9USQi # 9rI+0gwuXRKBII7L+k3kMkKLmFrsWUjzgXVCLYa6ZH7BCALAcJWZTwWPoiT4HpqQ # hJcYLB7pfetAVCeBEVZD8itKQ6QA5/LQR+9X6dlSj4Vxta4JnpxvgSrkjXCz+tlJ # 67ABZ551lw23RWU1uyfgCfEFhBfiyPR2WSjskPl9ap6qrf8fNQ1sGYun2p4JdXxe # UAKf1hVa/3TQXjvPTiRXCnJPAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUuCZyGiCuLYE0aU7j5TFqY05kko0w # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwNTM1OTAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBACjmqAp2Ci4sTHZci+qk # tEAKsFk5HNVGKyWR2rFGXsd7cggZ04H5U4SV0fAL6fOE9dLvt4I7HBHLhpGdE5Uj # Ly4NxLTG2bDAkeAVmxmd2uKWVGKym1aarDxXfv3GCN4mRX+Pn4c+py3S/6Kkt5eS # 
DAIIsrzKw3Kh2SW1hCwXX/k1v4b+NH1Fjl+i/xPJspXCFuZB4aC5FLT5fgbRKqns # WeAdn8DsrYQhT3QXLt6Nv3/dMzv7G/Cdpbdcoul8FYl+t3dmXM+SIClC3l2ae0wO # lNrQ42yQEycuPU5OoqLT85jsZ7+4CaScfFINlO7l7Y7r/xauqHbSPQ1r3oIC+e71 # 5s2G3ClZa3y99aYx2lnXYe1srcrIx8NAXTViiypXVn9ZGmEkfNcfDiqGQwkml5z9 # nm3pWiBZ69adaBBbAFEjyJG4y0a76bel/4sDCVvaZzLM3TFbxVO9BQrjZRtbJZbk # C3XArpLqZSfx53SuYdddxPX8pvcqFuEu8wcUeD05t9xNbJ4TtdAECJlEi0vvBxlm # M5tzFXy2qZeqPMXHSQYqPgZ9jvScZ6NwznFD0+33kbzyhOSz/WuGbAu4cHZG8gKn # lQVT4uA2Diex9DMs2WHiokNknYlLoUeWXW1QrJLpqO82TLyKTbBM/oZHAdIc0kzo # STro9b3+vjn2809D0+SOOCVZMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # 
VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGgkwghoFAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAASFXpnsDlkvzdcAAAAABIUwDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIE3deUGkMCuLVTyqo0UmwUB5 # OAmmnDDYQftQmPL4FzOSMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAIWN3VmxIvY3/OUk8kSoy0Lxq0DQShxpCAXd1/KA7YDhoH1QzDAvfh6BN # oIU+R6o0YQ5CP9nlvhPR3ti5U9frUHVdpo21wkIvQUs/xyERuetWC+6T5BFM5XQV # 
lDylp0Jac5VYyX6cjgt3LT4iagxpN2n8mafByCX86K1iE4me7qXLP922jM+zR/cv # xRu/+sDIdlKy2Gs9z7xlOoc/ar5OGa3ZVKg44/tem5LRkUOFBPwEvm/pN0SLBAJE # F5IethHRSLWoghnf/SUr855LUyVbLVM2TsI6ZXqubfS2JPh0LFjiQXgS7V9FLHWy # mSgAcN5OGrpmUGsvP56dydWNFjmeFKGCF5MwghePBgorBgEEAYI3AwMBMYIXfzCC # F3sGCSqGSIb3DQEHAqCCF2wwghdoAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFRBgsq # hkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCAroXq1PVOVF29yzo1nZCiQ9rrl5omGEq/qid4e56+CoQIGaTqxd7Ld # GBIyMDI2MDEwODAzMDIzNS44M1owBIACAfSggdGkgc4wgcsxCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy # aWNhIE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjpBNDAwLTA1 # RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCC # EeowggcgMIIFCKADAgECAhMzAAACAnlQdCEUfbihAAEAAAICMA0GCSqGSIb3DQEB # CwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTI1MDEzMDE5NDI0 # NFoXDTI2MDQyMjE5NDI0NFowgcsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMx # JzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjpBNDAwLTA1RTAtRDk0NzElMCMGA1UE # AxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCAiIwDQYJKoZIhvcNAQEB # BQADggIPADCCAgoCggIBALd5Knpy5xQY6Rw+Di8pYol8RB6yErZkGxhTW0Na9C7o # v2Wn52eqtqMh014fUc3ejPeKIagla43YdU1mRw63fxpYZ5szSBRQ60+O4uG47l3r # tilCwcEkBaFy978xV2hA+PWeOICNKI6svzEVqsUsjjpEfw14OEA9dwmlafsAjMLI # iNk5onYNYD7pDA3PCqMGAil/WFYXCoe88R53LSei1du1Z9P28JIv2x0Mror8cf0e # xpjnAuZRQHtJ+4sajU5YSbownIbaOLGqL03JGjKl0Xx1HKNbEpGXYnHC9t62UNOK # jrpeWJM5ySrZGAz5mhxkRvoSg5213RcqHcvPHb0CEfGWT7p4jBq+Udi44tkMqh08 # 5U3qPUgn1uuiVjqZluhDnU6p7mcQzmH9YlfbwYtmKgSQk3yo57k/k/ZjH0eg6ou6 # BfTSoLPGrgEObzEfzkcrG8oI7kqKSilpEYa1CVeMPK6wxaWsdzJK3noOEvh1xWef # 
t0W8vnTO9CUVkyFWh6FZJCSRa5SUIKog6tN7tFuadt0miwf7uUL6fneCcrLg6hnO # 5R6rMKdIHUk1c8qcmiM/cN7nHCymLm1S9AU1+V8ZOyNmBACAMF2D8M7RMaAtEMq9 # lAJnmoi5elBHKDfvJznV73nPxTabKxTRedKlZ6KAeqTI4C0N9wimrka/sdX51rZH # AgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQU2ga5tQ+M/Z/yJ+Qgq/DLWuVIdNkwHwYD # VR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYDVR0fBFgwVjBUoFKgUIZO # aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIw # VGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwGCCsGAQUFBwEBBGAwXjBc # BggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0 # cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcnQwDAYD # VR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMC # B4AwDQYJKoZIhvcNAQELBQADggIBAIPzdoVBTE3fseQ6gkMzWZocVlVQZypNBw+c # 4PpShhEyYMq/QZpseUTzYBiAs+5WW6Sfse0k8XbPSOdOAB9EyfbokUs8bs79dsor # bmGsE8nfSUG7CMBNW3nxQDUFajuWyafKu6v/qHwAXOtfKte2W/NBippFhj2TRQVj # kYz6f1hoQQrYPbrx75r4cOZZ761gvYf707hDUxAtqD5yI3AuSP/5CXGleJai70q8 # A/S0iT58fwXfDDlU5OL1pn36o+OzPDfUfid22K8FlofmzlugmYfYlu0y5/bLuFJ0 # l0TRRbYHQURk8siZ6aUqGyUk1WoQ7tE+CXtzzVC5VI7nx9+mZvC1LGFisRLdWw+C # Vef04MXsOqY8wb8bKwHij9CSk1Sr7BLts5FM3Oocy0f6it3ZhKZr7VvJYGv+LMgq # CA4J0TNpkN/KbXYYzprhL4jLoBQinv8oikCZ9Z9etwwrtXsQHPGh7OQtEQRYjhe0 # /CkQGe05rWgMfdn/51HGzEvS+DJruM1+s7uiLNMCWf/ZkFgH2KhR6huPkAYvjmba # ZwpKTscTnNRF5WQgulgoFDn5f/yMU7X+lnKrNB4jX+gn9EuiJzVKJ4td8RP0RZkg # GNkxnzjqYNunXKcr1Rs2IKNLCZMXnT1if0zjtVCzGy/WiVC7nWtVUeRI2b6tOsvA # rW2+G/SZMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAAAAAAFTANBgkqhkiG # 9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO # BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy # MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw # MTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt # ZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # 
AOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+F2Az # /1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU88V2 # 9YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqYO7oa # ezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzpcGkN # yjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSueik3rMvrg0XnRm7K # MtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1zcRf # NN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZNN3SU # HDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLRvWoY # WmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTYuVD5 # C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUXk8A8 # FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB2TAS # BgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKRPEY1 # Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0gBFUw # UzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNy # b3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQMMAoG # CCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIB # hjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fO # mhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9w # a2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggr # BgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNv # bS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqGSIb3 # DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOXPTEz # tTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6cqYJW # AAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/zjj3G # 82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz/Aye # ixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyRgNI9 # 5ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdUbZ1j # dEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo3GcZ # KCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4Ku+xB # 
Zj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10CgaiQuP # Ntq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9vMvp # e784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGCA00w # ggI1AgEBMIH5oYHRpIHOMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScw # JQYDVQQLEx5uU2hpZWxkIFRTUyBFU046QTQwMC0wNUUwLUQ5NDcxJTAjBgNVBAMT # HE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAEmJ # SGkJYD/df+NnIjLTJ7pEnAvOoIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTAwDQYJKoZIhvcNAQELBQACBQDtCW5hMCIYDzIwMjYwMTA3MjM0NDMz # WhgPMjAyNjAxMDgyMzQ0MzNaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAO0JbmEC # AQAwBwIBAAICHlIwBwIBAAICEwQwCgIFAO0Kv+ECAQAwNgYKKwYBBAGEWQoEAjEo # MCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG # 9w0BAQsFAAOCAQEAW+BznjH+xPvE8N9A4qS1m0wfZse+1tUh9NGyiLqZcJnkUTfS # RPGixHjkqHkEv7GvoKRykvekcu9LZYYk4k6vJsQWgPgwq6Ha905vMpkbsmiC755+ # Sw1nkOof14tqbVRcjkAHFGG+MEofmL18ykx9gyHo85MOFhb0DxosIvb5+udU/z2U # hqA/0TQTSmOuYHXVew47okM/3CHJJ03kZMwx2tvtkQiys5t6mMhCt/VnrA/E/OEy # PmWj9Wr68+rH4cy6mqkf19SzEY0NPaoh/2zo7H9gEtLgNvApHqZPEpeTNQe792BP # D/O479nRWkRVfGurbnbkVtt/k5/bnMOPZEvdajGCBA0wggQJAgEBMIGTMHwxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv # c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAACAnlQdCEUfbihAAEAAAICMA0G # CWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJ # KoZIhvcNAQkEMSIEIL/dczzIa1RYFyAOh9yxqto5PO7oPWpjsppdoLAFcnKpMIH6 # BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQg843qARgHlsvNcta5SYvxl3zFcCyp # eSx50XKiV8yUX+wwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # 
cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx # MAITMwAAAgJ5UHQhFH24oQABAAACAjAiBCC/U+u0mrFNP9d3RD/6cif8vi0OXVKl # NZjc1Fh6M6ZTmTANBgkqhkiG9w0BAQsFAASCAgAJfQCz1Wbd01HQpUKEORqft1FW # KjlNP4KhTvs3x5oIfvJPpq7718aL5qB2oSrFwb1Qy2FpQQ7ltp7/XNCEi/BWyjeU # Bhw1YFMC7MUXqyIeoTr2IlUQTMcoAv0KWYsP6pByS+dxvhXEJccq4ildaP+kdhR8 # hBmJemG85yKMsKu10P/WvPegd5/xWzMkitSFFH4jpQsNqvPFEAl0rn8gYminwlDt # iPQaJPc4E6AAURLa9jsXHAGvc22+X8RNoxry5TqF0Uti9ssLiCOrFaly5UzEBRZj # sCn0gLIGhxn/cQ8Y+1q8bYfdOMeMa+cwjnasQkwYNq3nyKS0aHpu9ZaaOitnU4S6 # iphnJU9ISiN6d2Z6NC+EDdva1di1ZKY9d56LslfEy/yGU41M2HP45cwZR0ex9FHB # SU13VfQEb9E5whMauVOs5PZz0mRemXmQE58HsvfqxMfSyHH/kRftMEpUIdYaL9io # fWkN19a98iaLO0H9bR4c4xzHysCWLcef793Q3uu9C0Y6v5NwQeavfGnli6OiKQx3 # nEPt0EpkpC0mDQCBuSFKpgVpYVVH1+SCjFtcJnMbxPUNQ4kgxeGpqasdldkZlnf9 # tXTCqb+tSJHv7vJn7LuF7Kmld9SVuJ/N8YgxJTGpvrhx3a2kiQBsRS8KLcTL/lth # XKNbc+bKd2sn6ndAww== # SIG # End signature block |