From 983741097db8ceab2eca373237d448cf68668c60 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Fri, 26 Jul 2019 08:47:01 +1000 Subject: [PATCH] Deny all inbound NSG rule #94 #93 #92 #103 (#104) --- .vscode/settings.json | 20 +- CHANGELOG.md | 5 + .../Azure.VirtualNetwork.LateralTraversal.md | 23 ++ .../en-US/Azure.VirtualNetwork.NICAttached.md | 19 ++ .../Azure.VirtualNetwork.NSGAssociated.md | 19 ++ .../Azure.VirtualNetwork.NSGDenyAllInbound.md | 25 ++ docs/rules/en-US/Azure.md | 5 + .../rules/Azure.Common.Rule.ps1 | 8 + .../rules/Azure.VirtualNetwork.Rule.ps1 | 60 +++- .../Azure.VirtualNetwork.Tests.ps1 | 64 ++++ .../Resources.VirtualNetwork.json | 303 ++++++++++++++++++ 11 files changed, 547 insertions(+), 4 deletions(-) create mode 100644 docs/rules/en-US/Azure.VirtualNetwork.LateralTraversal.md create mode 100644 docs/rules/en-US/Azure.VirtualNetwork.NICAttached.md create mode 100644 docs/rules/en-US/Azure.VirtualNetwork.NSGAssociated.md create mode 100644 docs/rules/en-US/Azure.VirtualNetwork.NSGDenyAllInbound.md diff --git a/.vscode/settings.json b/.vscode/settings.json index d19a2943931..cbdd2b8c3e6 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -19,15 +19,29 @@ }, "cSpell.words": [ "Kubernetes", + "NSGs", "OWASP", "RBAC", "SKUs", "VNET", + "VNETs", "cmdlet", "cmdlets", - "NSGs", + "endregion", + "lifecycle", + "nics", + "stateful", "subnet", - "subnets", - "VNETs" + "subnets" + ], + "cSpell.enabledLanguageIds": [ + "csharp", + "git-commit", + "markdown", + "plaintext", + "powershell", + "text", + "yaml", + "yml" ] } diff --git a/CHANGELOG.md b/CHANGELOG.md index 9fd96a9d972..8cb077ea888 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ - Enforce minimum TLS version for App Service. [#99](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/99) - Updated App Service site rules to include slots. [#100](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/100) - `Azure.AppService.ARRAffinity` and `Azure.AppService.UseHTTPS` now run against slots. +- Added rule to detect deny all inbound NSG rule. [#94](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/94) +- Added unused resource rules. + - Network security groups that are not associated. [#93](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/93) + - Unattached network interfaces. [#92](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/92) +- Added NSG rule to check for lateral traversal security rules. [#103](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/103) ## v0.3.0-B190710 (pre-release) diff --git a/docs/rules/en-US/Azure.VirtualNetwork.LateralTraversal.md b/docs/rules/en-US/Azure.VirtualNetwork.LateralTraversal.md new file mode 100644 index 00000000000..e307bf07383 --- /dev/null +++ b/docs/rules/en-US/Azure.VirtualNetwork.LateralTraversal.md @@ -0,0 +1,23 @@ +--- +severity: Important +category: Security configuration +online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualNetwork.LateralTraversal.md +--- + +# Limit lateral traversal + +## SYNOPSIS + +Deny outbound management connections from non-management hosts. + +## DESCRIPTION + +Network Security Groups (NSGs) allow virtual machines to be segmented from each other by enforcing access rules for all traffic in/ out of a virtual machine. + +This micro-segmentation approach provides a control to reduce lateral movement between hosts within Azure, a virtual network or an individual subnet. + +Typically, a subset of trusted hosts such as privileged access workstations, bastion hosts or jump boxes will be used for management. Management protocols originating from application workload hosts should be blocked. + +## RECOMMENDATION + +Consider configuring NSGs rules to block outbound management traffic from non-management hosts. diff --git a/docs/rules/en-US/Azure.VirtualNetwork.NICAttached.md b/docs/rules/en-US/Azure.VirtualNetwork.NICAttached.md new file mode 100644 index 00000000000..e4cf4f57dc1 --- /dev/null +++ b/docs/rules/en-US/Azure.VirtualNetwork.NICAttached.md @@ -0,0 +1,19 @@ +--- +severity: Awareness +category: Operations management +online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualNetwork.NICAttached.md +--- + +# Attach NIC or clean up + +## SYNOPSIS + +Network interfaces (NICs) should be attached. + +## DESCRIPTION + +NICs are deployed as resources separate from virtual machines. NICs that are not attached to a virtual machine perform no purpose. + +## RECOMMENDATION + +Consider cleaning up NICs that are not required to reduce management complexity. Also consider using Resource Groups to help manage the lifecycle of related resources together. diff --git a/docs/rules/en-US/Azure.VirtualNetwork.NSGAssociated.md b/docs/rules/en-US/Azure.VirtualNetwork.NSGAssociated.md new file mode 100644 index 00000000000..ec987dfe51c --- /dev/null +++ b/docs/rules/en-US/Azure.VirtualNetwork.NSGAssociated.md @@ -0,0 +1,19 @@ +--- +severity: Awareness +category: Operations management +online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualNetwork.NSGAssociated.md +--- + +# Associate NSGs or clean up + +## SYNOPSIS + +Network Security Groups (NSGs) should be associated. + +## DESCRIPTION + +NSGs basic stateful firewalls that are deployed as separate resources and can be associated to network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose. + +## RECOMMENDATION + +Consider cleaning up NSGs that are not required to reduce management complexity. Also consider using Resource Groups to help manage the lifecycle of related resources together. diff --git a/docs/rules/en-US/Azure.VirtualNetwork.NSGDenyAllInbound.md b/docs/rules/en-US/Azure.VirtualNetwork.NSGDenyAllInbound.md new file mode 100644 index 00000000000..5c9bfd9f4b0 --- /dev/null +++ b/docs/rules/en-US/Azure.VirtualNetwork.NSGDenyAllInbound.md @@ -0,0 +1,25 @@ +--- +severity: Important +category: Reliability +online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualNetwork.NSGDenyAllInbound.md +--- + +# Avoid denying all inbound traffic + +## SYNOPSIS + +Avoid denying all inbound traffic. + +## DESCRIPTION + +Network Security Groups can be configured to block all network traffic inbound to a virtual machine. + +Blocking all inbound traffic into a virtual machine will fail load balancer health probes and other required traffic. + +Inbound network traffic can be whitelisted by including allow rules above deny all inbound rule by specifying a lower priority number. Rules with a lower priority number will be process first. + +## RECOMMENDATION + +Deny all inbound rules should not use priority 100. The lowest configurable priority is 100, meaning that whitelisted network traffic rules can not be placed before the deny all. + +Consider whitelisting inbound network traffic as required. diff --git a/docs/rules/en-US/Azure.md b/docs/rules/en-US/Azure.md index 9ef4d1004c5..858fb5770dc 100644 --- a/docs/rules/en-US/Azure.md +++ b/docs/rules/en-US/Azure.md @@ -11,6 +11,7 @@ RuleName | Description | Category [Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Performance [Azure.AppService.ARRAffinity](Azure.AppService.ARRAffinity.md) | Disable client affinity for stateless services. | Performance [Azure.AppService.UseHTTPS](Azure.AppService.UseHTTPS.md) | Use HTTPS only. Disable HTTP when not required. | Security configuration +[Azure.AppService.MinTLS](Azure.AppService.MinTLS.md) | App Service should reject TLS versions older then 1.2. | Security configuration [Azure.DataFactory.Version](Azure.DataFactory.Version.md) | Consider migrating to DataFactory v2. | Operations management [Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Security configuration [Azure.MySQL.FirewallRuleCount](Azure.MySQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Operations management @@ -52,6 +53,9 @@ RuleName | Description | Category [Azure.VirtualNetwork.SingleDNS](Azure.VirtualNetwork.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Reliability [Azure.VirtualNetwork.LocalDNS](Azure.VirtualNetwork.LocalDNS.md) | Virtual networks (VNETs) should use Azure local DNS servers. | Reliability [Azure.VirtualNetwork.NSGAnyInboundSource](Azure.VirtualNetwork.NSGAnyInboundSource.md) | Network security groups should avoid any inbound rules. | Security configuration +[Azure.VirtualNetwork.NSGDenyAllInbound](Azure.VirtualNetwork.NSGDenyAllInbound.md) | Avoid denying all inbound traffic. | Reliability +[Azure.VirtualNetwork.LateralTraversal](Azure.VirtualNetwork.LateralTraversal.md) | Deny outbound management connections from non-management hosts. | Security configuration +[Azure.VirtualNetwork.NSGAssociated](Azure.VirtualNetwork.NSGAssociated.md) | Network Security Groups (NSGs) should be associated. | Operations management [Azure.VirtualNetwork.AppGwMinInstance](Azure.VirtualNetwork.AppGwMinInstance.md) | Application Gateways should use a minimum of two instances. | Reliability [Azure.VirtualNetwork.AppGwMinSku](Azure.VirtualNetwork.AppGwMinSku.md) | Application Gateway should use a minimum instance size of Medium. | Performance [Azure.VirtualNetwork.AppGwUseWAF](Azure.VirtualNetwork.AppGwUseWAF.md) | Internet accessible Application Gateways should use WAF. | Security configuration @@ -60,3 +64,4 @@ RuleName | Description | Category [Azure.VirtualNetwork.AppGwWAFEnabled](Azure.VirtualNetwork.AppGwWAFEnabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Security configuration [Azure.VirtualNetwork.AppGwOWASP](Azure.VirtualNetwork.AppGwOWASP.md) | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Security configuration [Azure.VirtualNetwork.AppGwWAFRules](Azure.VirtualNetwork.AppGwWAFRules.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Security configuration +[Azure.VirtualNetwork.NICAttached](Azure.VirtualNetwork.NICAttached.md) | Network interfaces (NICs) should be attached. | Operations management diff --git a/src/PSRule.Rules.Azure/rules/Azure.Common.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Common.Rule.ps1 index d8641ff0444..cca4c9080f6 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Common.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Common.Rule.ps1 @@ -32,6 +32,14 @@ function global:IsExport { } } +# Get a sorted list of NSG rules +function global:GetOrderedNSGRules { + param () + process { + $TargetObject.properties.securityRules | Sort-Object @{ Expression = { $_.Properties.priority }; Descending = $False } + } +} + function global:SupportsAcceleratedNetworking { process { if ($TargetObject.ResourceType -ne 'Microsoft.Compute/virtualMachines' -or !(IsExport)) { diff --git a/src/PSRule.Rules.Azure/rules/Azure.VirtualNetwork.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VirtualNetwork.Rule.ps1 index ce567acc8af..f6c8aa8ae91 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.VirtualNetwork.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.VirtualNetwork.Rule.ps1 @@ -2,6 +2,8 @@ # Validation rules for virtual networking # +#region Virtual Network + # Synopsis: Subnets should have NSGs assigned, except for the GatewaySubnet Rule 'Azure.VirtualNetwork.UseNSGs' -If { ResourceType 'Microsoft.Network/virtualNetworks' } -Tag @{ severity = 'Critical'; category = 'Security configuration' } { Recommend 'Subnets should have NSGs assigned' @@ -21,7 +23,7 @@ Rule 'Azure.VirtualNetwork.UseNSGs' -If { ResourceType 'Microsoft.Network/virtua # Synopsis: VNETs should have at least two DNS servers assigned Rule 'Azure.VirtualNetwork.SingleDNS' -If { ResourceType 'Microsoft.Network/virtualNetworks' } -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } { - # If DNS servers are customsied, at least two IP addresses should be defined + # If DNS servers are customized, at least two IP addresses should be defined if (!(Exists 'properties.dhcpOptions.dnsServers') -or ($TargetObject.properties.dhcpOptions.dnsServers.Count -eq 0)) { $True; } @@ -50,6 +52,10 @@ Rule 'Azure.VirtualNetwork.LocalDNS' -If { ResourceType 'Microsoft.Network/virtu } } +#endregion Virtual Network + +#region Network Security Group + # Synopsis: Network security groups should avoid any inbound rules Rule 'Azure.VirtualNetwork.NSGAnyInboundSource' -If { ResourceType 'Microsoft.Network/networkSecurityGroups' } -Tag @{ severity = 'Critical'; category = 'Security configuration' } { Recommend 'Avoid rules that apply to all source addresses' @@ -63,6 +69,47 @@ Rule 'Azure.VirtualNetwork.NSGAnyInboundSource' -If { ResourceType 'Microsoft.Ne $Null -eq $rules; } +# Synopsis: Avoid blocking all inbound network traffic +Rule 'Azure.VirtualNetwork.NSGDenyAllInbound' -If { ResourceType 'Microsoft.Network/networkSecurityGroups' } { + $denyRules = @(GetOrderedNSGRules | Where-Object { + $_.properties.direction -eq 'Inbound' -and + $_.properties.access -eq 'Deny' -and + $_.properties.sourceAddressPrefix -eq '*' + }) + $inboundRules = @(GetOrderedNSGRules | Where-Object { + $_.properties.direction -eq 'Inbound' + }) + + $Null -eq $denyRules -or $denyRules.Length -eq 0 -or $denyRules[0].name -ne $inboundRules[0].name +} + +# Synopsis: Lateral traversal from application servers should be blocked +Rule 'Azure.VirtualNetwork.LateralTraversal' -If { ResourceType 'Microsoft.Network/networkSecurityGroups' } { + $rules = @($TargetObject.properties.securityRules | Where-Object { + $_.properties.direction -eq 'Outbound' -and + $_.properties.access -eq 'Deny' -and + ( + $_.properties.destinationPortRange -eq '3389' -or + $_.properties.destinationPortRange -eq '22' + ) + }) + + $Null -ne $rules -and $rules.Length -gt 0 +} + +# Synopsis: Network security groups should be associated to either a subnet or network interface +Rule 'Azure.VirtualNetwork.NSGAssociated' -If { ResourceType 'Microsoft.Network/networkSecurityGroups' } { + $subnets = ($TargetObject.Properties.subnets | Measure-Object).Count; + $interfaces = ($TargetObject.Properties.networkInterfaces | Measure-Object).Count; + + # NSG should be associated to either a subnet or network interface + $subnets -gt 0 -or $interfaces -gt 0 +} + +#endregion Network Security Group + +#region Application Gateway + # Synopsis: Application Gateway should use a minimum of two instances Rule 'Azure.VirtualNetwork.AppGwMinInstance' -If { ResourceType 'Microsoft.Network/applicationGateways' } -Tag @{ severity = 'Important'; category = 'Reliability' } { AnyOf { @@ -114,3 +161,14 @@ Rule 'Azure.VirtualNetwork.AppGwWAFRules' -If { (IsAppGwWAF) } { $disabledRules = @($TargetObject.Properties.webApplicationFirewallConfiguration.disabledRuleGroups) $disabledRules.Count -eq 0 } + +#endregion Application Gateway + +#region Network Interface + +# Synopsis: Network interfaces should be attached +Rule 'Azure.VirtualNetwork.NICAttached' -If { ResourceType 'Microsoft.Network/networkInterfaces' } { + Exists 'Properties.virtualMachine.id' +} + +#endregion Network Interface diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.VirtualNetwork.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.VirtualNetwork.Tests.ps1 index 2303ba68771..438b5008306 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.VirtualNetwork.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.VirtualNetwork.Tests.ps1 @@ -83,6 +83,54 @@ Describe 'Azure.VirtualNetwork' -Tag 'Network' { $ruleResult.Length | Should -Be 1; $ruleResult.TargetName | Should -Be 'nsg-B'; + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -Be 'nsg-A', 'nsg-C'; + } + + It 'Azure.VirtualNetwork.NSGDenyAllInbound' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualNetwork.NSGDenyAllInbound' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'nsg-C'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -Be 'nsg-A', 'nsg-B'; + } + + It 'Azure.VirtualNetwork.LateralTraversal' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualNetwork.LateralTraversal' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'nsg-C'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'nsg-A', 'nsg-B'; + } + + It 'Azure.VirtualNetwork.NSGAssociated' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualNetwork.NSGAssociated' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -Be 'nsg-B', 'nsg-C'; + # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; @@ -217,5 +265,21 @@ Describe 'Azure.VirtualNetwork' -Tag 'Network' { $ruleResult.Length | Should -Be 1; $ruleResult.TargetName | Should -Be 'appgw-A'; } + + It 'Azure.VirtualNetwork.NICAttached' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualNetwork.NICAttached' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'nic-B'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'nic-A'; + } } } diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json b/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json index 883b4b9a737..5a82c037e10 100644 --- a/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json +++ b/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json @@ -935,6 +935,208 @@ "Tags": null, "SubscriptionId": "00000000-0000-0000-0000-000000000000" }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C", + "Location": "region", + "ResourceName": "nsg-C", + "Name": "nsg-C", + "Properties": { + "securityRules": [ + { + "name": "allow-dc-to-dc-inbound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/securityRules/allow-dc-to-dc-inbound", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "properties": { + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 300, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [ + "10.1.0.32/28", + "10.2.0.32/28", + "10.3.0.32/28" + ], + "destinationAddressPrefixes": [] + } + }, + { + "name": "deny-all-inbound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/securityRules/allow-rdp-inbound", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "*", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Deny", + "priority": 200, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefix": "*", + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "allow-dc-to-dc-outbound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/securityRules/allow-dc-to-dc-outbound", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "properties": { + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 300, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [ + "10.1.0.32/28", + "10.2.0.32/28", + "10.3.0.32/28" + ] + } + } + ], + "defaultSecurityRules": [ + { + "name": "AllowVnetInBound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/defaultSecurityRules/AllowVnetInBound", + "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules", + "properties": { + "description": "Allow inbound traffic from all VMs in VNET", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 65000, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "AllowAzureLoadBalancerInBound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/defaultSecurityRules/AllowAzureLoadBalancerInBound", + "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules", + "properties": { + "description": "Allow inbound traffic from azure load balancer", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "AzureLoadBalancer", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 65001, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "DenyAllInBound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/defaultSecurityRules/DenyAllInBound", + "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules", + "properties": { + "description": "Deny all inbound traffic", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 65500, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "AllowVnetOutBound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/defaultSecurityRules/AllowVnetOutBound", + "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules", + "properties": { + "description": "Allow outbound traffic from all VMs to all VMs in VNET", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 65000, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "AllowInternetOutBound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/defaultSecurityRules/AllowInternetOutBound", + "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules", + "properties": { + "description": "Allow outbound traffic from all VMs to Internet", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "Internet", + "access": "Allow", + "priority": 65001, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "DenyAllOutBound", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-C/defaultSecurityRules/DenyAllOutBound", + "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules", + "properties": { + "description": "Deny all outbound traffic", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 65500, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ], + "networkInterfaces": [] + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.Network/networkSecurityGroups", + "ResourceType": "Microsoft.Network/networkSecurityGroups", + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, { "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/appgw-A", "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/appgw-A", @@ -1481,5 +1683,106 @@ "ResourceType": "Microsoft.Network/applicationGateways", "Tags": null, "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkInterfaces/nic-A", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkInterfaces/nic-A", + "Location": "region", + "ResourceName": "nic-A", + "Name": "nic-A", + "Properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkInterfaces/nic-A/ipConfigurations/ipconfig1", + "type": "Microsoft.Network/networkInterfaces/ipConfigurations", + "properties": { + "provisioningState": "Succeeded", + "privateIPAddress": "10.0.0.4", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/publicIPAddresses/nic-A-pip" + }, + "subnet": { + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A" + }, + "primary": true, + "privateIPAddressVersion": "IPv4" + } + } + ], + "dnsSettings": { + "dnsServers": [ + "8.8.8.8" + ], + "appliedDnsServers": [ + "8.8.8.8" + ], + "internalDomainNameSuffix": "example.nn.internal.cloudapp.net" + }, + "macAddress": "00-00-00-00-00-00", + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "primary": true, + "virtualMachine": { + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Compute/virtualMachines/vm-A" + }, + "hostedWorkloads": [], + "tapConfigurations": [] + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.Network/networkInterfaces", + "ResourceType": "Microsoft.Network/networkInterfaces", + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkInterfaces/nic-B", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkInterfaces/nic-B", + "Location": "region", + "ResourceName": "nic-B", + "Name": "nic-B", + "Properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkInterfaces/nic-B/ipConfigurations/ipconfig1", + "type": "Microsoft.Network/networkInterfaces/ipConfigurations", + "properties": { + "provisioningState": "Succeeded", + "privateIPAddress": "10.0.0.5", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/publicIPAddresses/nic-B-pip" + }, + "subnet": { + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A" + }, + "primary": true, + "privateIPAddressVersion": "IPv4" + } + } + ], + "dnsSettings": { + "dnsServers": [ + "8.8.8.8" + ], + "appliedDnsServers": [ + "8.8.8.8" + ], + "internalDomainNameSuffix": "example.nn.internal.cloudapp.net" + }, + "macAddress": "00-00-00-00-00-00", + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "primary": true, + "hostedWorkloads": [], + "tapConfigurations": [] + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.Network/networkInterfaces", + "ResourceType": "Microsoft.Network/networkInterfaces", + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" } ]