Network Security Groups¶
Filters¶
- Standard Value Filter (see Generic Filters)
Model: NetworkSecurityGroup
- ARM Resource Filters (see Generic Filters)
Metric Filter - Filter on metrics from Azure Monitor
Tag Filter - Filter on tag presence and/or values
Marked-For-Op Filter - Filter on tag that indicates a scheduled operation for a resource
ingress
Filter based on Inbound Security Rules- ports: ports to include (0-65535 if not specified)
80, 80-100, 80,90-100
exceptPorts: ports to ignore (empty if not specified)
- match: match operation, filter includes NSGs with all or at least one port from the list.
-Possible values: any, all
ipProtocol: TCP, UDP or *. Default: *
access: Allow, Deny
properties: access: enum: - Allow - Deny type: string exceptPorts: type: string ipProtocol: enum: - TCP - UDP - '*' type: string match: enum: - all - any type: string ports: type: string type: enum: - ingress required: - type
egress
Filter based on Outbound Security Rules- ports: ports to include (0-65535 if not specified)
80, 80-100, 80,90-100
exceptPorts: ports to ignore (empty if not specified)
- match: match operation, filter includes NSGs with all or at least one port from the list.
-Possible values: any, all
ipProtocol: TCP, UDP or *. Default: *
access: Allow, Deny
properties: access: enum: - Allow - Deny type: string exceptPorts: type: string ipProtocol: enum: - TCP - UDP - '*' type: string match: enum: - all - any type: string ports: type: string type: enum: - egress required: - type
Actions¶
ARM Resource Actions (see Generic Actions)
open
Allow access to security rules- ports: ports to include (0-65535 if not specified)
80, 80-100, 80,90-100
exceptPorts: ports to ignore (empty if not specified)
ipProtocol: TCP, UDP or *. Default: *
direction: Inbound, Outbound
access: Allow, Deny
properties: direction: enum: - Inbound - Outbound type: string exceptPorts: type: string ipProtocol: enum: - TCP - UDP - '*' type: string ports: type: string type: enum: - open required: - type
close
Deny access to security rules- ports: ports to include (0-65535 if not specified)
80, 80-100, 80,90-100
exceptPorts: ports to ignore (empty if not specified)
ipProtocol: TCP, UDP or *. Default: *
direction: Inbound, Outbound
access: Allow, Deny
properties: direction: enum: - Inbound - Outbound type: string exceptPorts: type: string ipProtocol: enum: - TCP - UDP - '*' type: string ports: type: string type: enum: - close required: - type
Example Policies¶
This policy will deny access to all ports that are NOT 22, 23 or 24 for all Network Security Groups
policies:
- name: close-inbound-except-22-24
resource: azure.networksecuritygroup
filters:
- type: ingress
exceptPorts: '22-24'
match: 'any'
access: 'Allow'
actions:
- type: close
exceptPorts: '22-24'
direction: 'Inbound'
This policy will find all NSGs with port 80 opened and port 443 closed, then it will open port 443
policies:
- name: close-egress-except-TCP
resource: azure.networksecuritygroup
filters:
- type: ingress
ports: '80'
access: 'Allow'
- type: ingress
ports: '443'
access: 'Deny'
actions:
- type: open
ports: '443'