Network Security Groups

Filters

  • Standard Value Filter (see Generic Filters)
  • ARM Resource Filters (see Generic Filters)
    • Metric Filter - Filter on metrics from Azure Monitor
    • Tag Filter - Filter on tag presence and/or values
    • Marked-For-Op Filter - Filter on tag that indicates a scheduled operation for a resource
  • ingress Filter based on Inbound Security Rules
    • ports: ports to include (0-65535 if not specified)
      • Examples: 80 (single port), 80-100 (range), 80,90-100 (comma-separated list of ports and ranges)
    • exceptPorts: ports to ignore (empty if not specified)
    • match: match operation; the filter includes NSGs whose rules cover every port in the list (all) or at least one of them (any)
      • Possible values: any, all
    • ipProtocol: TCP, UDP or *. Default: *
    • access: Allow, Deny

    Schema:

    {
      "access": {
        "enum": [
          "Allow",
          "Deny"
        ],
        "type": "string"
      },
      "exceptPorts": {
        "type": "string"
      },
      "ipProtocol": {
        "enum": [
          "TCP",
          "UDP",
          "*"
        ],
        "type": "string"
      },
      "match": {
        "enum": [
          "all",
          "any"
        ],
        "type": "string"
      },
      "ports": {
        "type": "string"
      }
    }
    
  • egress Filter based on Outbound Security Rules
    • ports: ports to include (0-65535 if not specified)
      • Examples: 80 (single port), 80-100 (range), 80,90-100 (comma-separated list of ports and ranges)
    • exceptPorts: ports to ignore (empty if not specified)
    • match: match operation; the filter includes NSGs whose rules cover every port in the list (all) or at least one of them (any)
      • Possible values: any, all
    • ipProtocol: TCP, UDP or *. Default: *
    • access: Allow, Deny

    Schema:

    {
      "access": {
        "enum": [
          "Allow",
          "Deny"
        ],
        "type": "string"
      },
      "exceptPorts": {
        "type": "string"
      },
      "ipProtocol": {
        "enum": [
          "TCP",
          "UDP",
          "*"
        ],
        "type": "string"
      },
      "match": {
        "enum": [
          "all",
          "any"
        ],
        "type": "string"
      },
      "ports": {
        "type": "string"
      }
    }
    

Actions

  • ARM Resource Actions (see Generic Actions)

  • open Allow access to security rules
    • ports: ports to include (0-65535 if not specified)
      • Examples: 80 (single port), 80-100 (range), 80,90-100 (comma-separated list of ports and ranges)
    • exceptPorts: ports to ignore (empty if not specified)
    • ipProtocol: TCP, UDP or *. Default: *
    • direction: Inbound, Outbound
    • access: Allow, Deny

    Schema:

    {
      "direction": {
        "enum": [
          "Inbound",
          "Outbound"
        ],
        "type": "string"
      },
      "exceptPorts": {
        "type": "string"
      },
      "ipProtocol": {
        "enum": [
          "TCP",
          "UDP",
          "*"
        ],
        "type": "string"
      },
      "ports": {
        "type": "string"
      }
    }
    
  • close Deny access to security rules
    • ports: ports to include (0-65535 if not specified)
      • Examples: 80 (single port), 80-100 (range), 80,90-100 (comma-separated list of ports and ranges)
    • exceptPorts: ports to ignore (empty if not specified)
    • ipProtocol: TCP, UDP or *. Default: *
    • direction: Inbound, Outbound
    • access: Allow, Deny

    Schema:

    {
      "direction": {
        "enum": [
          "Inbound",
          "Outbound"
        ],
        "type": "string"
      },
      "exceptPorts": {
        "type": "string"
      },
      "ipProtocol": {
        "enum": [
          "TCP",
          "UDP",
          "*"
        ],
        "type": "string"
      },
      "ports": {
        "type": "string"
      }
    }
    

Example Policies

This policy denies inbound access to all ports that are NOT 22, 23 or 24 on every Network Security Group that currently allows inbound traffic on any other port

policies:
  - name: close-inbound-except-22-24
    resource: azure.networksecuritygroup
    filters:
      - type: ingress
        exceptPorts: '22-24'
        match: 'any'
        access: 'Allow'
    actions:
      - type: close
        exceptPorts: '22-24'
        direction: 'Inbound'

This policy finds all NSGs that have an inbound rule allowing port 80 and an inbound rule denying port 443, then opens port 443

policies:
  - name: close-egress-except-TCP
    resource: azure.networksecuritygroup
    filters:
      - type: ingress
        ports: '80'
        access: 'Allow'
      - type: ingress
        ports: '443'
        access: 'Deny'
    actions:
      - type: open
        ports: '443'
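The filter parameters described above (ports, exceptPorts, match, ipProtocol, access) and the two example policies can be exercised against sample data with the following model. It is an added example, not Cloud Custodian's own code, and it does not call the c7n_azure API: the NSG rule records are constructed, and the model assumes one port spec per rule, ignores rule priority and shadowing, and treats a rule whose protocol is * as covering both TCP and UDP.

```python
# Added example (not Cloud Custodian's code): a stand-alone model of how the
# ingress/egress filter parameters combine, run against constructed NSG rules.
# Assumptions: one port spec per rule, no priority/shadowing, and a rule with
# protocol "*" covers TCP and UDP.
from typing import Dict, List, Optional, Set

MAX_PORT = 65535


def parse_ports(spec: Optional[str]) -> Set[int]:
    """Expand '80', '80-100' or '80,90-100' into a set of port numbers.
    None, '' or '*' means the full 0-65535 range (the page's default for `ports`)."""
    if not spec or spec.strip() == "*":
        return set(range(0, MAX_PORT + 1))
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low, high = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= low <= high <= MAX_PORT:
            raise ValueError(f"invalid port spec: {part!r}")
        ports.update(range(low, high + 1))
    return ports


def effective_ports(ports: Optional[str] = None,
                    except_ports: Optional[str] = None) -> Set[int]:
    """`ports` to include minus `exceptPorts` to ignore (exceptPorts defaults to none)."""
    excluded = parse_ports(except_ports) if except_ports else set()
    return parse_ports(ports) - excluded


def protocol_covers(rule_protocol: str, wanted: str) -> bool:
    # Assumption: "*" on either side matches any protocol.
    return wanted == "*" or rule_protocol == "*" or rule_protocol.upper() == wanted.upper()


def nsg_matches(rules: List[Dict], direction: str, access: str, ports=None,
                except_ports=None, ip_protocol="*", match="any") -> bool:
    """Model of the ingress (direction='Inbound') / egress ('Outbound') filter:
    do this NSG's rules with the given access cover the wanted ports?"""
    if match not in ("any", "all"):
        raise ValueError("match must be 'any' or 'all'")
    wanted = effective_ports(ports, except_ports)
    covered: Set[int] = set()
    for rule in rules:
        if rule["direction"] != direction or rule["access"] != access:
            continue
        if not protocol_covers(rule["protocol"], ip_protocol):
            continue
        covered |= parse_ports(rule["ports"]) & wanted
    if not wanted:
        return False
    return covered == wanted if match == "all" else bool(covered)


def policy_selects(rules: List[Dict], filters: List[Dict]) -> bool:
    """Every filter in a policy's `filters` list must match (they are AND-ed)."""
    for f in filters:
        direction = "Inbound" if f["type"] == "ingress" else "Outbound"
        if not nsg_matches(rules, direction, f["access"], f.get("ports"),
                           f.get("exceptPorts"), f.get("ipProtocol", "*"),
                           f.get("match", "any")):
            return False
    return True


# Constructed sample NSGs (not real resources).
WEB_NSG = [
    {"name": "allow-ssh", "direction": "Inbound", "access": "Allow", "protocol": "TCP", "ports": "22"},
    {"name": "allow-http", "direction": "Inbound", "access": "Allow", "protocol": "TCP", "ports": "80"},
    {"name": "deny-https", "direction": "Inbound", "access": "Deny", "protocol": "*", "ports": "443"},
    {"name": "allow-all-out", "direction": "Outbound", "access": "Allow", "protocol": "*", "ports": "*"},
]
SSH_ONLY_NSG = [WEB_NSG[0], WEB_NSG[3]]

# The two example policies from this page, as their filter lists.
CLOSE_INBOUND_EXCEPT_22_24 = [
    {"type": "ingress", "exceptPorts": "22-24", "match": "any", "access": "Allow"},
]
OPEN_443_WHERE_80_OPEN = [
    {"type": "ingress", "ports": "80", "access": "Allow"},
    {"type": "ingress", "ports": "443", "access": "Deny"},
]

if __name__ == "__main__":
    for label, nsg in (("web", WEB_NSG), ("ssh-only", SSH_ONLY_NSG)):
        print(label, "close-inbound-except-22-24:", policy_selects(nsg, CLOSE_INBOUND_EXCEPT_22_24))
        print(label, "open-443-where-80-open:", policy_selects(nsg, OPEN_443_WHERE_80_OPEN))
```

The ssh-only NSG is the case exceptPorts exists for: its only inbound Allow rule is on port 22, which the first policy excludes, so that NSG is not selected and the close action never touches it. The match parameter matters only when ports lists more than one port: with ports '80,443' and access Allow, the web NSG matches under any (port 80 is allowed) but not under all (443 is denied).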