Network Security Groups

Filters

• Standard Value Filter (see Generic Filters)

  • Model: NetworkSecurityGroup

• ARM Resource Filters (see Generic Filters)

  • Metric Filter - Filter on metrics from Azure Monitor

  • Tag Filter - Filter on tag presence and/or values

  • Marked-For-Op Filter - Filter on tag that indicates a scheduled operation for a resource

• ingress Filter based on Inbound Security Rules

  • ports: ports to include (0-65535 if not specified)

    • 80, 80-100, 80,90-100

  • exceptPorts: ports to ignore (empty if not specified)

  • match: match operation, filter includes NSGs with all or at least one port from the list.

    -Possible values: any, all

  • ipProtocol: TCP, UDP or *. Default: *

  • access: Allow, Deny

  properties:
    access:
      enum:
      - Allow
      - Deny
      type: string
    exceptPorts:
      type: string
    ipProtocol:
      enum:
      - TCP
      - UDP
      - '*'
      type: string
    match:
      enum:
      - all
      - any
      type: string
    ports:
      type: string
    type:
      enum:
      - ingress
  required:
  - type
  

• egress Filter based on Outbound Security Rules

  • ports: ports to include (0-65535 if not specified)

    • 80, 80-100, 80,90-100

  • exceptPorts: ports to ignore (empty if not specified)

  • match: match operation, filter includes NSGs with all or at least one port from the list.

    -Possible values: any, all

  • ipProtocol: TCP, UDP or *. Default: *

  • access: Allow, Deny

  properties:
    access:
      enum:
      - Allow
      - Deny
      type: string
    exceptPorts:
      type: string
    ipProtocol:
      enum:
      - TCP
      - UDP
      - '*'
      type: string
    match:
      enum:
      - all
      - any
      type: string
    ports:
      type: string
    type:
      enum:
      - egress
  required:
  - type
  

Actions

• ARM Resource Actions (see Generic Actions)

• open Allow access to security rules

  • ports: ports to include (0-65535 if not specified)

    • 80, 80-100, 80,90-100

  • exceptPorts: ports to ignore (empty if not specified)

  • ipProtocol: TCP, UDP or *. Default: *

  • direction: Inbound, Outbound

  • access: Allow, Deny

  properties:
    direction:
      enum:
      - Inbound
      - Outbound
      type: string
    exceptPorts:
      type: string
    ipProtocol:
      enum:
      - TCP
      - UDP
      - '*'
      type: string
    ports:
      type: string
    type:
      enum:
      - open
  required:
  - type
  

• close Deny access to security rules

  • ports: ports to include (0-65535 if not specified)

    • 80, 80-100, 80,90-100

  • exceptPorts: ports to ignore (empty if not specified)

  • ipProtocol: TCP, UDP or *. Default: *

  • direction: Inbound, Outbound

  • access: Allow, Deny

  properties:
    direction:
      enum:
      - Inbound
      - Outbound
      type: string
    exceptPorts:
      type: string
    ipProtocol:
      enum:
      - TCP
      - UDP
      - '*'
      type: string
    ports:
      type: string
    type:
      enum:
      - close
  required:
  - type
  

Example Policies

This policy will deny access to all ports that are NOT 22, 23 or 24 for all Network Security Groups

policies:
 - name: close-inbound-except-22-24
   resource: azure.networksecuritygroup
   filters:
    - type: ingress
      exceptPorts: '22-24'
      match: 'any'
      access: 'Allow'
   actions:
    - type: close
      exceptPorts: '22-24'
      direction: 'Inbound'

This policy will find all NSGs with port 80 opened and port 443 closed, then it will open port 443

policies:
  - name: close-egress-except-TCP
    resource: azure.networksecuritygroup
    filters:
     - type: ingress
       ports: '80'
       access: 'Allow'
     - type: ingress
       ports: '443'
       access: 'Deny'
    actions:
     - type: open
       ports: '443'