azure.mgmt.network resources¶
azure.loadbalancer¶
Load Balancer Resource
- example
  This policy will filter load balancers with an ipv6 frontend public IP

  policies:
    - name: loadbalancer-with-ipv6-frontend
      resource: azure.loadbalancer
      filters:
        - type: frontend-public-ip
          key: properties.publicIPAddressVersion
          op: in
          value_type: normalize
          value: "ipv6"
- example
  This policy will find all load balancers with 1,000 or fewer transmitted packets over the last 72 hours

  policies:
    - name: notify-inactive-loadbalancer
      resource: azure.loadbalancer
      filters:
        - type: metric
          metric: PacketCount
          op: le
          aggregation: total
          threshold: 1000
          timeframe: 72
Filters¶
frontend-public-ip¶
Filters load balancers by frontend public ip.
- example

  policies:
    - name: loadbalancer-with-ipv6-frontend
      resource: azure.loadbalancer
      filters:
        - type: frontend-public-ip
          key: properties.publicIPAddressVersion
          op: in
          value_type: normalize
          value: "ipv6"
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  type:
    enum:
      - frontend-public-ip
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
required:
  - type
azure.networkinterface¶
Network Interface Resource
- example
  This policy will get Network Interfaces that have user-added routes.

  policies:
    - name: get-nic-with-user-routes
      resource: azure.networkinterface
      filters:
        - type: effective-route-table
          key: routes.value[].source
          op: in
          value_type: swap
          value: User
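The two value-filter options used in the examples above, `value_type: normalize` on the load balancer's frontend public IP and `value_type: swap` on the network interface's effective route table, are easy to misread: `normalize` lower-cases both sides before comparing, and `swap` reverses the operands so that `op: in` asks whether the policy value is an element of the resource's list rather than the other way round. The following is an added, simplified model of that evaluation written for this page; it is not Cloud Custodian's own code. The `resolve` helper handles only the dotted keys and `[]` list projection that the policies on this page use (a minimal JMESPath-like subset, an assumption about the key syntax), and the sample public IP and NIC documents are constructed for the example.

```python
# Added illustration of value_type normalize/swap; simplified model written for
# this page, not Cloud Custodian's own code. Sample resources are constructed.
from typing import Any, Callable, Dict, List

# Constructed sample: a frontend public IP with only the inspected field set.
PUBLIC_IP_V6 = {"name": "lb-frontend-ip", "properties": {"publicIPAddressVersion": "IPv6"}}
PUBLIC_IP_V4 = {"name": "lb-frontend-ip", "properties": {"publicIPAddressVersion": "IPv4"}}

# Constructed sample: NICs with their effective route table attached under
# "routes", matching the policy key "routes.value[].source".
NIC_WITH_USER_ROUTE = {
    "name": "nic-1",
    "routes": {"value": [
        {"source": "Default", "addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal"},
        {"source": "User", "addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance"},
    ]},
}
NIC_DEFAULT_ONLY = {
    "name": "nic-2",
    "routes": {"value": [
        {"source": "Default", "addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal"},
    ]},
}


def resolve(obj: Any, key: str) -> Any:
    """Resolve a dotted key; a segment ending in "[]" projects over a list.
    Minimal JMESPath-like subset (assumption), enough for the keys on this page."""
    current: List[Any] = [obj]
    projected = False
    for segment in key.split("."):
        project = segment.endswith("[]")
        name = segment[:-2] if project else segment
        nxt: List[Any] = []
        for item in current:
            if not isinstance(item, dict) or name not in item:
                continue
            val = item[name]
            if project:
                projected = True
                if isinstance(val, list):
                    nxt.extend(val)
            else:
                nxt.append(val)
        current = nxt
    if projected:
        return current            # projection always yields a list
    return current[0] if current else None


def normalize(val: Any) -> Any:
    """value_type: normalize -> strip and lower-case strings (lists element-wise)."""
    if isinstance(val, str):
        return val.strip().lower()
    if isinstance(val, list):
        return [normalize(v) for v in val]
    return val


# Operators used on this page; left operand is the resource value by default.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda r, v: r == v,
    "equal": lambda r, v: r == v,
    "ne": lambda r, v: r != v,
    "not-equal": lambda r, v: r != v,
    "in": lambda r, v: r in v,
    "ni": lambda r, v: r not in v,
    "not-in": lambda r, v: r not in v,
    "contains": lambda r, v: v in r,
}


def value_filter(resource: Any, key: str, op: str, value: Any, value_type: str = None) -> bool:
    """Evaluate one filter clause against one resource document."""
    resource_value = resolve(resource, key)
    if value_type == "normalize":
        resource_value, value = normalize(resource_value), normalize(value)
    elif value_type == "swap":
        # swap reverses the operands: op "in" now asks whether the policy
        # value is an element of the resource's list.
        resource_value, value = value, resource_value
    if resource_value is None or value is None:
        return False
    try:
        return OPS[op](resource_value, value)
    except TypeError:             # e.g. a list tested for membership in a string
        return False
```

Without `swap`, the NIC check evaluates `["Default", "User"] in "User"`, which cannot match, so the policy would never find a NIC; with `swap` it evaluates `"User" in ["Default", "User"]`, which is the intended question. Likewise `normalize` is what lets the policy value `"ipv6"` match the API's `"IPv6"`.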
Filters¶
effective-route-table¶
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  type:
    enum:
      - effective-route-table
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
required:
  - type
azure.networksecuritygroup¶
Network Security Group Resource
- example
  This policy will deny access to all ports that are NOT 22, 23 or 24 for all Network Security Groups

  policies:
    - name: close-inbound-except-22-24
      resource: azure.networksecuritygroup
      filters:
        - type: ingress
          exceptPorts: '22-24'
          match: 'any'
          access: 'Allow'
      actions:
        - type: close
          exceptPorts: '22-24'
          direction: 'Inbound'
- example
  This policy will find all NSGs with port 80 opened and port 443 closed, then it will open port 443

  policies:
    - name: close-egress-except-TCP
      resource: azure.networksecuritygroup
      filters:
        - type: ingress
          ports: '80'
          access: 'Allow'
        - type: ingress
          ports: '443'
          access: 'Deny'
      actions:
        - type: open
          ports: '443'
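The two NSG policies above hinge on how `ports`, `exceptPorts`, `access` and `match` combine: the first one selects every port except 22-24 and asks whether any of them is allowed inbound, the second selects single ports and asks whether the NSG allows 80 and denies 443. The following is an added, simplified model of that evaluation written for this page; it is not Cloud Custodian's own filter code. It assumes Azure NSG semantics for rule precedence (the rule with the lowest priority number that covers a port decides it) and treats a port that no rule covers as denied, in the spirit of Azure's default DenyAll rules; both are assumptions, and the NSG documents are constructed for the example with the rule fields flattened.

```python
# Added illustration of the ingress/egress port filter; simplified model written
# for this page, not Cloud Custodian's own code. Assumptions: lowest priority
# number wins, uncovered ports count as denied. Sample NSGs are constructed.
from typing import Dict, List, Set

ALL_PORTS: Set[int] = set(range(1, 65536))

# Constructed sample NSGs (rule fields flattened for brevity).
NSG_WEB = {"name": "nsg-web", "securityRules": [
    {"priority": 100, "direction": "Inbound", "protocol": "Tcp", "access": "Allow", "destinationPortRange": "22-24"},
    {"priority": 200, "direction": "Inbound", "protocol": "Tcp", "access": "Allow", "destinationPortRange": "80"},
    {"priority": 300, "direction": "Inbound", "protocol": "Tcp", "access": "Deny", "destinationPortRange": "443"},
]}
NSG_SSH_ONLY = {"name": "nsg-ssh-only", "securityRules": [
    {"priority": 100, "direction": "Inbound", "protocol": "Tcp", "access": "Allow", "destinationPortRange": "22-24"},
]}


def parse_ports(spec: str) -> Set[int]:
    """Expand a port spec such as '22-24', '80', '80,443' or '*' into a set of ports."""
    spec = spec.strip()
    if spec in ("", "*"):
        return set(ALL_PORTS)
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        low, high = int(lo), int(hi) if hi else int(lo)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(low, high + 1))
    return ports


def effective_access(rules: List[Dict], direction: str, ip_protocol: str = "*") -> Dict[int, bool]:
    """Map port -> True (allowed) / False (denied) for one direction.
    Rules are applied in priority order; the first rule covering a port decides it.
    Ports absent from the result were not covered by any rule."""
    decided: Dict[int, bool] = {}
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction:
            continue
        if ip_protocol != "*" and rule["protocol"].upper() not in (ip_protocol.upper(), "*"):
            continue
        for port in parse_ports(rule["destinationPortRange"]):
            decided.setdefault(port, rule["access"] == "Allow")
    return decided


def nsg_filter_matches(nsg: Dict, direction: str, access: str, ports: str = "",
                       except_ports: str = "", match: str = "all", ip_protocol: str = "*") -> bool:
    """Model of the ingress/egress filter: does the NSG give `access` to the selected ports?
    `except_ports` selects every port except those listed, otherwise `ports` selects
    (empty meaning all ports). `match` is 'all' (every selected port) or 'any'."""
    want_allowed = access == "Allow"
    if except_ports:
        selected = ALL_PORTS - parse_ports(except_ports)
    else:
        selected = parse_ports(ports)
    decided = effective_access(nsg["securityRules"], direction, ip_protocol)
    # Uncovered ports default to denied (assumption mirroring Azure's DenyAll defaults).
    hits = (decided.get(p, False) == want_allowed for p in selected)
    return all(hits) if match == "all" else any(hits)
```

Run against the constructed NSGs, the first policy's filter (`exceptPorts: '22-24'`, `match: 'any'`, `access: 'Allow'`) matches `nsg-web` because port 80 is allowed, and does not match `nsg-ssh-only`; the second policy's two filters both match `nsg-web` (80 allowed, 443 denied). Note that `match: 'all'` with `exceptPorts` would require every one of the other 65,532 ports to carry the given access, which is a much stricter question than `any`.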
Filters¶
egress¶
Filter Network Security Groups using opened/closed ports configuration
properties:
  access:
    enum:
      - Allow
      - Deny
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - TCP
      - UDP
      - '*'
    type: string
  match:
    enum:
      - all
      - any
    type: string
  ports:
    type: string
  type:
    enum:
      - egress
required:
  - type
ingress¶
Filter Network Security Groups using opened/closed ports configuration
properties:
  access:
    enum:
      - Allow
      - Deny
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - TCP
      - UDP
      - '*'
    type: string
  match:
    enum:
      - all
      - any
    type: string
  ports:
    type: string
  type:
    enum:
      - ingress
required:
  - type
Actions¶
close¶
Deny access to Security Rule
properties:
  direction:
    enum:
      - Inbound
      - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - TCP
      - UDP
      - '*'
    type: string
  ports:
    type: string
  type:
    enum:
      - close
required:
  - type
open¶
Allow access to Security Rule
properties:
  direction:
    enum:
      - Inbound
      - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - TCP
      - UDP
      - '*'
    type: string
  ports:
    type: string
  type:
    enum:
      - open
required:
  - type
azure.publicip¶
Public IP Resource
- example
  Finds all Public IPs in the subscription.

  policies:
    - name: find-all-public-ips
      resource: azure.publicip
Filters¶
azure.routetable¶
Route Table Resource
- example
  Finds all Route Tables in the subscription.

  policies:
    - name: find-all-route-tables
      resource: azure.routetable
Filters¶
azure.vnet¶
Virtual Networks Resource
- example
  This set of policies will find all Virtual Networks that do not have DDOS protection enabled.

  policies:
    - name: find-vnets-ddos-protection-disabled
      resource: azure.vnet
      filters:
        - type: value
          key: properties.enableDdosProtection
          op: equal
          value: False