azure.networksecuritygroup

Network Security Group Resource

example

This policy will deny access to all ports that are NOT 22, 23 or 24 for all Network Security Groups

policies:
 - name: close-inbound-except-22-24
   resource: azure.networksecuritygroup
   filters:
    - type: ingress
      exceptPorts: '22-24'
      match: 'any'
      access: 'Allow'
   actions:
    - type: close
      exceptPorts: '22-24'
      direction: 'Inbound'
example

This policy will find all NSGs with port 80 opened and port 443 closed, then it will open port 443

policies:
  - name: close-egress-except-TCP
    resource: azure.networksecuritygroup
    filters:
     - type: ingress
       ports: '80'
       access: 'Allow'
     - type: ingress
       ports: '443'
       access: 'Deny'
    actions:
     - type: open
       ports: '443'

Filters

egress

Filter Network Security Groups using opened/closed ports configuration

properties:
  access:
    enum:
    - Allow
    - Deny
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - TCP
    - UDP
    - '*'
    type: string
  match:
    enum:
    - all
    - any
    type: string
  ports:
    type: string
  type:
    enum:
    - egress
required:
- type

ingress

Filter Network Security Groups using opened/closed ports configuration

properties:
  access:
    enum:
    - Allow
    - Deny
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - TCP
    - UDP
    - '*'
    type: string
  match:
    enum:
    - all
    - any
    type: string
  ports:
    type: string
  type:
    enum:
    - ingress
required:
- type

Actions

close

Deny access to Security Rule

properties:
  direction:
    enum:
    - Inbound
    - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - TCP
    - UDP
    - '*'
    type: string
  ports:
    type: string
  type:
    enum:
    - close
required:
- type

open

Allow access to Security Rule

properties:
  direction:
    enum:
    - Inbound
    - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - TCP
    - UDP
    - '*'
    type: string
  ports:
    type: string
  type:
    enum:
    - open
required:
- type