azure.networksecuritygroup
Network Security Group Resource
Example:
This policy will deny access to all ports that are NOT 22, 23 or 24 for all Network Security Groups

```yaml
policies:
  - name: close-inbound-except-22-24
    resource: azure.networksecuritygroup
    filters:
      - type: ingress
        exceptPorts: '22-24'
        match: 'any'
        access: 'Allow'
    actions:
      - type: close
        exceptPorts: '22-24'
        direction: 'Inbound'
```
Example:
This policy will find all NSGs with port 80 opened and port 443 closed, then it will open port 443

```yaml
policies:
  - name: close-egress-except-TCP
    resource: azure.networksecuritygroup
    filters:
      - type: ingress
        ports: '80'
        access: 'Allow'
      - type: ingress
        ports: '443'
        access: 'Deny'
    actions:
      - type: open
        ports: '443'
```
Example:
This policy will find all NSGs with port 22 opened from 'Any' source

```yaml
policies:
  - name: find-ingress-SSH-from-any-source
    resource: azure.networksecuritygroup
    filters:
      - type: ingress
        ports: '22'
        access: 'Allow'
        source: '*'
```
Example:
This policy will find all NSGs with port 8080 enabled to 'Any' destination

```yaml
policies:
  - name: find-egress-HTTP-to-any-destination
    resource: azure.networksecuritygroup
    filters:
      - type: egress
        ports: '8080'
        access: 'Allow'
        destination: '*'
```
Filters

egress
Filter Network Security Groups using opened/closed ports configuration

```yaml
properties:
  access:
    enum:
      - Allow
      - Deny
    type: string
  destination:
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - ICMP
      - TCP
      - UDP
      - '*'
    type: string
  match:
    enum:
      - all
      - any
    type: string
  ports:
    type: string
  source:
    type: string
  type:
    enum:
      - egress
required:
  - type
```
ingress
Filter Network Security Groups using opened/closed ports configuration

```yaml
properties:
  access:
    enum:
      - Allow
      - Deny
    type: string
  destination:
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - ICMP
      - TCP
      - UDP
      - '*'
    type: string
  match:
    enum:
      - all
      - any
    type: string
  ports:
    type: string
  source:
    type: string
  type:
    enum:
      - ingress
required:
  - type
```
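The examples above and the ingress/egress filter schemas rely on the same matching idea: a security group matches when at least one of its rules has the requested direction, access, source/destination and protocol, and its destination port range overlaps (match: any) or fully covers (match: all) the ports named by `ports` or by everything outside `exceptPorts`. The following is an added, stand-alone illustration of that evaluation over constructed NSG rule data; it is not Cloud Custodian's own implementation, and the rule field names (`destinationPortRange`, `sourceAddressPrefix`, and so on) are assumed to follow the Azure NSG resource shape.

```python
# Added illustration of the ingress/egress filter semantics documented above.
# Not Cloud Custodian's code; rule field names assume the Azure NSG resource shape.
ALL_PORTS = range(1, 65536)


def parse_ports(spec):
    """'22-24,80' -> {22, 23, 24, 80}; '*' or None -> every port."""
    if spec in (None, "*"):
        return set(ALL_PORTS)
    ports = set()
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule_ports(rule):
    """Destination ports one security rule covers (single range or list of ranges)."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    return set().union(*(parse_ports(r) for r in ranges))


def rule_matches(rule, flt):
    """Evaluate one ingress/egress filter (as in the policy examples) against one rule."""
    if rule["direction"] != ("Inbound" if flt["type"] == "ingress" else "Outbound"):
        return False
    for key, prop in (("access", "access"), ("source", "sourceAddressPrefix"),
                      ("destination", "destinationAddressPrefix"), ("ipProtocol", "protocol")):
        if key in flt and str(rule.get(prop, "")).lower() != str(flt[key]).lower():
            return False
    if "ports" in flt:
        wanted = parse_ports(flt["ports"])
    elif "exceptPorts" in flt:  # everything NOT in the listed ports/ranges
        wanted = set(ALL_PORTS) - parse_ports(flt["exceptPorts"])
    else:
        return True
    covered = rule_ports(rule) & wanted
    return covered == wanted if flt.get("match", "any") == "all" else bool(covered)


def nsg_matches(nsg, flt):
    """An NSG matches when any of its security rules matches the filter."""
    return any(rule_matches(r, flt) for r in nsg["securityRules"])


# Constructed sample NSG (not real data): SSH open from anywhere, HTTP open internally, HTTPS denied.
SAMPLE_NSG = {"name": "demo-nsg", "securityRules": [
    {"name": "allow-ssh", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-http", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "10.0.0.0/8", "destinationAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "deny-https", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "443"},
]}
```

Running the page's `find-ingress-SSH-from-any-source` filter against `SAMPLE_NSG` returns True, while the egress filter for port 8080 returns False because the sample has no outbound rules.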
Actions

close
Deny access to Security Rule

```yaml
properties:
  direction:
    enum:
      - Inbound
      - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - ICMP
      - TCP
      - UDP
      - '*'
    type: string
  ports:
    type: string
  prefix:
    maxLength: 44
    type: string
  type:
    enum:
      - close
required:
  - type
```
open
Allow access to Security Rule

```yaml
properties:
  direction:
    enum:
      - Inbound
      - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
      - ICMP
      - TCP
      - UDP
      - '*'
    type: string
  ports:
    type: string
  prefix:
    maxLength: 44
    type: string
  type:
    enum:
      - open
required:
  - type
```