Benchmark: Network
Description
This section contains recommendations for configuring Network resources.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select Network.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_networkSnapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_network --shareControls
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should use the specified mode for Application Gateway
- Ensure an Azure Bastion Host exists
- Azure DDoS Protection Standard should be enabled
- Network load balancers should use standard SKUs as a minimum
- Virtual network network peering should be in connected state
- Network public IPs should use standard SKUs as a minimum
- Deploy Diagnostic Settings for Network Security Groups
- Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Gateway subnets should not be configured with a network security group
- Network security groups should restrict outbound access from internet
- Windows machines should meet requirements for 'User Rights Assignment'
- Management ports should be closed on your virtual machines
- Network security groups should restrict inbound ICMP port access from internet
- Network security groups should restrict inbound TCP port 135 access from internet
- Network security groups should restrict inbound TCP port 1433 access from internet
- Network security groups should restrict inbound TCP port 20 access from internet
- Network security groups should restrict inbound TCP port 21 access from internet
- Network security groups should restrict inbound TCP port 23 access from internet
- Network security groups should restrict inbound TCP port 25 access from internet
- Network security groups should restrict inbound TCP port 3306 access from internet
- Network security groups should restrict inbound TCP port 4333 access from internet
- Network security groups should restrict inbound TCP port 445 access from internet
- Network security groups should restrict inbound TCP port 53 access from internet
- Network security groups should restrict inbound TCP port 5432 access from internet
- Network security groups should restrict inbound TCP port 5500 access from internet
- Network security groups should restrict inbound TCP port 5900 access from internet
- Network security groups should restrict inbound UDP port 137 access from internet
- Network security groups should restrict inbound UDP port 137 access from internet
- Network security groups should restrict inbound UDP port 1434 access from internet
- Network security groups should restrict inbound UDP port 445 access from internet
- Network security groups should restrict inbound UDP port 53 access from internet
- Ensure that SSH access is restricted from the internet
- Subnets should be associated with a Network Security Group
- Ensure that UDP Services are restricted from the Internet
- Flow logs should be configured for every network security group
- Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Virtual network gateways should use standard SKUs as a minimum
- Network Watcher should be enabled
- All flow log resources should be in enabled state
- Network Watcher flow logs should have traffic analytics enabled
- Deploy network watcher when virtual networks are created