Control: 2.2.1.2 Ensure Network Access Rules are set to Deny-by-default
Overview
Restricting default network access provides a foundational level of security for networked resources. To limit access to selected networks, the default action must be changed from Allow to Deny.
Resources using Virtual Network interfaces should be configured to deny, by default, all access from all networks (including internet traffic). Access can then be granted to traffic from specific Azure Virtual Networks, allowing a secure network boundary to be built for specific applications. If necessary, access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. Note that IP and Virtual Network rules only take effect once the default action is Deny; while it remains Allow, every network is permitted regardless of the rules configured.
For all traffic inbound from and outbound to the internet, a NAT Gateway is recommended at minimum, and ideally all traffic flows through a security gateway device such as a firewall. Security gateway devices provide an additional level of visibility into inbound and outbound traffic and usually perform advanced monitoring and response activity such as intrusion detection and prevention (IDS/IPS) and deep packet inspection (DPI), which help detect activity indicating vulnerabilities and threats.
Default Value
By default, interfaces attached to virtual networks accept connections from clients on any network (the network rule default action is Allow) and have a default outbound access rule that allows access to the internet.
The default outbound access rule is scheduled for retirement on September 30th, 2025: https://azure.microsoft.com/en-us/updates?id=default-outbound-access-for-vms-in-azure-will-be-retired-transition-to-a-new-method-of-internet-access
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_2_2_1_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v400_2_2_1_2 --share
SQL
This control uses a named query:
select
  sa.id as resource,
  case
    when sa.network_rule_default_action = 'Allow' then 'alarm'
    else 'ok'
  end as status,
  case
    when sa.network_rule_default_action = 'Allow' then sa.name || ' allows traffic from all networks.'
    else sa.name || ' allows traffic from specific networks.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;
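The named query above reports only whether the default action is Allow. The following is an added example, not the azure_compliance mod's own query, that extends the same check so a reviewer can see what remains reachable on accounts that do deny by default: the bypass setting and the number of IP and Virtual Network exceptions. It also treats a missing default action as the permissive Azure default (Allow) rather than silently passing it. It assumes the Steampipe azure_storage_account table exposes the columns network_rule_bypass, network_ip_rules and virtual_network_rules (the last two as jsonb arrays) alongside the columns used by the named query; those three column names are assumptions, as is the ordering clause.

```sql
-- Added example: extends the control's named query with the remaining
-- network exceptions. Assumed columns: network_rule_bypass,
-- network_ip_rules (jsonb array), virtual_network_rules (jsonb array).
with accounts as (
  select
    sa.id,
    sa.name,
    sa.resource_group,
    sa.subscription_id,
    -- Azure creates storage accounts with networkAcls.defaultAction = Allow,
    -- so a missing value is treated as the permissive default, not as 'ok'.
    coalesce(sa.network_rule_default_action, 'Allow') as default_action,
    sa.network_rule_bypass as bypass,
    coalesce(jsonb_array_length(sa.network_ip_rules), 0) as ip_rule_count,
    coalesce(jsonb_array_length(sa.virtual_network_rules), 0) as vnet_rule_count
  from
    azure_storage_account sa
)
select
  a.id as resource,
  case
    when lower(a.default_action) = 'allow' then 'alarm'
    else 'ok'
  end as status,
  case
    -- While the default is Allow, any IP/VNet rules have no effect.
    when lower(a.default_action) = 'allow'
      then a.name || ' allows traffic from all networks; configured IP and VNet rules are not enforced until the default is Deny.'
    when a.ip_rule_count = 0 and a.vnet_rule_count = 0
      then a.name || ' denies all networks and grants no exceptions.'
    else a.name || ' denies by default with ' || a.ip_rule_count || ' IP rule(s) and '
      || a.vnet_rule_count || ' virtual network rule(s); bypass = '
      || coalesce(a.bypass::text, 'None') || '.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  accounts a
  join azure_subscription sub on sub.subscription_id = a.subscription_id
order by
  status,
  a.name;
```

Run it with `powerpipe query` or `steampipe query` against the same Azure plugin connection the control uses. Accounts in the 'ok' rows still deserve a look at the exception counts and the bypass value, since a long list of IP rules or a broad bypass can undo much of the benefit of a Deny default.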