Benchmark: 2.2.1.2 Ensure Network Access Rules are set to Deny-by-default
Overview
Restricting default network access provides a foundational level of security to networked resources. To limit access to selected networks, the default action must be changed.
Resources using Virtual Network interfaces should be configured to deny-by-default all access from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. If necessary, access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients.
For all traffic inbound from- and outbound to- the internet, a NAT Gateway is recommended at minimum, and ideally all traffic flows through a security gateway device such as a firewall. Security gateway devices will provide an additional level of visibility to inbound and outbound traffic and usually perform advanced monitoring and response activity such as intrusion detection and prevention (IDP), and deep packet inspection (DPI) which help detect activity indicating vulnerabilities and threats.
Default Value
By default, interfaces attached to virtual networks will accept connections from clients on any network and have a default outbound access rule which allows access to the internet.
The default outbound access rule is scheduled for retirement on September 30th, 2025: https://azure.microsoft.com/en-us/updates?id=default-outbound-access-for-vms-in-azure-will-be-retired-transition-to-a-new-method-of-internet-access
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 2.2.1.2 Ensure Network Access Rules are set to Deny-by-default.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_2_2_1_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_2_2_1_2 --share
Controls
- Cognitive Services accounts should restrict network access
- Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
- Container registries should not allow unrestricted network access
- Service bus namespace should not be configured with overly permissive network access
- Storage accounts should restrict network access