Control: Azure DDoS Protection Standard should be enabled
Description
DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.network_ddos_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.network_ddos_enabled --share
SQL
This control uses a named query:
with application_gateway_subnet as (
  select
    distinct (split_part(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) as vn_name
  from
    azure_application_gateway as ag,
    jsonb_array_elements(gateway_ip_configurations) as c
)
select
  a.name as resource,
  case
    when b.vn_name is null then 'ok'
    when b.vn_name is not null and enable_ddos_protection::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when b.vn_name is null then 'DDoS protection not required.'
    when b.vn_name is not null and enable_ddos_protection::bool then a.name || ' DDoS protection enabled.'
    else a.name || ' DDoS protection disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_virtual_network as a
  left join application_gateway_subnet as b on a.name = b.vn_name
  left join azure_subscription sub on sub.subscription_id = a.subscription_id;
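The branch logic of this query, shown as an added example that is not part of the control's own code: the first two CTEs stand in for `azure_virtual_network` and `azure_application_gateway` with constructed rows, so the three outcomes can be reproduced in plain PostgreSQL. The resource names, resource group and subscription ID are made up, and the subscription join is omitted.

```sql
-- Constructed sample rows; only the columns the control's query reads are modelled.
with azure_virtual_network (name, resource_group, enable_ddos_protection) as (
  values
    ('vnet-appgw-protected',   'rg-demo', true),   -- hosts a gateway subnet, DDoS plan on
    ('vnet-appgw-unprotected', 'rg-demo', false),  -- hosts a gateway subnet, DDoS plan off
    ('vnet-internal',          'rg-demo', false)   -- no application gateway subnet
),
azure_application_gateway (name, gateway_ip_configurations) as (
  values
    ('agw-1', jsonb_build_array(jsonb_build_object('properties', jsonb_build_object(
       'subnet', jsonb_build_object('id',
         '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo'
         || '/providers/Microsoft.Network/virtualNetworks/vnet-appgw-protected/subnets/agw'))))),
    ('agw-2', jsonb_build_array(jsonb_build_object('properties', jsonb_build_object(
       'subnet', jsonb_build_object('id',
         '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo'
         || '/providers/Microsoft.Network/virtualNetworks/vnet-appgw-unprotected/subnets/agw')))))
),
-- Same extraction as the control: the subnet ID starts with '/', so field 1 is empty
-- and field 9 is the virtual network name.
application_gateway_subnet as (
  select
    distinct (split_part(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) as vn_name
  from
    azure_application_gateway as ag,
    jsonb_array_elements(gateway_ip_configurations) as c
)
select
  a.name as resource,
  case
    when b.vn_name is null then 'ok'
    when b.vn_name is not null and enable_ddos_protection::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when b.vn_name is null then 'DDoS protection not required.'
    when b.vn_name is not null and enable_ddos_protection::bool then a.name || ' DDoS protection enabled.'
    else a.name || ' DDoS protection disabled.'
  end as reason,
  a.resource_group as resource_group
from
  azure_virtual_network as a
  left join application_gateway_subnet as b on a.name = b.vn_name
order by
  a.name;
```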