Framework/Configurations/SVT/Services/ERvNet.json

{
  "FeatureName": "ERvNet",
  "Reference": "aka.ms/azsdkosstcp/ervnet",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_PublicIPs",
      "Description": "There must not be any Public IPs (i.e., NICs with PublicIP) on ER-vNet VMs",
      "Id": "ERvNet110",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIps",
      "Recommendation": "All Public IP addresses must be removed from Virtual Network. For more information visit: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermpublicipaddress",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_Multi_NIC_VMs",
      "Description": "There must not be multiple NICs on ER-vNet VMs",
      "Id": "ERvNet120",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMultiNICVMUsed",
      "Recommendation": "Only one NIC must be configured; all other NICs must be removed. For steps visit: http://stackoverflow.com/questions/34526032/how-can-i-programmatically-detach-a-nic-from-its-vm-in-azure-arm",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Enable_IPForwarding_for_NICs",
      "Description": "'EnableIPForwarding' flag must not be set to true for NICs in the ER-vNet",
      "Id": "ERvNet130",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckIPForwardingforNICs",
      "Recommendation": "IP Forwarding must be disabled. For more information visit: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet",
      "Description": "There must not be any NSGs on the GatewaySubnet of the ER-vNet",
      "Id": "ERvNet140",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGUseonGatewaySubnet",
      "Recommendation": "NSG must not be configured with any security rules. To remove existing rules from the NSG: a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Remove all Allow action rules. b) Azure Portal -> Network security groups -> <Your NSG> -> Outbound security rules -> Remove all Allow action rules.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Add_UDRs_on_Subnets",
      "Description": "There must not be a UDR on *any* subnet in an ER-vNet",
      "Id": "ERvNet150",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckUDRAddedOnSubnet",
      "Recommendation": "Remove the subnet route using the Remove-AzureSubnetRouteTable command. Run 'Get-Help Remove-AzureSubnetRouteTable -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Add_VPN_Gateways",
      "Description": "There must not be another virtual network gateway (GatewayType = Vpn) in an ER-vNet",
      "Id": "ERvNet160",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckGatewayUsed",
      "Recommendation": "This is the default behavior; no action is required.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_VNet_Peerings",
      "Description": "There must not be any virtual network peerings on an ER-vNet",
      "Id": "ERvNet170",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckVnetPeering",
      "Recommendation": "Remove the VNet peering using the Remove-AzureRmVirtualNetworkPeering command. Run 'Get-Help Remove-AzureRmVirtualNetworkPeering -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Use_Only_Internal_Load_Balancers",
      "Description": "Only internal load balancers (ILBs) may be used inside an ER-vNet",
      "Id": "ERvNet180",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckInternalLoadBalancers",
      "Recommendation": "Remove external load balancers using the Remove-AzureRmLoadBalancer command. Run 'Get-Help Remove-AzureRmLoadBalancer -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ERvNet_SI_Add_Only_Network_Resources",
      "Description": "Only resources of type Microsoft.Network/* must be added in the ERNetwork resource group",
      "Id": "ERvNet190",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckOnlyNetworkResourceExist",
      "Recommendation": "Move all resources other than Microsoft.Network/* to another resource group. To move a resource to another resource group, select the resource in the portal and then select the Move option on the Overview tab.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_ERvNet_SI_Dont_Remove_Resource_Lock",
      "Description": "The resource lock configured on the ERNetwork resource group must not be removed",
      "Id": "ERvNet200",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckResourceLockConfigured",
      "Recommendation": "Run the 'New-AzureRmResourceLock' command. Run 'Get-Help New-AzureRmResourceLock -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_ERvNet_SI_Dont_Remove_ARM_Policy",
      "Description": "The ARM policies configured to protect ERNetwork setup must not be removed",
      "Id": "ERvNet210",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckARMPolicyConfigured",
      "Recommendation": "Run the 'Set-AzSDKARMPolicies' command. Run 'Get-Help Set-AzSDKARMPolicies -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI"
      ],
      "Enabled": false
    }
  ]
}