Ensure Virtual Network Gateway is configured with Cryptographic Algorithm

For communications that require specific cryptographic algorithms or parameters, typically due to compliance or security requirements, you can now configure their Azure VPN gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.

Risk Level: Low
Cloud Entity: Azure Virtual Network Gateway
CloudGuard Rule ID: D9.AZU.IAM.32
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

VirtualNetworkGateway where vpnType!='ExpressRoute' should not have vpnClientConfiguration.vpnClientIpsecPolicies isEmpty()

REMEDIATION

From Portal

  1. Sign in to the Azure portal at https://portal.azure.com/.
  2. Create the virtual networks, VPN gateways, or local network gateways for your connectivity topology.
  3. Create a 'connection' and under 'configuration' apply IPsec/IKE policy. You can apply the policy when you create a Site-to-Site or VNet-to-VNet connection.
  4. Under the 'connection' tab of 'Virtual network gateway' add the connection.
  5. Click ok.

From Command Line
Run

az network vpn-connection ipsec-policy add --resource-group RESOURCEGROUP --connection-name MYCONNECTION --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA384 --ipsec-encryption DES3 --ipsec-integrity GCMAES256 --pfs-group PFS2048 --sa-lifetime 27000 --sa-max-size 102400000

References

  1. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto
  2. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
  3. https://docs.microsoft.com/en-us/cli/azure/network/vpn-connection/ipsec-policy?view=azure-cli-latest#az_network_vpn_connection_ipsec_policy_add
  4. https://learn.microsoft.com/en-us/azure-stack/user/azure-stack-vpn-s2s?view=azs-2206&tabs=az1%2Caz2%2Caz3%2Caz4%2Caz5%2Caz8%2Caz6%2Caz7

Azure Virtual Network Gateway

A virtual network gateway is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet. Virtual network gateway VMs contain routing tables and run specific gateway services. These VMs are created when you create the virtual network gateway. You can't directly configure the VMs that are part of the virtual network gateway.

Compliance Frameworks

  • Azure ITSG-33
  • CloudGuard Azure All Rules Ruleset