Risk Level: Low

Cloud Entity: Azure Virtual Network Gateway

CloudGuard Rule ID: D9.AZU.IAM.32

Covered by Spectral: Yes

Category: Networking & Content Delivery

GSL LOGIC

VirtualNetworkGateway where vpnType!='ExpressRoute' should not have vpnClientConfiguration.vpnClientIpsecPolicies isEmpty()

REMEDIATION

From Portal

Sign in to the Azure portal at https://portal.azure.com/.
Create the virtual networks, VPN gateways, or local network gateways for your connectivity topology.
Create a 'connection' and under 'configuration' apply IPsec/IKE policy. You can apply the policy when you create a Site-to-Site or VNet-to-VNet connection.
Under the 'connection' tab of 'Virtual network gateway' add the connection.
Click ok.

From Command Line
Run

az network vpn-connection ipsec-policy add --resource-group RESOURCEGROUP --connection-name MYCONNECTION --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA384 --ipsec-encryption DES3 --ipsec-integrity GCMAES256 --pfs-group PFS2048 --sa-lifetime 27000 --sa-max-size 102400000

References

Azure Virtual Network Gateway

A virtual network gateway is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet. Virtual network gateway VMs contain routing tables and run specific gateway services. These VMs are created when you create the virtual network gateway. You can't directly configure the VMs that are part of the virtual network gateway.

Compliance Frameworks

Azure ITSG-33
CloudGuard Azure All Rules Ruleset