Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380

Deploying Redis Cache inside a VNET provides enhanced security and isolation. A VNET also provides subnets, access control policies and additional networking and security capabilities. When using a VNET, specific ingress and egress firewall rules are required. This feature is available to Premium tier Redis Cache only.

Risk Level: High
Cloud Entity: Azure Redis Cache
CloudGuard Rule ID: D9.AZU.NET.16
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RedisCache where sku.name='Premium' should have subnet.securityGroup.outboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=6379 and destinationPortTo>=6379 ] ] and subnet.securityGroup.outboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=6380 and destinationPortTo>=6380 ] ]

REMEDIATION

From Portal
Pre-requisite: the VNET needs to be set up when the Redis Cache is launched.

  1. Go to 'Network Security Groups' from Azure Management console.
  2. For each Network Security Group that is attached to the Redis Cache in question:
  3. Select Outbound security rules.
  4. Add a rule with Destination Port 6379 & 6380.
  5. Select Add.
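As an added example (not code from the CloudGuard rule or from Azure), the GSL logic above expressed as a Python audit check over an NSG document in the JSON shape returned by `az network nsg show -o json`. The sample NSG is constructed, and the check is slightly stricter than the GSL logic: it also requires the matching outbound rule to be an Allow rule.

```python
"""Audit check for CloudGuard rule D9.AZU.NET.16 against an Azure NSG JSON document.
The SAMPLE_NSG below is constructed for illustration, not a real resource."""
import json

REQUIRED_PORTS = (6379, 6380)  # Redis non-TLS and TLS ports named in the rule

def port_bounds(spec: str) -> tuple[int, int]:
    """Turn an Azure port spec ("6379", "6379-6380" or "*") into (lo, hi)."""
    if spec == "*":
        return 0, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)

def rule_port_specs(rule: dict) -> list[str]:
    """Azure stores one spec in destinationPortRange and several in destinationPortRanges."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs

def outbound_allows_port(nsg: dict, port: int) -> bool:
    """GSL condition: some outbound rule has a range with destinationPort <= port <= destinationPortTo.
    Assumption (stricter than the GSL logic): the rule must also be an Allow rule."""
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Outbound" or rule.get("access") != "Allow":
            continue
        for spec in rule_port_specs(rule):
            lo, hi = port_bounds(spec)
            if lo <= port <= hi:
                return True
    return False

def evaluate(nsg: dict) -> dict:
    """Per-port result; the NSG is compliant only when every required port is covered."""
    return {port: outbound_allows_port(nsg, port) for port in REQUIRED_PORTS}

# Constructed sample: the only Allow rule opens 6379, so 6380 is still missing.
SAMPLE_NSG = json.loads("""{"name": "redis-subnet-nsg", "securityRules": [
  {"name": "allow-redis", "direction": "Outbound", "access": "Allow",
   "destinationPortRange": "6379", "destinationPortRanges": []},
  {"name": "deny-web", "direction": "Outbound", "access": "Deny",
   "destinationPortRange": null, "destinationPortRanges": ["80", "443"]}]}""")

if __name__ == "__main__":
    print(evaluate(SAMPLE_NSG))  # {6379: True, 6380: False}
```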

References

  1. https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet

Azure Redis Cache

Fully managed, open source-compatible in-memory data store to power fast, scalable applications. Azure Redis Cache is based on the popular open-source Redis cache. It is typically used as a cache to improve the performance and scalability of systems that rely heavily on backend data stores. Performance is improved by temporarily copying frequently accessed data to fast storage located close to the application. With Redis Cache, this fast storage is located in-memory with Redis Cache instead of being loaded from disk by a dat

Compliance Frameworks

  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard Network Security Alerts
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure HIPAA
  • Azure ISO 27001:2013
  • Azure LGPD regulation
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • Azure PCI-DSS 3.2
  • CloudGuard Azure All Rules Ruleset