Ensure that Virtual Networks Subnets have Security Groups

A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Risk Level: High
Cloud Entity: Virtual Network
CloudGuard Rule ID: D9.AZU.NET.61
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

VNet should not have subnets contain [ securityGroup.id isEmpty() ]

REMEDIATION

Using Azure CLI:
Associate a network security group to a subnet:
az network vnet subnet update -g MyResourceGroup -n MySubnet --vnet-name MyVNet --network-security-group MyNsg

From TF:

resource "azurerm_virtual_network" "example" {
  # ... name, location, resource_group_name, address_space ...
  subnet {
    name           = "MySubnet"
    address_prefix = "10.0.1.0/24"   # example prefix; azurerm 4.x uses address_prefixes = [...]
    security_group = azurerm_network_security_group.example.id   # associates the NSG with the subnet
  }
}

References: https://docs.microsoft.com/en-us/cli/azure/network/vnet/subnet?view=azure-cli-latest#az_network_vnet_subnet_update
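The check below is an added example, not code from the CloudGuard page or from Azure's own tooling. It evaluates the GSL logic above (a subnet fails when its security group id is empty) over the JSON that `az network vnet list -o json` produces, and prints the page's `az network vnet subnet update` remediation command for each failing subnet. Assumptions: the field names `name`, `resourceGroup`, `subnets[].name` and `subnets[].networkSecurityGroup` (null or an object with `id`) mirror the CLI output; the two VNets in the sample are constructed for this example, as is the NSG name `MyNsg` passed to the remediation command.

```python
"""Offline evaluation of CloudGuard rule D9.AZU.NET.61 over az CLI JSON (added example)."""
import json

# Constructed sample data (not real Azure output): one subnet has no NSG,
# one has an NSG, one has an NSG object whose id is blank (also isEmpty()).
SAMPLE_VNETS_JSON = """
[
  {
    "name": "MyVNet",
    "resourceGroup": "MyResourceGroup",
    "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
    "subnets": [
      {"name": "MySubnet", "addressPrefix": "10.0.1.0/24",
       "networkSecurityGroup": null},
      {"name": "AppSubnet", "addressPrefix": "10.0.2.0/24",
       "networkSecurityGroup": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/networkSecurityGroups/MyNsg"}}
    ]
  },
  {
    "name": "HubVNet",
    "resourceGroup": "HubRG",
    "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
    "subnets": [
      {"name": "DbSubnet", "addressPrefix": "10.1.3.0/24",
       "networkSecurityGroup": {"id": ""}}
    ]
  }
]
"""


def load_vnets(text: str = SAMPLE_VNETS_JSON) -> list:
    """Parse the JSON array returned by `az network vnet list -o json`."""
    return json.loads(text)


def nsg_id_is_empty(subnet: dict) -> bool:
    """Mirror GSL `securityGroup.id isEmpty()`: missing, null or blank id fails."""
    nsg = subnet.get("networkSecurityGroup")
    if not nsg:
        return True
    return not (nsg.get("id") or "").strip()


def find_unprotected_subnets(vnets: list) -> list:
    """Return (vnet_name, resource_group, subnet_name) for every subnet without an NSG."""
    findings = []
    for vnet in vnets:
        for subnet in vnet.get("subnets", []):
            if nsg_id_is_empty(subnet):
                findings.append((vnet["name"], vnet["resourceGroup"], subnet["name"]))
    return findings


def vnet_compliant(vnet: dict) -> bool:
    """The rule passes for a VNet only when none of its subnets lack an NSG."""
    return not any(nsg_id_is_empty(s) for s in vnet.get("subnets", []))


def remediation_command(resource_group: str, vnet_name: str, subnet_name: str, nsg_name: str) -> str:
    """Build the `az network vnet subnet update` call shown in the remediation section."""
    return (
        f"az network vnet subnet update -g {resource_group} -n {subnet_name} "
        f"--vnet-name {vnet_name} --network-security-group {nsg_name}"
    )


if __name__ == "__main__":
    for vnet_name, rg, subnet_name in find_unprotected_subnets(load_vnets()):
        print(f"FAIL {rg}/{vnet_name}/{subnet_name}: no network security group associated")
        # "MyNsg" is an assumed NSG name; substitute the NSG you want attached.
        print("  " + remediation_command(rg, vnet_name, subnet_name, "MyNsg"))
```

Feed it real data with `az network vnet list -o json > vnets.json` and `load_vnets(open("vnets.json").read())`. Treating a blank `id` as a failure matches the `isEmpty()` semantics of the GSL rather than only checking for `null`, so a half-configured association is still reported.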

Virtual Network

You can implement multiple virtual networks within each Azure subscription and Azure region. Each virtual network is isolated from other virtual networks. For each virtual network you can:

  • Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign.
  • Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0