Governance Anti Patterns Networking - Azure/az-prototype GitHub Wiki

Networking

Network isolation, firewall rules, and public exposure detection

Domain: networking

Checks (10)

Check Description
ANTI-NET-001 Public network access is enabled — disable public access and use private endpoints. This applies to ALL environments including POC.
ANTI-NET-002 Overly permissive network rule detected (0.0.0.0/0) — use specific IP ranges or service tags instead.
ANTI-NET-003 Direct external ingress detected — consider using API Management or Front Door as a gateway for production.
ANTI-NET-004 VNet integration disabled or missing — enable VNet integration for backend connectivity to private resources.
ANTI-NET-005 Empty IP restrictions — configure IP restrictions or use VNet integration to limit access.
ANTI-NET-006 Private endpoint references a VNet as its privateLinkServiceId — VNets are not valid Private Link targets. ARM will reject this with HTTP 400.
ANTI-NET-007 VNet/NSG diagnostic settings must use category = "AllMetrics" only — log categories are not supported and cause ARM errors.
ANTI-NET-008 NSGs do NOT support diagnostic settings — remove the diagnostic settings resource entirely.
ANTI-NET-009 Oversized address space detected — use /22 to /24 for POC subnets, /20 to /22 for VNets.
ANTI-NET-010 NSG rule uses wildcard (*) for source or destination — use specific IP ranges, CIDR blocks, or service tags.

ANTI-NET-001

Public network access is enabled — disable public access and use private endpoints. This applies to ALL environments including POC.

Rationale: Public network access exposes service data planes to internet-based attacks; all PaaS services should disable public access and use private endpoints.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Storage/storageAccounts
  • Microsoft.Sql/servers
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.KeyVault/vaults
  • Microsoft.Cache/redis
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.Search/searchServices
  • Microsoft.CognitiveServices/accounts
  • Microsoft.ContainerRegistry/registries
  • Microsoft.OperationalInsights/workspaces
  • Microsoft.Insights/components
  • 'public_network_access_enabled = true'
  • 'public_network_access = "enabled"'
  • 'publicnetworkaccess = "enabled"'
  • 'publicnetworkaccessforingestion = "enabled"'
  • 'publicnetworkaccessforquery = "enabled"'
  • 'publicNetworkAccess = "Disabled"'
  • 'public_network_access_enabled = false'
  • 'publicNetworkAccessForIngestion = "Disabled"'
  • 'publicNetworkAccessForQuery = "Disabled"'

ANTI-NET-002

Overly permissive network rule detected (0.0.0.0/0) — use specific IP ranges or service tags instead.

Rationale: Allowing all internet traffic (0.0.0.0/0) in NSG or firewall rules defeats network segmentation and exposes resources to attack.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Network/networkSecurityGroups
  • Microsoft.Network/azureFirewalls
  • '0.0.0.0/0'
  • '0.0.0.0-255.255.255.255'

ANTI-NET-003

Direct external ingress detected — consider using API Management or Front Door as a gateway for production.

Rationale: Direct external ingress bypasses WAF, rate limiting, and centralized authentication that API Management or Front Door provides.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.App/containerApps
  • Microsoft.Web/sites
  • 'ingress_type = "external"'
  • 'external_enabled = true'
  • 'external = true'

ANTI-NET-004

VNet integration disabled or missing — enable VNet integration for backend connectivity to private resources.

Rationale: Without VNet integration, compute resources cannot access private endpoints or backend services on private networks.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Web/sites
  • Microsoft.App/managedEnvironments
  • 'vnet_route_all_enabled = false'
  • 'virtual_network_subnet_id = null'

ANTI-NET-005

Empty IP restrictions — configure IP restrictions or use VNet integration to limit access.

Rationale: Empty IP restrictions allow all internet traffic to reach the app directly, bypassing network controls.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Web/sites
  • 'ip_restriction = []'
  • 'scm_ip_restriction = []'

ANTI-NET-006

Private endpoint references a VNet as its privateLinkServiceId — VNets are not valid Private Link targets. ARM will reject this with HTTP 400.

Rationale: Private endpoints connect to specific Azure PaaS services, not VNets. ARM will reject this with HTTP 400.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Network/privateEndpoints
  • 'privateLinkServiceId = azapi_resource.vnet'
  • 'privateLinkServiceId = azapi_resource.virtual_network'
  • 'private_link_service_id = azurerm_virtual_network'
  • '# Private endpoints target specific PaaS services (e.g., Microsoft.Sql/servers), not VNets'

ANTI-NET-007

VNet/NSG diagnostic settings must use category = "AllMetrics" only — log categories are not supported and cause ARM errors.

Rationale: VNets and NSGs do not support log category groups. Using categoryGroup = "allLogs" causes ARM HTTP 400 validation errors.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Network/virtualNetworks
  • Microsoft.Network/networkSecurityGroups
  • 'diag_vnet'
  • 'diag_nsg'
  • 'diagnostics_vnet'
  • 'diagnostics_nsg'
  • 'category = "AllMetrics"'
  • '# VNets and NSGs only support AllMetrics, not log categories'

ANTI-NET-008

NSGs do NOT support diagnostic settings — remove the diagnostic settings resource entirely.

Rationale: NSGs do not support diagnostic settings at all (no logs, no metrics). The ARM API will reject with HTTP 400.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Network/networkSecurityGroups
  • 'nsg_pe_diag'
  • 'nsg_aca_diag'
  • 'nsg_diag'
  • '# NSGs do NOT support diagnostic settings — no log or metric categories'

ANTI-NET-009

Oversized address space detected — use /22 to /24 for POC subnets, /20 to /22 for VNets.

Rationale: A /16 allocates 65,536 IPs and a /8 allocates 16 million — wildly excessive for POC workloads that typically need fewer than 1,000 addresses.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Network/virtualNetworks
  • '/8"'
  • '/16"'
  • '10.0.0.0/8'
  • '10.0.0.0/16'
  • '172.16.0.0/12'
  • 'addressPrefix = "10.0.0.0/22"'
  • '# Use /22-/24 for subnets, /20-/22 for VNets in POC'

ANTI-NET-010

NSG rule uses wildcard (*) for source or destination — use specific IP ranges, CIDR blocks, or service tags.

Rationale: Wildcard rules negate the purpose of NSGs and allow any traffic through, creating an open network.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Network/networkSecurityGroups
  • 'sourceAddressPrefix = "*"'
  • 'destinationAddressPrefix = "*"'
  • 'source_address_prefix = "*"'
  • 'destination_address_prefix = "*"'
  • 'sourceAddressPrefix = "10.0.0.0/22"'
  • 'sourceAddressPrefix = "VirtualNetwork"'
  • '# Use CIDR blocks or service tags instead of wildcards'
⚠️ **GitHub.com Fallback** ⚠️