Network - oWretch/policy GitHub Wiki
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Network |
[Deprecated]: Azure firewall policy should enable TLS inspection within application rules This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |
AuditIfNotExists Disabled |
||||||||
| Network |
Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2 |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Network |
Deny or Audit service endpoints on subnets This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
Deny vNet peering cross subscription. This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope. |
Deny Disabled Audit |
||||||||
| Network |
Deploy Activity Log Azure FireWall Delete Alert Policy to Deploy Activity Log Azure Firewall Delete Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy Activity Log NSG Delete Alert Policy to Deploy Activity Log NSG Delete Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Network |
Deploy Activity Log Route Table Update Alert Policy to Deploy Activity Log Route Table Update Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Network |
Deploy Activity Log VPN Gateway Delete Alert Policy to Deploy Activity Log VPN Gateway Delete Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy AFW FirewallHealth Alert Policy to audit/deploy Azure Firewall FirewallHealth Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy AFW SNATPortUtilization Alert Policy to audit/deploy Azure Firewall SNATPortUtilization Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy ERG ExpressRoute Bits In Alert Policy to audit/deploy ER Gateway Connection BitsInPerSecond Alert |
disabled deployIfNotExists |
||||||||
| Network |
Deploy ERG ExpressRoute Bits Out Alert Policy to audit/deploy ER Gateway Connection BitsOutPerSecond Alert |
disabled deployIfNotExists |
||||||||
| Network |
Deploy ERG ExpressRoute CPU Utilization Alert Policy to audit/deploy ER Gateway Express Route CPU Utilization Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy ExpressRoute Circuits Arp Availability Alert Policy to audit/deploy ExpressRoute Circuits Arp Availability Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy ExpressRoute Circuits Bgp Availability Alert Policy to audit/deploy ExpressRoute Circuits Bgp Availability Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy ExpressRoute Circuits QosDropBitsInPerSecond Alert Policy to audit/deploy ExpressRoute Circuits QosDropBitsInPerSecond Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy ExpressRoute Circuits QosDropBitsOutPerSecond Alert Policy to audit/deploy ExpressRoute Circuits QosDropBitsOutPerSecond Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy PDNSZ Capacity Utilization Alert Policy to audit/deploy Private DNS Zone Capacity Utilization Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy PDNSZ Query Volume Alert Policy to audit/deploy Private DNS Zone Query Volume Alert |
disabled deployIfNotExists |
||||||||
| Network |
Deploy PDNSZ Record Set Capacity Alert Policy to audit/deploy Private DNS Zone Record Set Capacity Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy PDNSZ Registration Capacity Utilization Alert Policy to audit/deploy Private DNS Zone Registration Capacity Utilization Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy PIP Bytes in DDoS Attack Alert Policy to audit/deploy PIP Bytes in DDoS Attack Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
|||||||
| Network |
Deploy PIP DDoS Attack Alert Policy to audit/deploy PIP DDoS Attack Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Network |
Deploy PIP Packets in DDoS Attack Alert Policy to audit/deploy PIP Packets in DDoS Attack Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
|||||||
| Network |
Deploy PIP VIP Availability Alert Policy to audit/deploy PIP VIP Availability Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Network |
Deploy VNet DDoS Attack Alert Policy to audit/deploy Virtual Network DDoS Attack Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Network |
Deploy VNetG Egress Packet Drop Count Alert Policy to audit/deploy Vnet Gateway Egress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VNetG Egress Packet Drop Mismatch Alert Policy to audit/deploy Vnet Gateway Egress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VNetG ExpressRoute Bits Per Second Alert Policy to audit/deploy Virtual Network Gateway Express Route Bits Per Second Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VNetG ExpressRoute CPU Utilization Alert Policy to audit/deploy Virtual Network Gateway Express Route CPU Utilization Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VNetG Ingress Packet Drop Count Alert Policy to audit/deploy Vnet Gateway Ingress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VNetG Ingress Packet Drop Mismatch Alert Policy to audit/deploy Vnet Gateway Ingress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VNetG Tunnel Bandwidth Alert Policy to audit/deploy Virtual Network Gateway Tunnel Bandwidth Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VNetG Tunnel Egress Alert Policy to audit/deploy Virtual Network Gateway Tunnel Egress Alert |
disabled deployIfNotExists |
||||||||
| Network |
Deploy VNetG Tunnel Ingress Alert Policy to audit/deploy Virtual Network Gateway Tunnel Ingress Alert |
disabled deployIfNotExists |
||||||||
| Network |
Deploy VPNG BGP Peer Status Alert Policy to audit/deploy VPN Gateway BGP Peer Status Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VPNG Bandwidth Utilization Alert Policy to audit/deploy VPN Gateway Bandwidth Utilization Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VPNG Egress Alert Policy to audit/deploy VPN Gateway Egress Alert |
disabled deployIfNotExists |
||||||||
| Network |
Deploy VPNG Egress Packet Drop Count Alert Policy to audit/deploy VPN Gateway Egress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VPNG Egress Packet Drop Mismatch Alert Policy to audit/deploy VPN Gateway Egress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VPNG Ingress Alert Policy to audit/deploy VPN Gateway Ingress Alert |
disabled deployIfNotExists |
||||||||
| Network |
Deploy VPNG Ingress Packet Drop Count Alert Policy to audit/deploy VPN Gateway Ingress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
| Network |
Deploy VPNG Ingress Packet Drop Mismatch Alert Policy to audit/deploy VPN Gateway Ingress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
| Network |
Enforce specific configuration of Network Security Groups (NSG) This policy enforces the configuration of Network Security Groups (NSG). |
Disabled Modify |
Disabled Modify |
|||||||
| Network |
Enforce specific configuration of User-Defined Routes (UDR) This policy enforces the configuration of User-Defined Routes (UDR) within a subnet. |
Disabled Modify |
Disabled Modify |
|||||||
| Network |
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. |
deny | deny | |||||||
| Network |
Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. |
deny | deny | |||||||
| Network |
Network interfaces should not have public IPs This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. |
deny | deny | |||||||
| Network |
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. |
AuditIfNotExists Disabled |
||||||||
| Network |
Subnets should have a Network Security Group This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
Subnets should have a User Defined Route This policy denies the creation of a subnet without a User Defined Route (UDR). |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
Virtual networks should be protected by Azure DDoS Protection Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. |
Modify Disabled Audit |
Modify Disabled Audit |
|||||||
| Network |
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Network |
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Network |
Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Network |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. |
Deny Disabled Audit |
Deny Disabled Audit |
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Network |
Deploy Activity Log Azure FireWall Delete Alert Policy to Deploy Activity Log Azure Firewall Delete Alert |
ALZMonitorResourceGroupLocation = eastusactivityFWDeleteAlertState = trueALZMonitorResourceGroupName = rg-amba-monitoring-001ALZMonitorResourceGroupTags = {"Project":"amba-monitoring"}
|
||||||||
| Network |
Deploy Activity Log NSG Delete Alert Policy to Deploy Activity Log NSG Delete Alert |
activityNSGDeleteAlertState = true
|
activityNSGDeleteAlertState = true
|
|||||||
| Network |
Deploy Activity Log Route Table Update Alert Policy to Deploy Activity Log Route Table Update Alert |
activityUDRUpdateAlertState = true
|
activityUDRUpdateAlertState = true
|
|||||||
| Network |
Deploy Activity Log VPN Gateway Delete Alert Policy to Deploy Activity Log VPN Gateway Delete Alert |
activityVPNGWDeleteAlertState = true
|
||||||||
| Network |
Deploy AFW FirewallHealth Alert Policy to audit/deploy Azure Firewall FirewallHealth Alert |
FirewallHealthWindowSize = PT5MFirewallHealthThreshold = 90FirewallHealthAlertSeverity = 0FirewallHealthAlertState = trueFirewallHealthEvaluationFrequency = PT1M
|
||||||||
| Network |
Deploy AFW SNATPortUtilization Alert Policy to audit/deploy Azure Firewall SNATPortUtilization Alert |
AFWSNATPortUtilizationWindowSize = PT5MAFWSNATPortUtilizationFrequency = PT1MAFWSNATPortUtilizationAlertState = trueAFWSNATPortUtilizationThreshold = 80AFWSNATPortUtilizationAlertSeverity = 1
|
||||||||
| Network |
Deploy ERG ExpressRoute Bits In Alert Policy to audit/deploy ER Gateway Connection BitsInPerSecond Alert |
ERGwExpressRouteBitsInAlertState = trueERGwExpressRouteBitsInEvaluationFrequency = PT5MERGwExpressRouteBitsInThreshold = 1ERGwExpressRouteBitsInWindowSize = PT5MERGwExpressRouteBitsInAlertSeverity = 0
|
||||||||
| Network |
Deploy ERG ExpressRoute Bits Out Alert Policy to audit/deploy ER Gateway Connection BitsOutPerSecond Alert |
ERGwExpressRouteBitsOutThreshold = 1ERGwExpressRouteBitsOutAlertState = trueERGwExpressRouteBitsOutWindowSize = PT5MERGwExpressRouteBitsOutAlertSeverity = 0ERGwExpressRouteBitsOutEvaluationFrequency = PT5M
|
||||||||
| Network |
Deploy ERG ExpressRoute CPU Utilization Alert Policy to audit/deploy ER Gateway Express Route CPU Utilization Alert |
ERGwExpressRouteCpuUtilWindowSize = PT5MERGwExpressRouteCpuUtilEvaluationFrequency = PT1MERGwExpressRouteCpuUtilAlertSeverity = 1ERGwExpressRouteCpuUtilThreshold = 80ERGwExpressRouteCpuUtilAlertState = true
|
||||||||
| Network |
Deploy ExpressRoute Circuits Arp Availability Alert Policy to audit/deploy ExpressRoute Circuits Arp Availability Alert |
ERCIRArpAvailabilityWindowSize = PT5MERCIRArpAvailabilityFrequency = PT1MERCIRArpAvailabilityAlertSeverity = 0ERCIRArpAvailabilityAlertState = trueERCIRArpAvailabilityThreshold = 90
|
||||||||
| Network |
Deploy ExpressRoute Circuits Bgp Availability Alert Policy to audit/deploy ExpressRoute Circuits Bgp Availability Alert |
ERCIRBgpAvailabilityEvaluationFrequency = PT1MERCIRBgpAvailabilityThreshold = 90ERCIRBgpAvailabilityWindowSize = PT5MERCIRBgpAvailabilityAlertSeverity = 0ERCIRBgpAvailabilityAlertState = true
|
||||||||
| Network |
Deploy ExpressRoute Circuits QosDropBitsInPerSecond Alert Policy to audit/deploy ExpressRoute Circuits QosDropBitsInPerSecond Alert |
ERCIRQoSDropBitsinPerSecFailingPeriods = 2ERCIRQoSDropBitsinPerSecEvaluationFrequ... = PT5MERCIRQoSDropBitsinPerSecWindowSize = PT5MALZMonitorDisableTagValues = ["true", "Test", "Dev", "Sandbox"]ERCIRQoSDropBitsinPerSecAlertState = trueERCIRQoSDropBitsinPerSecEvaluationPeriods = 2ERCIRQoSDropBitsinPerSecAlertSeverity = 2ALZMonitorDisableTagName = MonitorDisable
|
||||||||
| Network |
Deploy ExpressRoute Circuits QosDropBitsOutPerSecond Alert Policy to audit/deploy ExpressRoute Circuits QosDropBitsOutPerSecond Alert |
ERCIRQoSDropBitsoutPerSecEvaluationFreq... = PT5MERCIRQoSDropBitsoutPerSecFailingPeriods = 2ERCIRQoSDropBitsoutPerSecEvaluationPeriods = 2ERCIRQoSDropBitsoutPerSecAlertSeverity = 2ERCIRQoSDropBitsoutPerSecAlertState = trueERCIRQoSDropBitsoutPerSecWindowSize = PT5M
|
||||||||
| Network |
Deploy PDNSZ Capacity Utilization Alert Policy to audit/deploy Private DNS Zone Capacity Utilization Alert |
PDNSZCapacityUtilAlertSeverity = 2PDNSZCapacityUtilAlertState = truePDNSZCapacityUtilThreshold = 80PDNSZCapacityUtilWindowSize = PT1HPDNSZCapacityUtilEvaluationFrequency = PT1H
|
||||||||
| Network |
Deploy PDNSZ Query Volume Alert Policy to audit/deploy Private DNS Zone Query Volume Alert |
PDNSZQueryVolumeAlertSeverity = 4PDNSZQueryVolumeThreshold = 500PDNSZQueryVolumeEvaluationFrequency = PT1HPDNSZQueryVolumeWindowSize = PT1HPDNSZQueryVolumeAlertState = true
|
||||||||
| Network |
Deploy PDNSZ Record Set Capacity Alert Policy to audit/deploy Private DNS Zone Record Set Capacity Alert |
PDNSZRecordSetCapacityAlertState = truePDNSZRecordSetCapacityEvaluationFrequency = PT1HPDNSZRecordSetCapacityWindowSize = PT1HPDNSZRecordSetCapacityAlertSeverity = 2PDNSZRecordSetCapacityThreshold = 80
|
||||||||
| Network |
Deploy PDNSZ Registration Capacity Utilization Alert Policy to audit/deploy Private DNS Zone Registration Capacity Utilization Alert |
PDNSZRegistrationCapacityUtilEvaluation... = PT1HPDNSZRegistrationCapacityUtilAlertSeverity = 2PDNSZRegistrationCapacityUtilWindowSize = PT1HPDNSZRegistrationCapacityUtilThreshold = 80PDNSZRegistrationCapacityUtilAlertState = true
|
||||||||
| Network |
Deploy PIP Bytes in DDoS Attack Alert Policy to audit/deploy PIP Bytes in DDoS Attack Alert |
PIPBytesInDDoSThreshold = 8000000PIPBytesInDDoSAlertState = truePIPBytesInDDoSAlertSeverity = 4PIPBytesInDDoSWindowSize = PT5MPIPBytesInDDoSEvaluationFrequency = PT5M
|
PIPBytesInDDoSThreshold = 8000000PIPBytesInDDoSAlertState = truePIPBytesInDDoSAlertSeverity = 4PIPBytesInDDoSWindowSize = PT5MPIPBytesInDDoSEvaluationFrequency = PT5M
|
|||||||
| Network |
Deploy PIP DDoS Attack Alert Policy to audit/deploy PIP DDoS Attack Alert |
PIPDDoSAttackAlertState = truePIPDDoSAttackAlertSeverity = 1PIPDDoSAttackEvaluationFrequency = PT5MPIPDDoSAttackThreshold = 0PIPDDoSAttackWindowSize = PT5M
|
PIPDDoSAttackAlertState = truePIPDDoSAttackAlertSeverity = 1PIPDDoSAttackEvaluationFrequency = PT5MPIPDDoSAttackThreshold = 0PIPDDoSAttackWindowSize = PT5M
|
|||||||
| Network |
Deploy PIP Packets in DDoS Attack Alert Policy to audit/deploy PIP Packets in DDoS Attack Alert |
PIPPacketsInDDoSAlertSeverity = 4PIPPacketsInDDoSThreshold = 40000PIPPacketsInDDoSWindowSize = PT5MPIPPacketsInDDoSEvaluationFrequency = PT5MPIPPacketsInDDoSAlertState = true
|
PIPPacketsInDDoSAlertSeverity = 4PIPPacketsInDDoSThreshold = 40000PIPPacketsInDDoSWindowSize = PT5MPIPPacketsInDDoSEvaluationFrequency = PT5MPIPPacketsInDDoSAlertState = true
|
|||||||
| Network |
Deploy PIP VIP Availability Alert Policy to audit/deploy PIP VIP Availability Alert |
PIPVIPAvailabilityWindowSize = PT5MPIPVIPAvailabilityAlertSeverity = 1PIPVIPAvailabilityEvaluationFrequency = PT1MPIPVIPAvailabilityAlertState = truePIPVIPAvailabilityThreshold = 1
|
PIPVIPAvailabilityWindowSize = PT5MPIPVIPAvailabilityAlertSeverity = 1PIPVIPAvailabilityEvaluationFrequency = PT1MPIPVIPAvailabilityAlertState = truePIPVIPAvailabilityThreshold = 1
|
|||||||
| Network |
Deploy VNet DDoS Attack Alert Policy to audit/deploy Virtual Network DDoS Attack Alert |
VNETDDOSAttackEvaluationFrequency = PT1MVNETDDOSAttackAlertSeverity = 1VNETDDOSAttackWindowSize = PT5MVNETDDOSAttackThreshold = 1VNETDDOSAttackAlertState = true
|
VNETDDOSAttackEvaluationFrequency = PT1MVNETDDOSAttackAlertSeverity = 1VNETDDOSAttackWindowSize = PT5MVNETDDOSAttackThreshold = 1VNETDDOSAttackAlertState = true
|
|||||||
| Network |
Deploy VNetG Egress Packet Drop Count Alert Policy to audit/deploy Vnet Gateway Egress Packet Drop Count Alert |
VnetGwTunnelEgressPacketDropCountEvalua... = 4VnetGwTunnelEgressPacketDropCountAlertS... = 1VnetGwTunnelEgressPacketDropCountFailin... = 4VnetGwTunnelEgressPacketDropCountEvalua... = PT5MVnetGwTunnelEgressPacketDropCountWindow... = PT5MVnetGwTunnelEgressPacketDropCountAlertS... = true
|
||||||||
| Network |
Deploy VNetG Egress Packet Drop Mismatch Alert Policy to audit/deploy Vnet Gateway Egress Packet Drop Mismatch Alert |
VnetGwTunnelEgressPacketDropMismatchEva... = PT5MVnetGwTunnelEgressPacketDropMismatchEva... = 4VnetGwTunnelEgressPacketDropMismatchAle... = trueVnetGwTunnelEgressPacketDropMismatchWin... = PT5MVnetGwTunnelEgressPacketDropMismatchFai... = 4VnetGwTunnelEgressPacketDropMismatchAle... = 3
|
||||||||
| Network |
Deploy VNetG ExpressRoute Bits Per Second Alert Policy to audit/deploy Virtual Network Gateway Express Route Bits Per Second Alert |
VnetGwExpressRouteBitsPerSecondAlertState = trueVnetGwExpressRouteBitsPerSecondEvaluati... = PT1MVnetGwExpressRouteBitsPerSecondAlertSev... = 0VnetGwExpressRouteBitsPerSecondThreshold = 1VnetGwExpressRouteBitsPerSecondWindowSize = PT5M
|
||||||||
| Network |
Deploy VNetG ExpressRoute CPU Utilization Alert Policy to audit/deploy Virtual Network Gateway Express Route CPU Utilization Alert |
VnetGwERCpuUtilAlertState = trueVnetGwERCpuUtilEvaluationFrequency = PT1MVnetGwERCpuUtilWindowSize = PT5MVnetGwERCpuUtilThreshold = 80VnetGwERCpuUtilAlertSeverity = 3
|
||||||||
| Network |
Deploy VNetG Ingress Packet Drop Count Alert Policy to audit/deploy Vnet Gateway Ingress Packet Drop Count Alert |
VnetGwTunnelIngressPacketDropCountFaili... = 4VnetGwTunnelIngressPacketDropCountAlert... = trueVnetGwTunnelIngressPacketDropCountAlert... = 3VnetGwTunnelIngressPacketDropCountEvalu... = PT5MVnetGwTunnelIngressPacketDropCountWindo... = PT5MVnetGwTunnelIngressPacketDropCountEvalu... = 4
|
||||||||
| Network |
Deploy VNetG Ingress Packet Drop Mismatch Alert Policy to audit/deploy Vnet Gateway Ingress Packet Drop Mismatch Alert |
VnetGwTunnelIngressPacketDropMismatchWi... = PT5MVnetGwTunnelIngressPacketDropMismatchAl... = 3VnetGwTunnelIngressPacketDropMismatchAl... = trueVnetGwTunnelIngressPacketDropMismatchEv... = PT5MVnetGwTunnelIngressPacketDropMismatchEv... = 4VnetGwTunnelIngressPacketDropMismatchFa... = 4
|
||||||||
| Network |
Deploy VNetG Tunnel Bandwidth Alert Policy to audit/deploy Virtual Network Gateway Tunnel Bandwidth Alert |
VnetGwTunnelBWEvaluationFrequency = PT1MVnetGwTunnelBWAlertSeverity = 0VnetGwTunnelBWThreshold = 1VnetGwTunnelBWAlertState = trueVnetGwTunnelBWWindowSize = PT5M
|
||||||||
| Network |
Deploy VNetG Tunnel Egress Alert Policy to audit/deploy Virtual Network Gateway Tunnel Egress Alert |
VnetGwTunnelEgressAlertSeverity = 0VnetGwTunnelEgressThreshold = 1VnetGwTunnelEgressWindowSize = PT5MVnetGwTunnelEgressEvaluationFrequency = PT5MVnetGwTunnelEgressAlertState = true
|
||||||||
| Network |
Deploy VNetG Tunnel Ingress Alert Policy to audit/deploy Virtual Network Gateway Tunnel Ingress Alert |
VnetGwTunnelIngressAlertSeverity = 0VnetGwTunnelIngressEvaluationFrequency = PT5MVnetGwTunnelIngressAlertState = trueVnetGwTunnelIngressThreshold = 1VnetGwTunnelIngressWindowSize = PT5M
|
||||||||
| Network |
Deploy VPNG BGP Peer Status Alert Policy to audit/deploy VPN Gateway BGP Peer Status Alert |
VPNGwBGPPeerStatusThreshold = 1VPNGwBGPPeerStatusAlertState = trueVPNGwBGPPeerStatusEvaluationFrequency = PT5MVPNGwBGPPeerStatusWindowSize = PT5MVPNGwBGPPeerStatusAlertSeverity = 3
|
||||||||
| Network |
Deploy VPNG Bandwidth Utilization Alert Policy to audit/deploy VPN Gateway Bandwidth Utilization Alert |
VPNGWBandWidthUtilAlertState = trueVPNGWBandWidthUtilThreshold = 1VPNGWBandWidthUtilEvaluationFrequency = PT5MVPNGWBandWidthUtilWindowSize = PT5MVPNGWBandWidthUtilAlertSeverity = 0
|
||||||||
| Network |
Deploy VPNG Egress Alert Policy to audit/deploy VPN Gateway Egress Alert |
VPNGWEgressWindowSize = PT5MVPNGWEgressEvaluationFrequency = PT5MVPNGWEgressThreshold = 1VPNGWEgressAlertSeverity = 0VPNGWEgressAlertState = true
|
||||||||
| Network |
Deploy VPNG Egress Packet Drop Count Alert Policy to audit/deploy VPN Gateway Egress Packet Drop Count Alert |
VPNGWTunnelEgressPacketDropCountAlertSe... = 3VPNGWTunnelEgressPacketDropCountWindowSize = PT5MVPNGWTunnelEgressPacketDropCountAlertState = trueVPNGWTunnelEgressPacketDropCountEvaluat... = 2VPNGWTunnelEgressPacketDropCountFailing... = 2VPNGWTunnelEgressPacketDropCountFrequency = PT5M
|
||||||||
| Network |
Deploy VPNG Egress Packet Drop Mismatch Alert Policy to audit/deploy VPN Gateway Egress Packet Drop Mismatch Alert |
VPNGWTunnelEgressPacketDropMismatchFail... = 2VPNGWTunnelEgressPacketDropMismatchAler... = trueVPNGWTunnelEgressPacketDropMismatchEval... = 2VPNGWTunnelEgressPacketDropMismatchWind... = PT5MVPNGWTunnelEgressPacketDropMismatchAler... = 3VPNGWTunnelEgressPacketDropMismatchFreq... = PT5M
|
||||||||
| Network |
Deploy VPNG Ingress Alert Policy to audit/deploy VPN Gateway Ingress Alert |
VPNGWIngressThreshold = 1VPNGWIngressEvaluationFrequency = PT5MVPNGWIngressWindowSize = PT5MVPNGWIngressAlertState = trueVPNGWIngressAlertSeverity = 0VPNGWIngressAutoMitigate = true
|
||||||||
| Network |
Deploy VPNG Ingress Packet Drop Count Alert Policy to audit/deploy VPN Gateway Ingress Packet Drop Count Alert |
VPNGWTunnelIngressPacketDropCountFailin... = 4VPNGWTunnelIngressPacketDropCountEvalua... = 4VPNGWTunnelIngressPacketDropCountAlertS... = 3VPNGWTunnelIngressPacketDropCountAlertS... = trueVPNGWTunnelIngressPacketDropCountWindow... = PT5MVPNGWTunnelIngressPacketDropCountFrequency = PT5M
|
||||||||
| Network |
Deploy VPNG Ingress Packet Drop Mismatch Alert Policy to audit/deploy VPN Gateway Ingress Packet Drop Mismatch Alert |
VPNGWTunnelIngressPacketDropMismatchAle... = trueVPNGWTunnelIngressPacketDropMismatchWin... = PT5MVPNGWTunnelIngressPacketDropMismatchAle... = 3VPNGWTunnelIngressPacketDropMismatchEva... = 4VPNGWTunnelIngressPacketDropMismatchFai... = 4VPNGWTunnelIngressPacketDropMismatchFre... = PT5M
|
||||||||
| Network |
Enforce specific configuration of Network Security Groups (NSG) This policy enforces the configuration of Network Security Groups (NSG). |
modifyNsgRulePriority = 1000modifyNsgRuleName = DenyAnyInternetOutboundmodifyNsgRuleDirection = OutboundmodifyNsgRuleProtocol = *modifyNsgRuleDestinationPortRange = *modifyNsgRuleSourcePortRange = *modifyNsgRuleAccess = DenymodifyNsgRuleDescription = Deny any outbound traffic to the InternetmodifyNsgRuleSourceAddressPrefix = *modifyNsgRuleDestinationAddressPrefix = Internet
|
modifyNsgRulePriority = 1000modifyNsgRuleName = DenyAnyInternetOutboundmodifyNsgRuleDirection = OutboundmodifyNsgRuleProtocol = *modifyNsgRuleDestinationPortRange = *modifyNsgRuleSourcePortRange = *modifyNsgRuleAccess = DenymodifyNsgRuleDescription = Deny any outbound traffic to the InternetmodifyNsgRuleSourceAddressPrefix = *modifyNsgRuleDestinationAddressPrefix = Internet
|
|||||||
| Network |
Enforce specific configuration of User-Defined Routes (UDR) This policy enforces the configuration of User-Defined Routes (UDR) within a subnet. |
modifyUdrAddressPrefix = 0.0.0.0/0modifyUdrNextHopIpAddress = `` modifyUdrNextHopType = None
|
modifyUdrAddressPrefix = 0.0.0.0/0modifyUdrNextHopIpAddress = `` modifyUdrNextHopType = None
|
|||||||
| Network |
Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. |
denyMgmtFromInternetPorts = ["22", "3389"]
|
denyMgmtFromInternetPorts = ["22", "3389"]
|
|||||||
| Network |
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. |
networkWatcherShouldBeEnabledResourceGr... = NetworkWatcherRG
|
||||||||
| Network |
Virtual networks should be protected by Azure DDoS Protection Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. |
ddosPlanResourceId = `` | ddosPlanResourceId = `` | |||||||
| Network |
Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. |
wafModeAppGwRequirement = Prevention
|
wafModeAppGwRequirement = Prevention
|
|||||||
| Network |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. |
wafModeRequirement = Prevention
|
wafModeRequirement = Prevention
|