Audit all VMs that Don’t Have Network Security Group Associated

When a Network Security Group (NSG) is associated with a subnet, the Access Control List (ACL) rules apply to all the VM instances and integrated services in that subnet. But how do you audit whether your VMs have an NSG associated with their subnet rather than only with a network interface?

In this article, we will share with you how to audit all VMs that don’t have Network Security Group (NSG) associated with the subnet they’re in.

Introduction

Azure Network Security Group (NSG) can help you limit network traffic to resources in a virtual network. NSG allows you to create rules (ACLs) at the desired level of granularity: network interfaces, individual VMs, or virtual subnets. You can control access by permitting or denying communication between the workloads within a virtual network, from systems on your network(s) via cross-premises connectivity, or direct Internet communication. Each network interface has zero, or one, associated network security group. Each network interface exists in a virtual network subnet. A subnet can also have zero, or one, associated network security group.

If you’re using Microsoft Defender for Cloud (MDC), there is already a built-in Azure Policy definition, based on the default Azure Security Benchmark (V3), that requires a network security group (NSG) to be associated at the subnet level as well as at the network interface in order to pass the security recommendation shown in the figure below.

Subnets should be associated with a network security group

Based on the Azure Security Benchmark (ASB) policy, when an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but they don’t apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, you need to associate an NSG directly with the resources as well.

Unless you have a specific reason to, Microsoft recommends that you associate a network security group to a subnet or a network interface, but not both. Since rules in a network security group associated with a subnet can conflict with rules in a network security group associated with a network interface, you can have unexpected communication problems that require troubleshooting.

Network security group attached to a subnet

As a side note, how is traffic evaluated when a network security group is associated with a subnet or a network interface?

[IN] For inbound traffic: Azure processes the rules in a network security group associated with a subnet first, if there is one, and then the rules in a network security group associated with the network interface if there is one.

[OUT] For outbound traffic: Azure processes the rules in a network security group associated with a network interface first, if there is one, and then the rules in a network security group associated with the subnet if there is one.
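To see this evaluation order for a real network interface, the following PowerShell function (an added example, not part of the original article’s tool) pulls the effective rules with Get-AzEffectiveNetworkSecurityGroup and tags each rule with the stage at which Azure processes it for its direction: stage 1 is the subnet NSG for inbound and the network-interface NSG for outbound, stage 2 is the other one. The resource group and network interface names are placeholders, and the VM must be running for effective rules to be returned.

```powershell
# Added example, not part of the original script: list the effective NSG rules for one
# network interface in the order Azure evaluates them (see the [IN]/[OUT] notes above).
# Assumes the Az.Network module is installed and you are already connected with Connect-AzAccount.
# Effective rules are only available for a NIC attached to a running VM.
function Get-NsgEvaluationOrder {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $NetworkInterfaceName
    )

    # One entry per NSG that applies to this NIC (subnet-level and/or NIC-level)
    $effective = Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $ResourceGroupName `
                    -NetworkInterfaceName $NetworkInterfaceName

    foreach ($nsg in $effective) {
        # Association tells us where this NSG is attached
        $scope = if ($nsg.Association.Subnet) { 'Subnet' } else { 'NetworkInterface' }

        foreach ($rule in $nsg.EffectiveSecurityRules) {
            # Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet NSG.
            $stage = switch ("$($rule.Direction)/$scope") {
                'Inbound/Subnet'            { 1 }
                'Inbound/NetworkInterface'  { 2 }
                'Outbound/NetworkInterface' { 1 }
                'Outbound/Subnet'           { 2 }
            }

            [pscustomobject]@{
                Direction = $rule.Direction
                Stage     = $stage
                Scope     = $scope
                NSG       = ($nsg.NetworkSecurityGroup.Id -split '/')[-1]
                Priority  = $rule.Priority
                Rule      = $rule.Name
                Access    = $rule.Access
                Protocol  = $rule.Protocol
                DstPorts  = ($rule.DestinationPortRange -join ',')
                Source    = ($rule.SourceAddressPrefix -join ',')
            }
        }
    }
}

# Placeholder names: replace with a resource group and NIC from your own subscription
Get-NsgEvaluationOrder -ResourceGroupName 'rg-placeholder' -NetworkInterfaceName 'nic-placeholder' |
    Sort-Object Direction, Stage, Priority |
    Format-Table -AutoSize
```

Reading the table top to bottom per direction gives the order in which a packet meets the rules; a Deny at stage 1 is final, because the stage 2 NSG is never consulted for that flow. This is also the quickest way to spot the conflicts between subnet-level and NIC-level rules that the next paragraph warns about.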

A recent reader reached out and asked for a PowerShell script to audit all virtual machines that don’t have an NSG associated with their subnet.

Network security group attached to a network interface

After a quick look, I have developed a handy tool that will automate the entire process for you.

In this article, we will share with you a PowerShell tool that will help you to get a list of all VMs in all Azure subscriptions that don’t have Network Security Group (NSG) associated with their subnet.

Prerequisites

To run this tool, you need to have the following:

1) An Azure subscription. If you don’t have an Azure subscription, you can create a free one here.

2) One or more virtual machines deployed in your subscription.

3) The Azure PowerShell (Az module) is installed locally on your machine. You can use the following PowerShell command to install and update the “Az module”.

# Make sure you have the latest version of PowerShellGet installed
Install-Module -Name PowerShellGet -Force

# Install and update to the latest Az PowerShell module
Install-Module -Name Az -AllowClobber -Force

Assuming you have all the prerequisites in place, run the following PowerShell tool.

Audit all VMs without NSG

Here is the PowerShell tool that will do the job for you:

<#
.Synopsis
A script used to get a list of all VMs that don't have NSG associated.

.DESCRIPTION
A script used to get a list of all VMs in all your Azure Subscriptions that don't have Network Security Group (NSG) associated with the subnet they're in.
Finally, it will export the report into a csv file locally in your machine.

.Notes
Created   : 01-April-2022
Updated   : 01-April-2022
Version   : 1.0
Author    : Charbel Nemnom
Twitter   : @CharbelNemnom
Blog      : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

#! Login with Connect-AzAccount if NOT using Cloud Shell
#! Check Azure Connection
Try {
    Write-Verbose "Connecting to Azure Cloud..."
    Connect-AzAccount -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
}
Catch {
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!"
    Exit
}

#! Get all enabled subscriptions for the signed-in account
$azSubs = Get-AzSubscription | Where-Object {$_.State -ne "Disabled"}

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null
    $azSubName = $azSub.Name

    #! Get all VMs in the current subscription
    $azVMs = Get-AzVM

    foreach ($azVM in $azVMs) {
        #! A VM can have more than one network interface; check each of them
        $nics = $azVM.NetworkProfile.NetworkInterfaces
        foreach ($nic in $nics) {
            #! NIC ID format: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/<name>
            $nicIdParts       = $nic.Id -split '/'
            $networkinterface = $nicIdParts[-1]
            $nicResourceGroup = $nicIdParts[-5]
            $nicdetails = Get-AzNetworkInterface -Name $networkinterface -ResourceGroupName $nicResourceGroup

            #! Subnet ID format: .../resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
            #! Use the primary IP configuration; all IP configurations of a NIC live in the same subnet
            $subnetIdParts     = $nicdetails.IpConfigurations[0].Subnet.Id -split '/'
            $vNETName          = $subnetIdParts[-3]
            $subnetName        = $subnetIdParts[-1]
            $vNETResourceGroup = $subnetIdParts[-7]

            #! The vNET may live in a different resource group than the VM, so resolve it from the subnet ID
            $virtualNetwork = Get-AzVirtualNetwork -Name $vNETName -ResourceGroupName $vNETResourceGroup
            $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $virtualNetwork

            #! Flag the VM when no NSG is associated at the subnet level (a NIC-level NSG alone does not count here)
            if (!$subnet.NetworkSecurityGroup) {
                $vmNIC = [pscustomobject]@{
                    'Azure VMName'           = $azVM.Name
                    'Resource Group Name'    = $azVM.ResourceGroupName
                    'Location'               = $azVM.Location
                    'Subscription'           = $azSubName
                    'Network Interface Name' = $networkinterface
                    'vNET Name'              = $vNETName
                    'Subnet Name'            = $subnetName
                    'Network Security Group' = "NSG is not associated with the Subnet: $subnetName"
                }

                #! Append one row per flagged network interface to the CSV report
                $vmNIC | Export-Csv -Path ".\Azure-VM-Nsg.csv" -Append -NoTypeInformation -Force
            }
        }
    }
}

This tool will perform the following steps:

  • Connect to Azure if you are not using Cloud Shell.
  • Get the list of all enabled Azure subscriptions.
  • Get the list of all Azure VMs in each subscription.
  • Get the list of all network interfaces that are attached to each VM.
  • For each network interface, look up the subnet it is attached to and check whether an NSG is associated at the subnet level.
  • If the subnet has no NSG (even when one is associated with the network interface instead), the tool will flag the VM as unhealthy and add it to the report.

Here is the final report in CSV format:

Audit all VMs that don’t have Network Security Group associated

There’s more…

For small to medium deployments, you could use Azure PowerShell or the CLI as described in this article. However, it is not a good idea to do this at a large scale.

Azure Resource Manager (ARM) will throttle requests at 12k/h. The Microsoft Network resource provider will throttle at 10k reads per 5 min. Since the tool issues several read requests per VM, iterating this way lets you cover only a small batch of resources before you are throttled, and the run takes a very long time.

For large-scale deployment, it’s recommended to use the Azure Resource Graph (ARG) instead to audit all VMs that don’t have Network Security Group (NSG) associated with their subnet.

I will update this article as soon as I develop the resource graph query to audit large deployments.
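As an added illustration of the Resource Graph approach recommended above (this is not the author’s forthcoming query and is not part of the original article), the following PowerShell function runs a single KQL query that joins every VM-attached network interface to its subnet and keeps only the subnets with no NSG reference. One query replaces the per-VM, per-NIC, per-vNET ARM calls, so the throttling limits above no longer apply. It assumes the Az.ResourceGraph module is installed and that you are connected with Connect-AzAccount; the output file name is my choice.

```powershell
# Added example, not part of the original article: audit VMs whose subnet has no NSG with
# one Azure Resource Graph query instead of per-resource ARM calls.
# Assumes the Az.ResourceGraph module is installed and you are connected with Connect-AzAccount.
function Get-VmWithoutSubnetNsg {
    # Resource IDs are lower-cased on both sides of the join because casing of the
    # "resourceGroups"/"resourcegroups" segment is not consistent across references.
    $query = @'
resources
| where type =~ 'microsoft.network/networkinterfaces'
| where isnotempty(properties.virtualMachine.id)
| mv-expand ipconfig = properties.ipConfigurations
| project nicName = name, subscriptionId, resourceGroup,
          vmId     = tolower(tostring(properties.virtualMachine.id)),
          subnetId = tolower(tostring(ipconfig.properties.subnet.id))
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.network/virtualnetworks'
    | mv-expand subnet = properties.subnets
    | project subnetId    = tolower(tostring(subnet.id)),
              subnetNsgId = tostring(subnet.properties.networkSecurityGroup.id)
  ) on subnetId
| where isempty(subnetNsgId)
| project vmName     = tostring(split(vmId, '/')[8]),
          resourceGroup, subscriptionId, nicName,
          vnetName   = tostring(split(subnetId, '/')[8]),
          subnetName = tostring(split(subnetId, '/')[10])
| order by subscriptionId asc, vmName asc
'@

    # Resource Graph returns at most 1000 rows per call; follow the skip token to get the rest.
    $skipToken = $null
    do {
        $params = @{ Query = $query; First = 1000 }
        if ($skipToken) { $params.SkipToken = $skipToken }
        $page = Search-AzGraph @params
        $page
        $skipToken = $page.SkipToken
    } while ($skipToken)
}

# Same report shape as the PowerShell tool above, produced from a single query
Get-VmWithoutSubnetNsg | Export-Csv -Path '.\Azure-VM-Nsg-Graph.csv' -NoTypeInformation
```

The query runs across every subscription the signed-in account can read, so there is no need to loop over subscriptions or switch contexts. Because it reports on the subnet reference held by the virtual network, a VM whose NIC carries its own NSG but sits in a subnet without one is still listed, which matches the behaviour of the PowerShell tool above.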

Summary

In this article, we showed you how to get a list of all VMs in all Azure subscriptions that don’t have Network Security Group associated with the subnet they’re in using Azure PowerShell.

> Learn more: check how to harden Azure virtual machines.

> Learn more: check how to audit subnets that do not have a Network Security Group associated with Azure Policy.

This is version 1.0 of this tool. Do you want additional features? Please feel free to leave a comment below.

That’s it, there you have it!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
