azure_network_security_group Resource
Use the azure_network_security_group InSpec audit resource to test the properties of an Azure Network Security group.
Azure REST API Version, Endpoint, and HTTP Client Parameters
This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.
Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.
Installation
This resource is available in the Chef InSpec Azure resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your Azure environment for InSpec and creating an InSpec profile that uses the InSpec Azure resource pack.
Syntax
An azure_network_security_group resource block identifies a Network Security group by name and resource_group, or by its resource_id.

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should exist }
end

describe azure_network_security_group(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}') do
  it { should exist }
end
Parameters
resource_group
- Azure resource group where the targeted resource resides.
name
- Name of the Azure resource to test.
resource_id
- The unique resource ID, in the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}.
resource_data
- In-memory cached Azure Network Security group data. Passing data to this parameter can improve performance, since it avoids repeated network calls for the same Azure resource. When provided, the values are bound directly to the resource. Data passed to resource_data could be stale; it is the user's responsibility to refresh it.
Provide one of the following parameter sets for a valid query:
- resource_id
- resource_group and name
- resource_data
Properties
security_rules
- The set of security rules.
default_security_rules
- The set of default security rules.
allow_ssh_from_internet*
- A boolean value determined by analysing the security rules and default security rules for unrestricted SSH (port 22) access from the internet.
  it { should_not allow_ssh_from_internet }
allow_rdp_from_internet*
- A boolean value determined by analysing the security rules and default security rules for unrestricted RDP (port 3389) access from the internet.
  it { should_not allow_rdp_from_internet }
allow_port_from_internet*
- A boolean value determined by analysing the security rules and default security rules for unrestricted access from the internet to the specified port.
  it { should_not allow_port_from_internet('443') }
allow?**
- Indicates whether traffic matching the provided criteria is allowed by the security rules, including the default ones. The direction criterion is required.
  it { should allow(source_ip_range: '10.0.0.0/24', direction: 'inbound') }
allowed?**
- Alias for allow?.
  it { should be_allowed(source_ip_range: '10.0.0.0/24', direction: 'inbound') }
allow_in?**
- Indicates whether inbound traffic matching the provided criteria is allowed by the inbound security rules, including the default ones.
  it { should_not allow_in(service_tag: 'Internet') }
allowed_in?**
- Alias for allow_in?.
  it { should_not be_allowed_in(service_tag: 'Internet') }
allow_out?**
- Indicates whether outbound traffic matching the provided criteria is allowed by the outbound security rules, including the default ones.
  it { should_not allow_out(service_tag: 'Internet') }
allowed_out?**
- Alias for allow_out?.
  it { should_not be_allowed_out(service_tag: 'Internet') }
* allow_ssh_from_internet, allow_rdp_from_internet, and allow_port_from_internet evaluate the rules without comparing the priorities of conflicting security rules, so a matching allow rule is reported even when a higher-priority deny rule actually blocks the traffic. It is therefore recommended to use the allow, allow_in, or allow_out properties, which take rule priorities into account.
** These methods match criteria against the rule definitions literally. For example, if a network security group has a single security rule that allows all traffic from the internet by using the Internet service tag as the source, the test allow_in(ip_range: '64.233.160.0') fails because the source definitions are incompatible: the InSpec Azure resource pack has no control over, and does not expand, the IP ranges Azure assigns to a service tag. Tests using these methods should therefore be written explicitly for service tags or for IP ranges, matching how the rules themselves are defined. For more information about network security groups and security rules, refer to the Azure documentation.
The ip_range criterion used in these methods supports IPv4 and IPv6 and should be written in CIDR notation.
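The two footnotes above are easier to see on concrete rules. The following is an added example written for this page, not code from the InSpec Azure resource pack: a small stand-alone Ruby model of how Azure evaluates NSG rules (the matching rule with the lowest priority number decides), run against constructed rule data. The rule set, the criteria constants and the functions naive_allow? and effective_allow? are all hypothetical, and the rule hash layout is simplified from what the security_rules and default_security_rules properties return. naive_allow? stands in for a priority-blind check of the kind the first footnote warns about; effective_allow? shows what a priority-aware check returns instead; and the CIDR case shows why a CIDR criterion never matches a rule written with a service tag.

```ruby
# Added example, not code from the InSpec Azure resource pack. Models Azure NSG
# evaluation (lowest priority number wins) over constructed rules to show how a
# priority-blind check and a priority-aware check can disagree.
require 'ipaddr'

# Constructed sample rules, simplified from the shape of security_rules and
# default_security_rules. A Deny for SSH from Internet (priority 100) sits above a
# broad Allow from Internet (priority 200); a CIDR-scoped bastion Allow follows; the
# last three mirror Azure's default inbound rules.
SAMPLE_RULES = [
  { name: 'DenySSHFromInternet', priority: 100, direction: 'Inbound', access: 'Deny',
    protocol: 'Tcp', source: 'Internet', dest_ports: ['22'] },
  { name: 'AllowBastionSSH', priority: 110, direction: 'Inbound', access: 'Allow',
    protocol: 'Tcp', source: '10.0.1.0/24', dest_ports: ['22'] },
  { name: 'AllowAllFromInternet', priority: 200, direction: 'Inbound', access: 'Allow',
    protocol: '*', source: 'Internet', dest_ports: ['*'] },
  { name: 'AllowVnetInBound', priority: 65_000, direction: 'Inbound', access: 'Allow',
    protocol: '*', source: 'VirtualNetwork', dest_ports: ['*'] },
  { name: 'AllowAzureLoadBalancerInBound', priority: 65_001, direction: 'Inbound', access: 'Allow',
    protocol: '*', source: 'AzureLoadBalancer', dest_ports: ['*'] },
  { name: 'DenyAllInBound', priority: 65_500, direction: 'Inbound', access: 'Deny',
    protocol: '*', source: '*', dest_ports: ['*'] },
].freeze

# True when one of the rule's port specs ('22', '56-78' or '*') covers `port`.
def port_match?(rule_ports, port)
  rule_ports.any? do |spec|
    next true if spec == '*'
    lo, hi = spec.split('-').map(&:to_i)
    (lo..(hi || lo)).cover?(port.to_i)
  end
end

# A CIDR rule source covers the requested CIDR. Service tags ('Internet',
# 'VirtualNetwork', ...) are not addresses and are deliberately not expanded here,
# which is why a CIDR criterion does not match a service-tag rule.
def cidr_covers?(rule_source, ip_range)
  IPAddr.new(rule_source).include?(IPAddr.new(ip_range))
rescue IPAddr::InvalidAddressError
  false
end

def source_match?(rule_source, criteria)
  return true if rule_source == '*'
  return rule_source == criteria[:service_tag] if criteria[:service_tag]
  return cidr_covers?(rule_source, criteria[:ip_range]) if criteria[:ip_range]
  true # no source constraint requested
end

def rule_matches?(rule, criteria)
  return false unless rule[:direction].casecmp?(criteria[:direction])
  return false unless rule[:protocol] == '*' || criteria[:protocol].nil? ||
                      rule[:protocol].casecmp?(criteria[:protocol])
  return false unless criteria[:destination_port].nil? ||
                      port_match?(rule[:dest_ports], criteria[:destination_port])
  source_match?(rule[:source], criteria)
end

# Priority-blind check: "does any Allow rule match?" This is the kind of evaluation
# the first footnote warns about; it is a hypothetical stand-in, not the pack's code.
def naive_allow?(rules, criteria)
  rules.any? { |r| r[:access] == 'Allow' && rule_matches?(r, criteria) }
end

# Priority-aware check: the matching rule with the lowest priority number decides,
# as Azure does. Default rules (65000+) only apply when nothing above them matches.
def effective_allow?(rules, criteria)
  winner = rules.select { |r| rule_matches?(r, criteria) }.min_by { |r| r[:priority] }
  !winner.nil? && winner[:access] == 'Allow'
end

SSH_FROM_INTERNET   = { direction: 'inbound', service_tag: 'Internet', destination_port: '22', protocol: 'Tcp' }.freeze
HTTPS_FROM_INTERNET = { direction: 'inbound', service_tag: 'Internet', destination_port: '443', protocol: 'Tcp' }.freeze
HTTPS_FROM_CIDR     = { direction: 'inbound', ip_range: '64.233.160.0/24', destination_port: '443', protocol: 'Tcp' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "SSH from Internet:   naive=#{naive_allow?(SAMPLE_RULES, SSH_FROM_INTERNET)} " \
       "effective=#{effective_allow?(SAMPLE_RULES, SSH_FROM_INTERNET)}"
  puts "HTTPS from Internet: effective=#{effective_allow?(SAMPLE_RULES, HTTPS_FROM_INTERNET)}"
  puts "HTTPS from 64.233.160.0/24 (CIDR vs service-tag rule): " \
       "effective=#{effective_allow?(SAMPLE_RULES, HTTPS_FROM_CIDR)}"
end
```

With these rules the priority-blind check reports SSH from the internet as allowed (the priority-200 Allow matches), while the priority-aware check correctly returns false because the priority-100 Deny wins. HTTPS from the Internet tag is allowed, but the same HTTPS request expressed as a CIDR falls through to DenyAllInBound, since the Internet tag is never expanded into address ranges.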
For properties applicable to all resources, such as type, name, id, and properties, refer to azure_generic_resource.
Also, refer to the Azure documentation for other properties available. Any property in the response may be accessed with the key names separated by dots (.).
Examples
Test that a resource group has the specified Network Security group

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should exist }
end

Test that a Network Security group allows SSH from the internet

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow_ssh_from_internet }
end

Test that a Network Security group allows inbound traffic from a certain IP range on any port and protocol

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(source_ip_range: '10.0.0.0/24', direction: 'inbound') }
  # same test with the specific inbound rule check.
  it { should allow_in(source_ip_range: '10.0.0.0/24') }
end

Test that a Network Security group allows inbound traffic from the Internet service tag on port 80 and the TCP protocol

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(source_service_tag: 'Internet', destination_port: '80', protocol: 'TCP', direction: 'inbound') }
  # same test with the specific inbound rule check.
  it { should allow_in(source_service_tag: 'Internet', destination_port: '80', protocol: 'TCP') }
end

Test that a Network Security group allows inbound traffic from the VirtualNetwork service tag on a set of ports and port ranges, on any protocol

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(source_service_tag: 'VirtualNetwork', destination_port: %w{22 8080 56-78}, direction: 'inbound') }
  # same test with the specific inbound rule check.
  it { should allow_in(source_service_tag: 'VirtualNetwork', destination_port: %w{22 8080 56-78}) }
end

Test that a Network Security group allows outbound traffic to a certain IP range on any port and protocol

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(destination_ip_range: '10.0.0.0/24', direction: 'outbound') }
  # same test with the specific outbound rule check.
  it { should allow_out(destination_ip_range: '10.0.0.0/24') }
end

Loop through multiple Network Security groups, using already cached data, and verify that none of them allows inbound traffic to a certain IP range

azure_network_security_groups.entries.each do |azure_network_security_group_data|
  describe azure_network_security_group(resource_data: azure_network_security_group_data) do
    it { should_not allow(destination_ip_range: '10.0.0.0/24', direction: 'inbound') }
    # same test with the specific inbound rule check.
    it { should_not allow_in(destination_ip_range: '10.0.0.0/24') }
  end
end
Note
allow requires the direction parameter to be set to inbound or outbound, and you must prefix the ip_range, service_tag, and port criteria with source_ or destination_ identifiers.
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exists
The control passes if the resource returns a result. Use should_not
if you expect zero matches.
# If we expect 'GROUP_NAME' to always exist.
describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should exist }
end
not_exists
# If we expect 'GROUP_NAME' to never exist.
describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should_not exist }
end
Azure Permissions
Your Service Principal must be set up with at least a reader role on the subscription you wish to test.