@turbot/azure-network

The azure-network mod contains resource, control and policy definitions for the Azure Network service. This mod requires the Network resource provider to be registered in the subscription for proper operation. If Guardrails has sufficient permissions, this can be done automatically; otherwise register it with the Azure CLI:

az provider register --namespace "Microsoft.Network"
Version: 5.16.0
Released On: Apr 11, 2024

Release Notes

5.16.0 (2024-04-11)

What's new?

  • You can now delete existing Public IP Addresses which are unapproved for use in the Subscription. To get started, set the Azure > Network > Public IP Address > Approved policy to Enforce: Delete unapproved.

5.15.0 (2023-09-14)

Resource Types

  • Azure > Network > Express Route Circuits

Control Types

  • Azure > Network > Express Route Circuits > Active
  • Azure > Network > Express Route Circuits > Approved
  • Azure > Network > Express Route Circuits > CMDB
  • Azure > Network > Express Route Circuits > Discovery
  • Azure > Network > Express Route Circuits > Tags

Policy Types

  • Azure > Network > Express Route Circuits > Active
  • Azure > Network > Express Route Circuits > Active > Age
  • Azure > Network > Express Route Circuits > Active > Last Modified
  • Azure > Network > Express Route Circuits > Approved
  • Azure > Network > Express Route Circuits > Approved > Custom
  • Azure > Network > Express Route Circuits > Approved > Regions
  • Azure > Network > Express Route Circuits > Approved > Usage
  • Azure > Network > Express Route Circuits > CMDB
  • Azure > Network > Express Route Circuits > Regions
  • Azure > Network > Express Route Circuits > Tags
  • Azure > Network > Express Route Circuits > Tags > Template

Action Types

  • Azure > Network > Express Route Circuits > Delete
  • Azure > Network > Express Route Circuits > Router
  • Azure > Network > Express Route Circuits > Set Tags

5.14.0 (2023-09-06)

Resource Types

  • Azure > Network > Private DNS Zones
  • Azure > Network > Private Endpoints

Control Types

  • Azure > Network > Private DNS Zones > Active
  • Azure > Network > Private DNS Zones > Approved
  • Azure > Network > Private DNS Zones > CMDB
  • Azure > Network > Private DNS Zones > Discovery
  • Azure > Network > Private DNS Zones > Tags
  • Azure > Network > Private Endpoints > Active
  • Azure > Network > Private Endpoints > Approved
  • Azure > Network > Private Endpoints > CMDB
  • Azure > Network > Private Endpoints > Discovery
  • Azure > Network > Private Endpoints > Tags

Policy Types

  • Azure > Network > Private DNS Zones > Active
  • Azure > Network > Private DNS Zones > Active > Age
  • Azure > Network > Private DNS Zones > Active > Last Modified
  • Azure > Network > Private DNS Zones > Approved
  • Azure > Network > Private DNS Zones > Approved > Custom
  • Azure > Network > Private DNS Zones > Approved > Usage
  • Azure > Network > Private DNS Zones > CMDB
  • Azure > Network > Private DNS Zones > Tags
  • Azure > Network > Private DNS Zones > Tags > Template
  • Azure > Network > Private Endpoints > Active
  • Azure > Network > Private Endpoints > Active > Age
  • Azure > Network > Private Endpoints > Active > Last Modified
  • Azure > Network > Private Endpoints > Approved
  • Azure > Network > Private Endpoints > Approved > Custom
  • Azure > Network > Private Endpoints > Approved > Regions
  • Azure > Network > Private Endpoints > Approved > Usage
  • Azure > Network > Private Endpoints > CMDB
  • Azure > Network > Private Endpoints > Regions
  • Azure > Network > Private Endpoints > Tags
  • Azure > Network > Private Endpoints > Tags > Template

Action Types

  • Azure > Network > Private DNS Zones > Delete
  • Azure > Network > Private DNS Zones > Router
  • Azure > Network > Private DNS Zones > Set Tags
  • Azure > Network > Private Endpoints > Delete
  • Azure > Network > Private Endpoints > Router
  • Azure > Network > Private Endpoints > Set Tags

5.13.0 (2023-07-13)

Resource Types

  • Azure > Network > Virtual Network Gateway

Control Types

  • Azure > Network > Virtual Network Gateway > Active
  • Azure > Network > Virtual Network Gateway > Approved
  • Azure > Network > Virtual Network Gateway > CMDB
  • Azure > Network > Virtual Network Gateway > Configured
  • Azure > Network > Virtual Network Gateway > Discovery
  • Azure > Network > Virtual Network Gateway > Tags

Policy Types

  • Azure > Network > Virtual Network Gateway > Active
  • Azure > Network > Virtual Network Gateway > Active > Age
  • Azure > Network > Virtual Network Gateway > Active > Last Modified
  • Azure > Network > Virtual Network Gateway > Approved
  • Azure > Network > Virtual Network Gateway > Approved > Custom
  • Azure > Network > Virtual Network Gateway > Approved > Regions
  • Azure > Network > Virtual Network Gateway > Approved > Usage
  • Azure > Network > Virtual Network Gateway > CMDB
  • Azure > Network > Virtual Network Gateway > Configured
  • Azure > Network > Virtual Network Gateway > Configured > Claim Precedence
  • Azure > Network > Virtual Network Gateway > Configured > Source
  • Azure > Network > Virtual Network Gateway > Regions
  • Azure > Network > Virtual Network Gateway > Tags
  • Azure > Network > Virtual Network Gateway > Tags > Template

Action Types

  • Azure > Network > Virtual Network Gateway > Delete
  • Azure > Network > Virtual Network Gateway > Router
  • Azure > Network > Virtual Network Gateway > Set Tags

5.12.0 (2023-06-19)

What's new?

  • Resource's metadata will now also include createdBy details in Guardrails CMDB.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

5.11.0 (2022-12-23)

What's new?

  • All Azure > Network resource types now support China Cloud regions.

5.10.1 (2022-10-21)

Bug fixes

  • We've updated the runtime of the lambda functions to Node 16. You won't notice any difference; things will continue to work smoothly and consistently as before.

5.10.0 (2022-08-16)

Action Types

  • Azure > Network > Application Security Group > Delete from Azure
  • Azure > Network > Application Security Group > Set Tags
  • Azure > Network > Application Security Group > Skip alarm for Active control
  • Azure > Network > Application Security Group > Skip alarm for Active control [90 days]
  • Azure > Network > Application Security Group > Skip alarm for Approved control
  • Azure > Network > Application Security Group > Skip alarm for Approved control [90 days]
  • Azure > Network > Application Security Group > Skip alarm for Tags control
  • Azure > Network > Application Security Group > Skip alarm for Tags control [90 days]
  • Azure > Network > Network Interface > Delete from Azure
  • Azure > Network > Network Interface > Set Tags
  • Azure > Network > Network Interface > Skip alarm for Active control
  • Azure > Network > Network Interface > Skip alarm for Active control [90 days]
  • Azure > Network > Network Interface > Skip alarm for Approved control
  • Azure > Network > Network Interface > Skip alarm for Approved control [90 days]
  • Azure > Network > Network Interface > Skip alarm for Tags control
  • Azure > Network > Network Interface > Skip alarm for Tags control [90 days]
  • Azure > Network > Network Security Group > Delete from Azure
  • Azure > Network > Network Security Group > Set Tags
  • Azure > Network > Network Security Group > Skip alarm for Active control
  • Azure > Network > Network Security Group > Skip alarm for Active control [90 days]
  • Azure > Network > Network Security Group > Skip alarm for Approved control
  • Azure > Network > Network Security Group > Skip alarm for Approved control [90 days]
  • Azure > Network > Network Security Group > Skip alarm for Tags control
  • Azure > Network > Network Security Group > Skip alarm for Tags control [90 days]
  • Azure > Network > Public IP Address > Delete from Azure
  • Azure > Network > Public IP Address > Set Tags
  • Azure > Network > Public IP Address > Skip alarm for Active control
  • Azure > Network > Public IP Address > Skip alarm for Active control [90 days]
  • Azure > Network > Public IP Address > Skip alarm for Approved control
  • Azure > Network > Public IP Address > Skip alarm for Approved control [90 days]
  • Azure > Network > Public IP Address > Skip alarm for Tags control
  • Azure > Network > Public IP Address > Skip alarm for Tags control [90 days]
  • Azure > Network > Route Table > Delete from Azure
  • Azure > Network > Route Table > Set Tags
  • Azure > Network > Route Table > Skip alarm for Active control
  • Azure > Network > Route Table > Skip alarm for Active control [90 days]
  • Azure > Network > Route Table > Skip alarm for Approved control
  • Azure > Network > Route Table > Skip alarm for Approved control [90 days]
  • Azure > Network > Route Table > Skip alarm for Tags control
  • Azure > Network > Route Table > Skip alarm for Tags control [90 days]
  • Azure > Network > Subnet > Delete from Azure
  • Azure > Network > Subnet > Skip alarm for Active control
  • Azure > Network > Subnet > Skip alarm for Active control [90 days]
  • Azure > Network > Subnet > Skip alarm for Approved control
  • Azure > Network > Subnet > Skip alarm for Approved control [90 days]
  • Azure > Network > Virtual Network > Delete from Azure
  • Azure > Network > Virtual Network > Set Tags
  • Azure > Network > Virtual Network > Skip alarm for Active control
  • Azure > Network > Virtual Network > Skip alarm for Active control [90 days]
  • Azure > Network > Virtual Network > Skip alarm for Approved control
  • Azure > Network > Virtual Network > Skip alarm for Approved control [90 days]
  • Azure > Network > Virtual Network > Skip alarm for Tags control
  • Azure > Network > Virtual Network > Skip alarm for Tags control [90 days]

5.9.0 (2022-08-10)

Policy Types

  • Azure > Network > Network Interface > Active > Attached
  • Azure > Network > Public IP Address > Active > Attached

5.8.2 (2022-07-28)

Bug fixes

  • The Azure > Network > Public IP Address CMDB control would fail to update the IP configuration details of an IP address correctly when it was disassociated from a VM. This is now fixed.

5.8.1 (2022-03-16)

Bug fixes

  • We've improved the log messages for Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls to be more precise and helpful for all the statements that get evaluated by the control.

5.8.0 (2022-02-17)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks are part of the evaluation of the Approved control. Custom messages can also be added, which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.

Policy Types

  • Azure > Network > Application Security Group > Approved > Custom
  • Azure > Network > Network Interface > Approved > Custom
  • Azure > Network > Network Security Group > Approved > Custom
  • Azure > Network > Public IP Address > Approved > Custom
  • Azure > Network > Route Table > Approved > Custom
  • Azure > Network > Subnet > Approved > Custom
  • Azure > Network > Virtual Network > Approved > Custom

5.7.0 (2021-07-20)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.

5.6.0 (2021-04-16)

What's new?

  • Users can now manage which service tags are approved for use as network security group rule sources and destinations. A service tag represents a group of IP address prefixes from a given Azure service, simplifying access control from and to Azure services.

    To get started with these new features, you can add the list of approved service tags to the Azure > Network > Network Security Group > Ingress Rules > Approved > Service Tags and Azure > Network > Network Security Group > Egress Rules > Approved > Service Tags policies.

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Policy Types

  • Azure > Network > Network Security Group > Egress Rules > Approved > Service Tags
  • Azure > Network > Network Security Group > Ingress Rules > Approved > Service Tags

5.5.3 (2021-01-27)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
  • We've updated the examples for the Azure > Network > Network Security Group > Ingress Rules > Approved > Rules and Azure > Network > Network Security Group > Ingress Rules > Approved > Rules policies to contain clearer rules for checking ports.

5.5.2 (2021-01-08)

Security

  • Since v5.0.0, the Azure > Network > Network Security Group > Egress Rules > Approved and Azure > Network > Network Security Group > Ingress Rules > Approved controls would sometimes not mark security group rules with a port range containing prohibited ports as unapproved. This scenario would specifically occur when a security group rule's port range contained prohibited and allowed ports, resulting in the control incorrectly passing the security group rule as approved. Please note that if a security group rule's port range was limited to a single port, and that port was prohibited, the security group rule would correctly be marked unapproved.

    We have fixed how the controls evaluate security group rules and now any security group rules containing any prohibited ports will be marked unapproved correctly.

    We recommend updating this mod to the latest version to ensure these fixes are installed.
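A worked example, added here and not code from the azure-network mod, of the two rule checks described in the 5.6.0 and 5.5.2 notes: approved service tags as rule sources, and prohibited ports that sit inside a rule's port range. The approved tag list, the prohibited port list, the sample rules, and the heuristic that treats any non-IP, non-wildcard source prefix as a service tag are all constructed assumptions for the example; the two port functions contrast the single-port-only matching the 5.5.2 note describes with the range-intersection check that fixes it.

```javascript
// Added example, not code from the azure-network mod. Policy values below are constructed.
const APPROVED_SERVICE_TAGS = new Set(["VirtualNetwork", "AzureLoadBalancer"]);
const PROHIBITED_PORTS = new Set([22, 3389]); // constructed: SSH and RDP

// Parse one Azure port range string ("22", "1000-2000", "*") into [low, high].
function parsePortRange(spec) {
  const s = String(spec).trim();
  if (s === "*") return [0, 65535];
  const m = /^(\d{1,5})(?:-(\d{1,5}))?$/.exec(s);
  if (!m) throw new Error(`invalid port range: ${spec}`);
  const low = Number(m[1]);
  const high = m[2] === undefined ? low : Number(m[2]);
  if (low > high || high > 65535) throw new Error(`invalid port range: ${spec}`);
  return [low, high];
}

// A rule carries either destinationPortRange or the plural destinationPortRanges.
function ruleRanges(rule) {
  const specs =
    Array.isArray(rule.destinationPortRanges) && rule.destinationPortRanges.length > 0
      ? rule.destinationPortRanges
      : [rule.destinationPortRange];
  return specs.map(parsePortRange);
}

// Pre-5.5.2 behaviour as the note describes it: only a single-port rule could match
// the prohibited list, so a range such as "20-25" passed as approved.
function prohibitedPortsNaive(rule, prohibited = PROHIBITED_PORTS) {
  return ruleRanges(rule)
    .filter(([low, high]) => low === high && prohibited.has(low))
    .map(([low]) => low);
}

// Fixed behaviour: any prohibited port inside any of the rule's ranges makes it unapproved.
function prohibitedPortsInRule(rule, prohibited = PROHIBITED_PORTS) {
  const ranges = ruleRanges(rule);
  return [...prohibited]
    .filter((port) => ranges.some(([low, high]) => port >= low && port <= high))
    .sort((a, b) => a - b);
}

// Assumption for this example: a source prefix that is neither "*" nor an IPv4
// address/CIDR is treated as a service tag name.
function isServiceTag(prefix) {
  return prefix !== "*" && !/^\d{1,3}(\.\d{1,3}){3}(\/\d{1,2})?$/.test(prefix);
}

// Evaluate one ingress rule and return the control state with a readable reason,
// in the spirit of the 5.6.0 note about surfacing reasons directly on the control.
function evaluateIngressRule(rule, opts = {}) {
  const approvedTags = opts.approvedServiceTags || APPROVED_SERVICE_TAGS;
  const prohibited = opts.prohibitedPorts || PROHIBITED_PORTS;
  const reasons = [];
  const src = rule.sourceAddressPrefix;
  if (isServiceTag(src) && !approvedTags.has(src)) {
    reasons.push(`source service tag ${src} is not approved`);
  }
  const hits = prohibitedPortsInRule(rule, prohibited);
  if (hits.length > 0) {
    reasons.push(`port range allows prohibited port(s) ${hits.join(", ")}`);
  }
  return reasons.length === 0
    ? { state: "ok", reason: "rule matches approved service tags and ports" }
    : { state: "alarm", reason: reasons.join("; ") };
}

// Constructed sample rules: the second one is the exact shape the 5.5.2 bug missed.
const SAMPLE_RULES = [
  { name: "ssh-from-internet", sourceAddressPrefix: "Internet", destinationPortRange: "22" },
  { name: "ftp-range", sourceAddressPrefix: "10.0.0.0/8", destinationPortRange: "20-25" },
  { name: "web-from-lb", sourceAddressPrefix: "AzureLoadBalancer", destinationPortRanges: ["80", "443"] },
];

for (const rule of SAMPLE_RULES) {
  const result = evaluateIngressRule(rule);
  console.log(`${rule.name}: ${result.state} (${result.reason})`);
}
```

Running the block prints an alarm for both the single-port SSH rule and the 20-25 range (which contains port 22), and ok for the load-balancer web rule; swapping `prohibitedPortsInRule` for `prohibitedPortsNaive` inside `evaluateIngressRule` reproduces the pre-5.5.2 miss on the range rule.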

5.5.1 (2020-11-03)

Bug fixes

  • We've updated the Discovery controls for resources to now move to skipped instead of invalid if the provider is disabled in the subscription and the Azure > Provider > {service} > Registered policy is checking if the provider is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the provider.

5.5.0 (2020-10-22)

What's new?

  • We've made improvements to how Approved controls interact with CMDB policies and controls for more reliable approved checks. Now, if a resource's CMDB policy is set to Skip, its Approved control will move to invalid to prevent the Approved control from making a decision based on outdated information. Also, Approved controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

5.4.0 (2020-09-28)

Warning

  • The Azure > Network > Network Interface > Configured and Azure > Network > Subnet > Configured policies now include the following new policy values:
    - Skip (unless claimed by a stack)
    - Check: Per Configured > Source (unless claimed by a stack)
    - Enforce: Per Configured > Source (unless claimed by a stack)
    These new values will replace the following current values, which have been deprecated and will be removed in the next major version:
    - Skip if using Configured > Source
    - Check: Configured if using Configured > Source
    - Enforce: Configured if using Configured > Source
    We recommend that you update your policy settings to use the new values, as these have replaced the deprecated values and are backward compatible.

What's new?

  • We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

Policy Types

Renamed

  • Azure > Network > Network Interface > Configured > Precedence to Azure > Network > Network Interface > Configured > Claim Precedence
  • Azure > Network > Subnet > Configured > Precedence to Azure > Network > Subnet > Configured > Claim Precedence

5.3.0 (2020-09-21)

Warning

  • The Azure > Network > Application Security Group > Configured, Azure > Network > Network Security Group > Configured, Azure > Network > Public IP Address > Configured, Azure > Network > Route Table > Configured and Azure > Network > Virtual Network > Configured policies now include the following new policy values:
    - Skip (unless claimed by a stack)
    - Check: Per Configured > Source (unless claimed by a stack)
    - Enforce: Per Configured > Source (unless claimed by a stack)
    These new values will replace the following current values, which have been deprecated and will be removed in the next major version:
    - Skip if using Configured > Source
    - Check: Configured if using Configured > Source
    - Enforce: Configured if using Configured > Source
    We recommend that you update your policy settings to use the new values, as these have replaced the deprecated values and are backwards compatible.

Policy Types

Renamed

  • Azure > Network > Application Security Group > Configured > Precedence to Azure > Network > Application Security Group > Configured > Claim Precedence
  • Azure > Network > Network Security Group > Configured > Precedence to Azure > Network > Network Security Group > Configured > Claim Precedence
  • Azure > Network > Public IP Address > Configured > Precedence to Azure > Network > Public IP Address > Configured > Claim Precedence
  • Azure > Network > Route Table > Configured > Precedence to Azure > Network > Route Table > Configured > Claim Precedence
  • Azure > Network > Virtual Network > Configured > Precedence to Azure > Network > Virtual Network > Configured > Claim Precedence

5.2.1 (2020-09-04)

Bug fixes

  • The Azure > Network > Public IP Address > Tags control would sometimes go into an error state due to an invalid reference to GraphQL queries. This issue has been fixed and now the control runs smoothly.

5.2.0 (2020-08-27)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.

5.1.4 (2020-07-24)

Bug fixes

  • When deleting inactive resources through an Active control, different warning periods in days can be set to delay deletion. We recently identified a bug that would cause these warning periods to be ignored, and any inactive resources would be deleted immediately. This bug has been fixed and now all Active controls will abide by the warning period set in the policy value.

5.1.3 (2020-07-23)

Bug fixes

  • We've removed some microsoft.network permissions that Azure no longer supports, as they were causing an error in the Azure > Turbot > IAM stack control.

5.1.2 (2020-06-10)

What's new?

  • All resource Router actions now run even if Guardrails is outside of its allowed change window. This allows Guardrails to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Guardrails' ability to process resource changes that were made in the cloud provider; enforcement actions are still disabled outside of the change window.

Bug fixes

  • Although the data validation errors, which appear in various CMDB and Discovery controls, are not blockers, they look ugly in the UI and should be cleaned up. These errors have now been fixed.

5.1.1 (2020-05-19)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.1.0 (2020-05-06)

Bug fixes

  • When an inbound rule was added to a Network Security Group that had an Application Security Group as the source, the Azure > Network > Network Security Group > Ingress Rules > Approved control remained in Error state since it was checking for a nonexistent source address prefix. This has now been fixed and all inbound rule sources are handled properly.

Policy Types

Removed

  • Azure > Network > Subnet > Regions