Profile Applicability:
 Level 1

Description:
 Network Access Rules govern which IP addresses or networks can connect to Azure resources such as Storage Accounts, SQL servers, and other services. Setting these rules to deny-by-default means that all network traffic is blocked unless explicitly allowed by a specific rule. This approach enforces a secure posture by minimizing unintended exposure and preventing unauthorized access.

Rationale:
 A deny-by-default stance follows the principle of least privilege for network access. Without explicit allow rules, potential attack vectors are significantly reduced, enhancing security and compliance. It ensures that only trusted IPs or virtual networks can access sensitive resources, reducing the risk of data breaches or compromise.

Impact:

  • Pros:

    • Strengthens security by blocking all traffic except explicitly allowed sources.

    • Reduces accidental exposure of resources to the internet or untrusted networks.

    • Supports regulatory and compliance requirements for strict network access control.

  • Cons:

    • Requires careful planning and management of allow rules to avoid disrupting legitimate access.

    • May cause connectivity issues if critical IPs or networks are not whitelisted properly.

Default Value:
 Many Azure services default to allow-all or permit public network access unless configured otherwise.

Pre-requisites:

  • Proper Azure RBAC permissions to modify network rules.

  • Inventory of trusted IP ranges and virtual networks that require access.

Remediation

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Navigate to the Azure resource (e.g., Storage Account, SQL Server).

  3. Under Networking or Firewalls and virtual networks, review the configured network access rules.

  4. Confirm that the default action for unspecified IP addresses or networks is set to Deny.

Using Azure CLI:

  1. For a Storage Account, check the default network rule action:

     az storage account show --name <storage-account-name> --resource-group <resource-group> --query networkRuleSet.defaultAction

     Expected output: Deny

  2. For Azure SQL Server, list the firewall rules and confirm the default behavior:

     az sql server firewall-rule list --resource-group <resource-group> --server <server-name>

  3. Review the rules and confirm that none grants open access (for example, a rule spanning the entire IPv4 address range). Also verify that public network access is disabled or restricted.
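The audit steps above can be scripted so the result is a PASS/FAIL per control instead of a value to eyeball. The script below is an added example, not part of this benchmark or of the Azure CLI: the check functions take the values as arguments so they can be exercised offline, and the audit_* functions wrap them around live az calls (which require a prior az login). Resource and rule names are placeholders supplied by the caller.

```shell
#!/usr/bin/env bash
# Added audit helper for the test plan above (not part of the benchmark).
# Pure checks take values as arguments; audit_* functions fetch them via az.

# 0 when a storage account's networkRuleSet.defaultAction is Deny.
# Accepts the default JSON output ("Deny") as well as --output tsv (Deny).
storage_default_action_ok() {
  case "$1" in
    Deny|'"Deny"') return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when a SQL server's publicNetworkAccess is Disabled.
sql_public_access_ok() {
  [ "$1" = "Disabled" ]
}

# Reads "name start_ip end_ip" lines on stdin; returns 1 if any rule spans
# the whole IPv4 range. The platform rule AllowAllWindowsAzureIps
# (0.0.0.0-0.0.0.0) is not an open-internet rule and is left to the reviewer.
sql_firewall_rules_ok() {
  while read -r name start end; do
    [ -n "$name" ] || continue
    if [ "$start" = "0.0.0.0" ] && [ "$end" = "255.255.255.255" ]; then
      echo "open firewall rule: $name" >&2
      return 1
    fi
  done
  return 0
}

# Live check: audit_storage_account <storage-account-name> <resource-group>
audit_storage_account() {
  local action
  action=$(az storage account show --name "$1" --resource-group "$2" \
           --query networkRuleSet.defaultAction --output tsv)
  if storage_default_action_ok "$action"; then echo "PASS $1 defaultAction=$action"
  else echo "FAIL $1 defaultAction=$action"; return 1; fi
}

# Live check: audit_sql_server <server-name> <resource-group>
audit_sql_server() {
  local pna rc=0
  pna=$(az sql server show --name "$1" --resource-group "$2" \
        --query publicNetworkAccess --output tsv)
  if sql_public_access_ok "$pna"; then echo "PASS $1 publicNetworkAccess=$pna"
  else echo "FAIL $1 publicNetworkAccess=$pna"; rc=1; fi
  if az sql server firewall-rule list --resource-group "$2" --server "$1" \
       --query '[].[name,startIpAddress,endIpAddress]' --output tsv | sql_firewall_rules_ok
  then echo "PASS $1 no open firewall rule"
  else echo "FAIL $1 open firewall rule present"; rc=1; fi
  return $rc
}
```

Run the two audit_* functions over an inventory of accounts and servers and treat any non-zero return as a finding; the tsv output mode is used so the checks compare bare values rather than JSON-quoted strings.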

Implementation Plan

Using Azure Portal:

  1. Navigate to the resource’s Networking or Firewall settings.

  2. Set the Default Action or Network Rule Set default to Deny.

  3. Add explicit allow rules only for trusted IP addresses or virtual networks as needed.

  4. Save and validate connectivity for authorized clients.

Using Azure CLI:

  1. Update the Storage Account to deny all unspecified network traffic:

     az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Deny

  2. Configure or review SQL Server firewall rules, ensuring only authorized IPs are allowed and public access is restricted:

     az sql server firewall-rule create --resource-group <resource-group> --server <server-name> --name <rule-name> --start-ip-address <start-ip> --end-ip-address <end-ip>

  3. Disable public network access if applicable:

     az sql server update --name <server-name> --resource-group <resource-group> --public-network-access Disabled
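The order of these steps matters: if the default action is switched to Deny before the allow rules exist, every client, including the operator's own, loses access until the rules are added. The script below is an added example, not part of this benchmark or of the Azure CLI, that applies the steps in the safe order (allow rules first, Deny last, then a read-back). DRY_RUN=1 prints each command instead of executing it, and the SQL helper disables public network access only when PRIVATE_ONLY=1, since that setting requires a private endpoint for every client. All account, server and group names are placeholders.

```shell
#!/usr/bin/env bash
# Added remediation helper for the implementation plan above (not part of the
# benchmark). Allow rules are created before the default action flips to Deny.

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# harden_storage_account <account> <resource-group> <trusted-ip-or-cidr>...
harden_storage_account() {
  local acct="$1" rg="$2" ip
  shift 2
  for ip in "$@"; do   # allow rules first so trusted clients never lose access
    run az storage account network-rule add --account-name "$acct" --resource-group "$rg" --ip-address "$ip"
  done
  run az storage account update --name "$acct" --resource-group "$rg" --default-action Deny
  # Read the setting back; expected value is Deny.
  run az storage account show --name "$acct" --resource-group "$rg" --query networkRuleSet.defaultAction --output tsv
}

# harden_sql_server <server> <resource-group> <trusted-ipv4>...
# One single-address firewall rule per trusted IP; rule names are derived
# from the address (e.g. allow-203-0-113-5).
harden_sql_server() {
  local srv="$1" rg="$2" ip name
  shift 2
  for ip in "$@"; do
    name="allow-$(printf '%s' "$ip" | tr . -)"
    run az sql server firewall-rule create --resource-group "$rg" --server "$srv" --name "$name" \
        --start-ip-address "$ip" --end-ip-address "$ip"
  done
  if [ "${PRIVATE_ONLY:-0}" = "1" ]; then
    run az sql server update --name "$srv" --resource-group "$rg" --public-network-access Disabled
  fi
}

# Example invocation with placeholder names and constructed trusted addresses:
#   DRY_RUN=1 harden_storage_account <storage-account-name> <resource-group> 203.0.113.5 198.51.100.0/24
#   DRY_RUN=1 PRIVATE_ONLY=1 harden_sql_server <server-name> <resource-group> 203.0.113.5
```

Run it once with DRY_RUN=1 to review the exact command sequence against the trusted-IP inventory from the pre-requisites, then without it; the final show call in the storage helper confirms the setting the test plan checks for.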


Backout Plan

Using Azure Portal:

  1. Revert the default action to Allow (or to the previous configuration) to restore access.

  2. Notify stakeholders of the change and monitor for impact.

Using Azure CLI:

  1. Change the default action back to Allow:

     az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Allow

  2. Modify the firewall rules to re-allow broader access if necessary.

  3. Re-enable public network access if it was previously disabled.

References: