Profile Applicability:
Level 1
Description:
Disabling public network access on Azure Recovery Services Vaults restricts access to the vault exclusively through private networks or trusted virtual networks. This prevents the vault from being accessible over the public internet, reducing the risk of unauthorized access and data exposure.
Rationale:
Allowing public network access increases the attack surface and can expose backup vaults to threats from the internet. Disabling it enforces strict network boundaries, ensuring only authorized traffic within private networks can access backup data, thus improving security and compliance.
Impact:
Pros:
Reduces exposure to external threats by blocking public internet access.
Supports compliance with organizational and regulatory network security policies.
Encourages use of secure private connectivity like Azure Private Link.
Cons:
May require application and service reconfiguration to use private endpoints.
Could disrupt existing workflows that rely on public endpoints if not planned properly.
Default Value:
Public network access is typically enabled by default on Recovery Services Vaults.
Pre-requisites:
Azure permissions to modify vault network and firewall settings.
Knowledge of existing network architecture and dependencies.
Remediation:
Test Plan:
Using Azure Portal:
Go to https://portal.azure.com.
Navigate to Recovery Services Vaults and select the target vault.
Under Networking or Firewalls and virtual networks, check the Public network access setting.
Verify that public access is set to Disabled or restricted to selected networks only.
Using Azure CLI:
1. Check public network access status:
az backup vault show --name <vault-name> --resource-group <resource-group> --query properties.publicNetworkAccess
2. Confirm the output is Disabled.
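To run this check across every vault in a subscription rather than one at a time, the following added script (not part of the benchmark) feeds the output of az backup vault list into a compliance filter. It assumes each listed vault carries properties.publicNetworkAccess as shown in the Test Plan, treats a missing value as Enabled (the stated default), and exits non-zero when any vault is not Disabled so it can gate a pipeline; the embedded vault records are constructed sample data.

```python
"""Audit Recovery Services vaults for public network access (added example, not benchmark code)."""
import json
import subprocess
import sys

COMPLIANT_VALUE = "Disabled"

# Constructed sample of what `az backup vault list -o json` returns, trimmed
# to the fields this check uses. The field layout is an assumption.
SAMPLE_VAULTS = [
    {"name": "rsv-prod-backup", "resourceGroup": "rg-prod",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"name": "rsv-dev-backup", "resourceGroup": "rg-dev",
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "rsv-legacy", "resourceGroup": "rg-legacy",
     "properties": {}},  # field absent: treated as the default, Enabled
]


def public_network_access(vault):
    """Return the vault's publicNetworkAccess value, defaulting to Enabled when absent."""
    props = vault.get("properties") or {}
    return props.get("publicNetworkAccess") or "Enabled"


def noncompliant_vaults(vaults):
    """Return (name, resourceGroup, value) for each vault not set to Disabled."""
    return [
        (v.get("name"), v.get("resourceGroup"), public_network_access(v))
        for v in vaults
        if public_network_access(v) != COMPLIANT_VALUE
    ]


def list_vaults_from_cli():
    """Fetch every vault in the current subscription with the Azure CLI."""
    result = subprocess.run(
        ["az", "backup", "vault", "list", "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Pass --live to query the real subscription; otherwise the sample data is used.
    vaults = list_vaults_from_cli() if "--live" in sys.argv else SAMPLE_VAULTS
    findings = noncompliant_vaults(vaults)
    for name, rg, value in findings:
        print(f"FAIL {name} (rg={rg}): publicNetworkAccess={value}")
    print(f"{len(findings)} of {len(vaults)} vault(s) not set to Disabled")
    sys.exit(1 if findings else 0)
```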
Implementation Plan:
Using Azure Portal:
Navigate to the vault’s Networking or Firewall settings.
Set Public network access to Disabled or restrict to selected virtual networks.
Save and verify the change.
Using Azure CLI:
1. Disable public network access:
az backup vault update --name <vault-name> --resource-group <resource-group> --set properties.publicNetworkAccess=Disabled
2. Confirm the update by re-running the show command from the Test Plan and checking that it returns Disabled.
Backout Plan:
Using Azure Portal:
Re-enable public network access if necessary by changing settings to Enabled or All networks.
Notify affected teams and monitor.
Using Azure CLI:
1. Enable public network access:
az backup vault update --name <vault-name> --resource-group <resource-group> --set properties.publicNetworkAccess=Enabled
References: