Network Security Group Rule Audit (Azure)

Question

I wondered if anyone has found a way to audit network security groups in Azure, other than trawl through them all in the Azure UI. I have managed to extract info as json, but still its not terribly easy to decipher as its nested quite deeply. Im looking for NSG's with default any/any rules and other poorly applied rules.

We have several hundred Network Security Groups (to give context).

Anyone have any views how best to go about this?

Answer 1

Depending on what you would like to audit in your NSG security rules, the Azure Resource Graph may be more friendly than exporting the the JSON and parsing. It can be called via the REST API, for example from a Logic App, for regular audits.

A simple query for NSGs with security rules allowing traffic to port 22 is below:

az graph query -q "where type == 'microsoft.network/networksecuritygroups' | extend rules = properties.securityRules | mv-expand rules | where rules.properties.destinationPortRanges contains '22' | summarize count() by id" 

Another approach to consider would be to use Azure Policy to audit security rules for specific exceptions.

Lastly, if you are more interested in monitoring changes made to your NSGs than specific exceptions, the Resource Change History feature may be what you are looking for. You can target specific resources and review changes over a time window. Doing so would require some automation on your part, calling the Rest API, etc. See: https://docs.microsoft.com/en-us/azure/governance/resource-graph/how-to/get-resource-changes