
azure_network_security_group resource

Use the azure_network_security_group InSpec audit resource to test the properties of an Azure Network Security group.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

An azure_network_security_group resource block identifies a Network Security group by name and resource_group, or by resource_id.

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should exist }
end
describe azure_network_security_group(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}') do
  it { should exist }
end

Parameters

resource_group
Azure resource group where the targeted resource resides.
name
Name of the Azure resource to test.
resource_id
The unique resource ID. /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}.
resource_data
In-memory cached Azure Network Security group data. Passing data to this parameter can increase performance since it avoids multiple network calls to the same Azure resource. When provided, it binds the values directly to the resource. Data passed to the resource_data parameter could be stale. It is the user’s responsibility to refresh the data.

Provide one of the following parameter sets for a valid query:

  • resource_id
  • resource_group and name
  • resource_data

Properties

security_rules
The set of security rules.
default_security_rules
The set of default security rules.
allow_ssh_from_internet *
A boolean value determined by analysing the security rules and default security rules for unrestricted SSH access. it { should_not allow_ssh_from_internet }.
allow_rdp_from_internet *
A boolean value determined by analysing the security rules and default security rules for unrestricted RDP access. it { should_not allow_rdp_from_internet }.
allow_port_from_internet *
A boolean value determined by analysing the security rules and default security rules for unrestricted access to the specified port. it { should_not allow_port_from_internet('443') }.
allow? **
Indicates whether the provided criteria are permitted by the security rules, including the default ones. it { should allow(source_ip_range: '10.0.0.0/24', direction: 'inbound') }.
allowed? **
Alias for allow?. it { should be_allowed(source_ip_range: '10.0.0.0/24', direction: 'inbound') }.
allow_in? **
Indicates whether the provided criteria are permitted by the inbound security rules, including the default ones. it { should_not allow_in(service_tag: 'Internet') }.
allowed_in? **
Alias for allow_in?. it { should_not be_allowed_in(service_tag: 'Internet') }.
allow_out? **
Indicates whether the provided criteria are permitted by the outbound security rules, including the default ones. it { should_not allow_out(service_tag: 'Internet') }.
allowed_out? **
Alias for allow_out?. it { should_not be_allowed_out(service_tag: 'Internet') }.

* These properties do not take the priorities of security rules into account. For example, suppose there are two security rules, one allowing SSH from the internet and the other denying it: allow_ssh_from_internet returns true without comparing the priorities of the conflicting rules, even if the deny rule outranks the allow rule. It is therefore recommended to use the allow, allow_in, or allow_out properties, which do take priorities into account.

** These properties do not compare criteria defined by explicit IP ranges with the security rules defined by Azure service tags and vice versa.

For example, suppose a network security group has a single security rule that allows all traffic from the internet by using the Internet service tag as the source. The test allow_in(ip_range: '64.233.160.0') will fail because the source definitions are incompatible: the InSpec Azure resource pack has no control over which IP ranges Azure assigns to a service tag, so a tag and an explicit range are never treated as equivalent. Tests using these methods should therefore be written explicitly for service tags and, separately, for IP ranges. For more information about network security groups and security rules, see the Azure network security groups documentation.

The ip_range criteria used in these methods support IPv4 and IPv6 and should be written in CIDR notation.
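The two footnotes above describe two different ways of reading the same rule set. The following pure-Ruby code is an added example, not code from the inspec-azure resource pack, that models both over rule hashes shaped like the securityRules and defaultSecurityRules arrays of the Azure REST response: a priority-blind scan (what the starred allow_*_from_internet properties are described as doing) and a priority-ordered walk in which the first covering rule decides (what allow?/allow_in?/allow_out? are described as doing), with service tags and CIDR ranges kept incomparable. Rule names, priorities and address ranges are constructed, and the matching semantics are a simplification assumed for the example (only a rule's source prefix, protocol and destination port are compared; destination prefixes and source ports are ignored), not the pack's actual logic.

```ruby
require 'ipaddr'

# One rule built from a hash shaped like an item of the securityRules /
# defaultSecurityRules arrays of the Azure REST response. Simplification (an
# assumption of this example, not the pack's logic): only the source prefix,
# protocol and destination port of a rule are compared.
class NsgRule
  attr_reader :name, :priority, :access

  def initialize(raw)
    p = raw['properties']
    @name      = raw['name']
    @priority  = p['priority']               # lower number wins
    @direction = p['direction'].downcase     # 'inbound' / 'outbound'
    @access    = p['access'].downcase        # 'allow' / 'deny'
    @protocol  = p['protocol'].downcase      # 'tcp', 'udp', 'icmp' or '*'
    @source    = p['sourceAddressPrefix']    # '*', a service tag, or a CIDR
    @dst_port  = p['destinationPortRange']   # '*', '22' or '1000-2000'
    @cidr = (IPAddr.new(@source) rescue nil) # nil => '*' or a tag such as 'Internet'
  end

  # True when this rule covers every packet described by +criteria+ (keys: :direction,
  # :protocol, :destination_port, :source_service_tag, :source_ip_range).
  # An omitted criterion means "any", which only a '*' in the rule covers.
  def covers?(criteria)
    @direction == criteria[:direction] &&
      protocol_covers?(criteria[:protocol]) &&
      port_covers?(criteria[:destination_port]) &&
      source_covers?(criteria)
  end

  private

  def protocol_covers?(proto)
    @protocol == '*' || (!proto.nil? && @protocol == proto.downcase)
  end

  def port_covers?(port)
    return true if @dst_port == '*'
    return false if port.nil?
    lo, hi = @dst_port.split('-').map(&:to_i)
    (lo..(hi || lo)).cover?(port.to_i)
  end

  # A service-tag rule is compared only with a service-tag criterion and a CIDR rule
  # only with a CIDR criterion: nothing here knows which addresses a tag expands to.
  def source_covers?(criteria)
    return true if @source == '*'
    if criteria[:source_service_tag]
      @cidr.nil? && @source.casecmp?(criteria[:source_service_tag])
    elsif criteria[:source_ip_range] && @cidr
      wanted = IPAddr.new(criteria[:source_ip_range])
      @cidr.family == wanted.family &&
        @cidr.to_range.begin <= wanted.to_range.begin &&
        wanted.to_range.end <= @cidr.to_range.end
    else
      false
    end
  end
end

# Priority-aware evaluation, as documented for allow?/allow_in?/allow_out?: the
# covering rule (security or default) with the lowest priority number decides.
def allow?(security_rules, default_rules, criteria)
  raise ArgumentError, "direction: must be 'inbound' or 'outbound'" unless %w[inbound outbound].include?(criteria[:direction])
  decider = (security_rules + default_rules).sort_by(&:priority).find { |r| r.covers?(criteria) }
  !decider.nil? && decider.access == 'allow'
end

def allow_in?(security_rules, default_rules, criteria)
  allow?(security_rules, default_rules, criteria.merge(direction: 'inbound'))
end

# Priority-blind evaluation, as documented for the starred allow_*_from_internet
# properties: true as soon as any Allow rule reaches the port from the internet.
def naive_allow_port_from_internet?(security_rules, default_rules, port)
  (security_rules + default_rules).any? do |r|
    r.access == 'allow' && r.covers?(direction: 'inbound', protocol: 'Tcp',
                                     destination_port: port, source_service_tag: 'Internet')
  end
end

# Constructed sample rules (hypothetical names, priorities and ranges).
def build_rule(name, priority, access, source, port, protocol = 'Tcp')
  NsgRule.new('name' => name, 'properties' => {
    'priority' => priority, 'direction' => 'Inbound', 'access' => access,
    'protocol' => protocol, 'sourceAddressPrefix' => source, 'destinationPortRange' => port })
end

SECURITY_RULES = [
  build_rule('deny-ssh-from-internet',  100, 'Deny',  'Internet',       '22'),
  build_rule('allow-ssh-from-anywhere', 200, 'Allow', '*',              '22'),
  build_rule('allow-web-from-internet', 300, 'Allow', 'Internet',       '80-443'),
  build_rule('allow-any-from-corp',     400, 'Allow', '203.0.113.0/24', '*', '*')
].freeze
# Azure's inbound default rules, modelled with the same simplification.
DEFAULT_RULES = [
  build_rule('AllowVnetInBound', 65_000, 'Allow', 'VirtualNetwork', '*', '*'),
  build_rule('DenyAllInBound',   65_500, 'Deny',  '*',              '*', '*')
].freeze
```

With these sample rules, naive_allow_port_from_internet?(SECURITY_RULES, DEFAULT_RULES, '22') returns true because it sees the Allow at priority 200 and ignores the Deny at priority 100, while allow_in? with source_service_tag: 'Internet', destination_port: '22', protocol: 'TCP' returns false because the Deny rule outranks it. The same SSH query phrased as an explicit range, source_ip_range: '198.51.100.0/24', returns true again: the Deny rule is keyed on the Internet tag and is never compared with a CIDR, so the wildcard Allow at priority 200 decides. That is why the footnote recommends separate tests for service tags and for each IP range you care about, and why a deny rule written against a tag does not prove an explicit range is blocked.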

For properties applicable to all resources, such as type, name, id, and properties, refer to azure_generic_resource.

Also, see the Azure documentation for other available properties. Any property in the response may be accessed with the key names separated by dots (.).

Examples

Test that a resource group has the specified Network Security group:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should exist }
end

Test that a Network Security group allows SSH from the internet:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow_ssh_from_internet }
end

Test that a Network Security group allows inbound traffic from a certain IP range on any port and protocol:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(source_ip_range: '10.0.0.0/24', direction: 'inbound') }
end

Test that a Network Security group allows inbound traffic from the Internet service tag on port 22 over TCP:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(source_service_tag: 'Internet', destination_port: '22', protocol: 'TCP', direction: 'inbound') }
end

Test that a Network Security group allows inbound traffic from the VirtualNetwork service tag on a set of ports and port ranges:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(source_service_tag: 'VirtualNetwork', destination_port: %w{22 8080 56-78}, direction: 'inbound') }
end

Test that a Network Security group allows outbound traffic to a certain IP range on any port and protocol:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should allow(destination_ip_range: '10.0.0.0/24', direction: 'outbound') }
end

Loop through multiple Network Security groups, using the data already cached by the plural resource, and verify that none of them allows inbound traffic to a certain IP range:

azure_network_security_groups.entries.each do |azure_network_security_group_data|
  describe azure_network_security_group(resource_data: azure_network_security_group_data) do
    it { should_not allow(destination_ip_range: '10.0.0.0/24', direction: 'inbound') }
  end
end

Note

allow requires the direction parameter to be set to inbound or outbound, and the ip_range, service_tag, and port criteria must be prefixed with source_ or destination_ (for example, source_ip_range or destination_port).

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exists

The control passes if the resource returns a result. Use should_not if you expect zero matches.

# If we expect 'GROUP_NAME' to always exist.

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should exist }
end

not_exists

# If we expect 'GROUP_NAME' to never exist.

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should_not exist }
end

Test that a Network Security group should not allow UDP from the internet:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  it { should_not allow_udp_from_internet }
end

Test the number of days that flow log records are retained. In Azure, a retention of 0 days means the records are kept indefinitely, so assert on the exact value your retention policy requires:

describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
  its('flow_log_retention_period') { should eq 0 }
end

Azure permissions

Your service principal must be set up with at least the Reader role on the subscription you wish to test.
