As a best practice it's generally advised to always have a network security group (NSG) associated with a subnet, which ensures all resources in the subnet can be protected with layer 4 access control rules. For virtual machines specifically, a network security group is required if you plan on using Defender for Servers Just-in-time virtual machine access.
Defender for Cloud can help surface virtual machines that do not have network security groups associated with them. This recommendation also helps comply with regulatory and industry standards requirements such as FedRAMP, NIST, CIS, and CMMC.
Quick jump to the logic app solution > Enable a Network Security Group on a Subnet
There are two recommendations that relate to this insight, one for internet facing machines and another for non-internet facing machines.
- Non-internet-facing virtual machines should be protected with network security groups
- Internet-facing virtual machines should be protected with network security groups
To provide a better proactive approach we can respond to these recommendations automatically with Defender for Cloud’s workflow automation capabilities using a logic app I have written, Enable a Network Security Group on a Subnet. This logic app will create a network security group and associate it to the subnet where the virtual machine resides.
- Resource Group Contributor rights to deploy the ARM Template
- The Logic App uses a system-assigned Managed Identity. You will need to assign it the Network Contributor and Reader roles on the applicable subscriptions so it can create and associate network security groups.
There is no expected impact on existing resources when the network security group is created and associated with an existing subnet. The NSG created will only have the default network security group rules.
Please test appropriately.
You can deploy the main template by clicking on the button below:
- After you have deployed the logic app, assign the system-assigned managed identity the following roles
  - Network Contributor
- Create a new Workflow Automation in Defender for Cloud
  - Trigger Conditions
    - Defender for Cloud data type: Recommendation
    - Recommendation name: Non-internet-facing virtual machines should be protected with network security groups and Internet-facing virtual machines should be protected with network security groups
    - Recommendation State: Unhealthy
Network Security Group Name
The logic app uses the parameter defaultNSGName as the NSG name during creation. By default this is set to “default-nsg-”, and the subnet name is appended to it during creation.
By default the network security group created will only have the default network security group rules. If desired you can modify the logic app to include deny or allow rules during creation.
- From the Logic app > Logic app designer, select Parameters
- Update the securityRules parameter with properly formatted JSON
- See examples
- Click Save
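A constructed example of a securityRules value, added here and not taken from the logic app's own repository; it assumes the parameter takes the same array shape as the securityRules property of a Microsoft.Network/networkSecurityGroups ARM resource, and the management prefix 10.200.0.0/24 is a placeholder. It allows RDP/SSH only from that prefix and explicitly denies them from the Internet, so a later, broader allow rule with a higher priority number cannot reopen the management ports.

```json
[
  {
    "name": "Allow-Mgmt-RDP-SSH",
    "properties": {
      "description": "Constructed example: management access only from the assumed admin prefix 10.200.0.0/24",
      "priority": 100,
      "direction": "Inbound",
      "access": "Allow",
      "protocol": "Tcp",
      "sourceAddressPrefix": "10.200.0.0/24",
      "sourcePortRange": "*",
      "destinationAddressPrefix": "*",
      "destinationPortRanges": ["22", "3389"]
    }
  },
  {
    "name": "Deny-Internet-RDP-SSH",
    "properties": {
      "description": "Constructed example: explicit deny of RDP/SSH from the Internet service tag",
      "priority": 110,
      "direction": "Inbound",
      "access": "Deny",
      "protocol": "Tcp",
      "sourceAddressPrefix": "Internet",
      "sourcePortRange": "*",
      "destinationAddressPrefix": "*",
      "destinationPortRanges": ["22", "3389"]
    }
  }
]
```

Priorities must be unique within the NSG and fall between 100 and 4096; the built-in default rules (priority 65000 and above) remain in place beneath these.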