Overview
Creating resources in Azure is simple for IT teams these days, but finding all the public endpoints that could be visible to the internet can be challenging. Why do I need to understand which IPs are exposed to the internet? Without a proper understanding of which public IPs are reachable from the internet we cannot fully secure or protect our resources. In this article we will look at using the Azure-native Resource Graph Explorer to query not only virtual machine public IP addresses but also other resources in our Azure tenant whose properties contain IP addresses.
The Method
Using Resource Graph Explorer we can see there is already a pre-built query called "List all public IP addresses".
Looking at the results, we can see that this returns the public IP addresses from resources whose type contains 'publicIPAddresses'.
But what if a resource's type does not contain 'publicIPAddresses'? Examples include Local Network Gateways, Virtual Network Gateways, Web Sites and many others.
That is where the power of Resource Graph Explorer comes in. We can use a regular expression (regex) to expand our query so it looks through the properties of every resource and identifies IP addresses.
The query to identify anything that looks like an IP could look like this:
resources
| where properties matches regex @'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
| project name, type, location, resourceGroup, subscriptionId, properties
and our results will look something like this:
This is a great start: we can search for anything that looks like an IP address. But this means we are also including our private IP ranges, like 10.0.0.0.
We can also streamline the regex by using two websites:
1. IP Range Regular Expression Builder - AnalyticsMarket
This website allows you to build regex expressions by entering the required IP Addresses.
For this example I will use the range 100.0.0.0 - 255.255.255.255
2. regex101: build, test, and debug regex
This website analyzes your regex and lets you test it against a string.
Now that we have our new range, we can make a small modification to our original Resource Graph query.
resources
| where properties matches regex @'[12]\d\d(\.([1-9]?\d|[12]\d\d)){3}'
| project name, type, location, resourceGroup, subscriptionId, properties
and it will return only IP Addresses in our chosen range from
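The range regex above matches first octets from 100 to 299 and any later octet up to 299, so its matches still need validating before they are treated as public addresses. As an added example that is not part of the original post, this Python script post-processes rows exported as JSON from the first, broad query and keeps only addresses that parse as valid, globally routable IPv4 (dropping RFC 1918 ranges, subnet masks and malformed octets); the sample rows and addresses are constructed.

```python
import ipaddress
import json
import re

# Loose IPv4 candidate pattern, the same shape as the post's first query;
# it deliberately over-matches and the ipaddress module does the real check.
IPV4_CANDIDATE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def find_ipv4(properties: dict) -> set[str]:
    """Return every string that looks like an IPv4 address anywhere in a
    resource's properties bag (nested objects and lists included)."""
    return set(IPV4_CANDIDATE.findall(json.dumps(properties)))


def split_public(candidates: set[str]) -> tuple[set[str], set[str]]:
    """Split candidates into globally routable addresses and everything
    else (RFC 1918, link-local, reserved, masks, malformed octets)."""
    public, other = set(), set()
    for text in candidates:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:          # e.g. 299.1.1.1: octet out of range
            other.add(text)
            continue
        (public if addr.is_global else other).add(text)
    return public, other


def resources_with_public_ips(rows: list[dict]) -> dict[str, set[str]]:
    """Map resource name -> public IPv4s, dropping resources with none."""
    result = {}
    for row in rows:
        public, _ = split_public(find_ipv4(row["properties"]))
        if public:
            result[row["name"]] = public
    return result


# Constructed sample rows shaped like the JSON export of the post's first
# query (name, type, properties); all addresses here are made up.
SAMPLE_ROWS = [
    {"name": "vm1-pip", "type": "microsoft.network/publicipaddresses",
     "properties": {"ipAddress": "20.50.60.70", "subnetMask": "255.255.255.0"}},
    {"name": "onprem-lng", "type": "microsoft.network/localnetworkgateways",
     "properties": {"gatewayIpAddress": "40.112.0.5",
                    "localNetworkAddressSpace": {"addressPrefixes": ["192.168.0.0/16"]}}},
    {"name": "web-app", "type": "microsoft.web/sites",
     "properties": {"outboundIpAddresses": "9.9.9.9,10.0.0.4", "imageVersion": "299.1.1.1"}},
    {"name": "internal-vnet", "type": "microsoft.network/virtualnetworks",
     "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
]

if __name__ == "__main__":
    for name, ips in resources_with_public_ips(SAMPLE_ROWS).items():
        print(f"{name}: {', '.join(sorted(ips))}")
```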
With this information retrieved, we need to ask the question, "Do we need publicly accessible endpoints for these resources?" If we do, we need to secure them according to the best practices in the Azure Security Benchmark; if we don't, they can be removed and replaced with services like Private Endpoints, Private Link, Azure Bastion and others.
I hope this query can help you further explore and secure Azure resources that have Public IP addresses.
Take note: although this query provides more coverage by looking at every resource type that has an IP address in its properties, some resources, like Storage Accounts and Key Vaults, do not have an IP in their properties but could still be exposed to the internet and need to be investigated separately.
More Resources
Quickstart: Your first portal query - Azure Resource Graph | Microsoft Docs
Azure Resource Graph: From beginner to expert (microsoft.com)
Azure Security Benchmark overview | Microsoft Docs
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Updated Feb 14, 2022
Version 2.0
wernerrall, Microsoft
Core Infrastructure and Security Blog