Core Infrastructure and Security Blog

Network Security Group Monitoring

bwatts670
Feb 03, 2021


Intro

Brad Watts here to explore monitoring of your Network Security Groups (NSGs). I was approached recently by a customer wanting to better understand changes being made to the many NSGs in their environment. Working with them, we came up with an Azure Workbook that provides a centralized view of both current settings on your NSGs along with any changes that have been made. 


Sneak Peek

Before we jump into implementation, let's look at the result. Our Workbook has two tabs. The first tab is "Current Settings" and uses Azure Resource Graph to pull in the current NSG settings.


On the "Audit Settings" tab we are focusing on the changes made to NSGs.


If you select one of the changes from the “NSG Changes” table, it will show you what NIC/Subnet it’s connected to along with all the changes over the last 90 days. 


Prerequisites 

If you're interested in implementing this Workbook, you need to be aware of a few requirements:

  • Whoever is using the Workbook will need at least read access to the NSGs they want to monitor. This is because we are using Azure Resource Graph to pull this information.
  • For the "Audit Settings" tab to work you need to send your Azure Activity Logs to a Log Analytics Workspace.

Azure Activity log - Azure Monitor | Microsoft Docs 


  • Whoever is using the Workbook will need to be able to read the data in the Log Analytics workspace that you sent the Azure Activity Logs to. 
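The "Audit Settings" tab depends on exactly this data. As an added example (my own, not a query taken from the Workbook), here is a Log Analytics query that lists NSG changes recorded in the Activity Log over the last 90 days. It assumes the Activity Log is landing in the AzureActivity table of the workspace and uses the current AzureActivity column names.

```kusto
// Added example, not the Workbook's own query.
// Assumes Activity Logs are routed to this workspace (AzureActivity table).
AzureActivity
| where TimeGenerated > ago(90d)
| where ResourceProviderValue =~ "Microsoft.Network"
| where OperationNameValue has "networkSecurityGroups"
// Keep only completed operations; each request also logs "Start"/"Accept" records
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Resource id: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/
//              networkSecurityGroups/<nsg>[/securityRules/<rule>]
| extend parts = split(tolower(_ResourceId), "/")
| extend NSG = tostring(parts[8]), Rule = tostring(parts[10])
| extend Action = case(
    OperationNameValue endswith "/delete", "Delete",
    OperationNameValue endswith "/write",  "Create/Update",
    OperationNameValue)
| project TimeGenerated, Caller, CallerIpAddress, NSG, Rule, Action, OperationNameValue, CorrelationId
| order by TimeGenerated desc
```

Replacing the final two lines with `| summarize Changes=count(), Callers=make_set(Caller) by NSG` gives a per-NSG change count, which is a quick way to spot the groups being edited most often.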

Implementing 

Hopefully, everyone is still interested and wants to take a look at this in their environment. Well, let's walk through importing the workbook!


Step 1: Get the Workbook 

You can find a copy of this workbook in my GitHub repo. You just need to copy the content of this JSON file to import it.


https://raw.githubusercontent.com/bwatts64/AzureMonitor/master/Workbooks/NSGWorkbook.json 


Step 2: Create a Workbook 

In the Azure Portal, bring up Azure Monitor by searching for "Monitor".


In Azure Monitor, select the "Workbook" tab and choose "New".


This will open a Workbook in Edit mode. Go to the "Advanced Editor" (</>).


In the "Advanced Editor", paste the content of the JSON file from my GitHub repo and click on "Apply".


That’s it. You know have the Workbook to test in your environment. Make sure you “Save” the workbook and also click on the “Done Editing” to get the full experience. 

Summary 

Being able to easily visualize both your current NSGs and any changes made to them over time is essential for anyone managing NSGs in Azure. In this solution we are using an Azure Workbook along with Log Analytics and Azure Resource Graph to give you that centralized view. I hope this makes your life easier, and please suggest improvements to the Workbook. I always consider these things works in progress! A similar Workbook for Azure Firewalls is in progress.

Updated Feb 03, 2021
Version 2.0
  • cgoenka

    Great workbook! Quick question: in Current Settings, if a sub has more than 300+ NSGs, will the RG query still work? It did not work for me for one sub, and even for all subs when I select it, it throws me a "query invalid" error.

  • cgoenka, I'm not sure to be honest. I wouldn't think it should throw an invalid query, so my guess is something else is going on that I didn't consider! If you want, run the following query in Resource Graph Explorer to just verify the query works in your environment!


    // First half: the platform default rules of every NSG
    Resources
    | where type =~ 'Microsoft.Network/networkSecurityGroups'
    //| where id in~ ({selectedNSG})   // Workbook parameter filter, commented out for Resource Graph Explorer
    | project name, id,location, resourceGroup, NetworkInterfaces=properties.networkInterfaces,Subnets=properties.subnets, SecurityRules=properties.defaultSecurityRules,subscriptionId
    | mvexpand SecurityRules
    // Second half: the custom rules, unioned so each rule becomes one row
    | union (Resources
    | where type =~ 'Microsoft.Network/networkSecurityGroups'
    //| where id in~ ({selectedNSG})
    | project name, id,location, resourceGroup, NetworkInterfaces=properties.networkInterfaces,Subnets=properties.subnets, SecurityRules=properties.securityRules,subscriptionId
    | mvexpand SecurityRules)
    // Pull in the subscription display name (surfaces as name1 after the join)
    | join kind=leftouter (ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    ) on $left.subscriptionId==$right.subscriptionId
    // A rule stores either a single prefix/port or an array; pick whichever is populated
    | extend Protocol=SecurityRules.properties.protocol,DestinationAddressPrefix=iff(SecurityRules.properties.destinationAddressPrefix=='[]',SecurityRules.properties.destinationAddressPrefixes,SecurityRules.properties.destinationAddressPrefix),destinationPortRanges=iif(SecurityRules.properties.destinationPortRanges=='[]',SecurityRules.properties.destinationPortRange,SecurityRules.properties.destinationPortRanges),SourceAddressPrefix=iif(SecurityRules.properties.sourceAddressPrefix=='[]',SecurityRules.properties.sourceAddressPrefixes,SecurityRules.properties.sourceAddressPrefix),sourcePortRanges=iif(SecurityRules.properties.sourcePortRanges=='[]',SecurityRules.properties.sourcePortRange,SecurityRules.properties.sourcePortRanges),Direction=tostring(SecurityRules.properties.direction),Priority=toint(SecurityRules.properties.priority),Access=SecurityRules.properties.access
    // Internet=1 flags inbound Allow rules whose source is Internet or *
    | project Internet=iif((tostring(Direction) == 'Inbound' and tostring(SourceAddressPrefix) in ('Internet','*') and tostring(Access)=="Allow"),1,0),NSG=name, Rule=SecurityRules.name, Subscription=name1,ResourceGroup=resourceGroup,Protocol,DestinationAddressPrefix,destinationPortRanges,SourceAddressPrefix,sourcePortRanges,Direction,Priority,Access,NetworkInterfaces,Subnets
    //| where tostring(Direction) =~ "{Direction}" or 'Both' =~ '{Direction}'   // Workbook direction filter
    | order by NSG, Direction, Priority asc
  • cgoenka, could you try just selecting a couple of NSGs and see if the workbook renders them correctly? I'm thinking that it could possibly be the part of the query below. In the workbook it's not commented out. If we verify that's the cause, I'll look at a different way to filter it.

    //| where id in~ ({selectedNSG})


  • parneson

    Hello bwatts670,
    I am getting hung up on the creation of the 'diagnostic setting'. Does this have to be performed per NSG in order to send the 'Activity Logs' to the 'Log Analytics Workspace'?

    What about new NSGs? Does this have to be performed every time an NSG is created?

    Thanks!

    Edit:
    I figured out I just didn't read far enough. You can create a policy to create diagnostic settings for each NSG as they are created, with a remediation task which will go back and apply the policy to all existing assets. 
    https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD


  • Aragorn

    I can't save, getting this error, any ideas?

    Details
    The blade Extension/AppInsightsExtension/Blade/UsageNotebookBlade failed to supply all the required parameters. The missing the required parameter(s) 'subscriptionId'.