Objective
Add a new scanner rule (AZ-NET-013) to detect Virtual Networks that do not have an Azure Firewall deployed. A VNet should count as covered if it hosts an Azure Firewall itself, or if it is peered to a hub VNet that hosts one and its subnets carry a user-defined route sending 0.0.0.0/0 to that firewall's private IP; a firewall that exists but is not in the egress path provides no protection and should still be flagged.
Background
A VNet without an Azure Firewall relies solely on Network Security Groups for perimeter defence. NSGs filter on the 5-tuple (source and destination address, port, protocol) and nothing more: they provide no application-layer inspection, no FQDN or URL filtering, no threat-intelligence-based blocking, and no single choke point for centralised traffic logging. This leaves the network exposed to lateral movement and data exfiltration that look legitimate at the port level, for example outbound HTTPS to an attacker-controlled host.
Real-World Breach Scenario
An attacker whose traffic fits the existing NSG rules faces no secondary inspection layer. Without Azure Firewall, malicious outbound traffic such as data exfiltration or C2 communication over an allowed port cannot be detected or blocked at the network perimeter.
Compliance Mapping
- CIS Azure Benchmark: 6.4
- NIST CSF: PR.AC-5
- ISO 27001: A.13.1.1
- SOC 2: CC6.6
Deliverables
- scanner/rules/az_net_013.py — scan() function using Azure SDK
- playbooks/cli/fix_az_net_013.sh — deploy Azure Firewall guidance
- compliance/frameworks/cis_azure_benchmark.json — add AZ-NET-013 entry
- compliance/frameworks/nist_csf.json — add AZ-NET-013 entry
- compliance/frameworks/iso27001.json — add AZ-NET-013 entry
- compliance/frameworks/soc2.json — add AZ-NET-013 entry
Severity
HIGH
Category
Network
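Detection logic for the scan() deliverable, as an added worked example rather than the project's own scanner/rules/az_net_013.py. It goes beyond the literal objective by also accepting a firewall in a directly peered hub VNet, and only when a user-defined route sends 0.0.0.0/0 to that firewall's private IP. The input dicts, sample resource ids and the 10.0.1.4 address are constructed; the field names (ip_configurations, subnet.id, private_ip_address, virtual_network_peerings, remote_virtual_network, route_table, next_hop_ip_address) are assumed to mirror the azure-mgmt-network models that the real rule would populate from NetworkManagementClient.

```python
"""AZ-NET-013 detection logic.

Added worked example; not the project's own scanner/rules/az_net_013.py.
Assumption (mine, not stated in the task): inputs are plain dicts shaped like
the azure-mgmt-network models (snake_case keys). The real rule would fill them
from NetworkManagementClient.virtual_networks.list_all(),
.azure_firewalls.list_all() and .route_tables.list_all().
"""
import re

RULE_ID, SEVERITY, CATEGORY = "AZ-NET-013", "HIGH", "Network"

# .../virtualNetworks/<vnet>/subnets/<subnet> -> capture the parent VNet id
_SUBNET_ID = re.compile(
    r"^(?P<vnet>/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/virtualNetworks/[^/]+)/subnets/[^/]+$", re.IGNORECASE)


def vnet_id_of_subnet(subnet_id):
    """Parent VNet id (lower-cased; Azure ids are case-insensitive) of a subnet id, or None."""
    m = _SUBNET_ID.match(subnet_id or "")
    return m.group("vnet").lower() if m else None


def firewalls_by_vnet(firewalls):
    """Map hosting VNet id -> set of firewall private IPs.

    A firewall's ip_configurations reference its AzureFirewallSubnet, whose
    parent is the hosting VNet. Virtual WAN hub firewalls have no subnet and
    are skipped: they cannot be a UDR next hop for a classic VNet.
    """
    out = {}
    for fw in firewalls:
        for ipc in fw.get("ip_configurations") or []:
            vnet = vnet_id_of_subnet((ipc.get("subnet") or {}).get("id"))
            if vnet and ipc.get("private_ip_address"):
                out.setdefault(vnet, set()).add(ipc["private_ip_address"])
    return out


def default_route_next_hops(vnet, route_tables):
    """Next-hop IPs of 0.0.0.0/0 VirtualAppliance routes on the VNet's subnets."""
    tables = {rt["id"].lower(): rt for rt in route_tables}
    hops = set()
    for subnet in vnet.get("subnets") or []:
        rt_id = ((subnet.get("route_table") or {}).get("id") or "").lower()
        for route in (tables.get(rt_id) or {}).get("routes") or []:
            if (route.get("address_prefix") == "0.0.0.0/0"
                    and route.get("next_hop_type") == "VirtualAppliance"
                    and route.get("next_hop_ip_address")):
                hops.add(route["next_hop_ip_address"])
    return hops


def evaluate_vnet(vnet, fw_by_vnet, route_tables):
    """Finding dict for an unprotected VNet, or None when it is covered."""
    vid = vnet["id"].lower()
    if vid in fw_by_vnet:
        return None  # hosts an Azure Firewall itself (hub VNet)
    # Hub-and-spoke: a firewall in a directly peered VNet counts...
    hub_ips = set()
    for peering in vnet.get("virtual_network_peerings") or []:
        remote = ((peering.get("remote_virtual_network") or {}).get("id") or "").lower()
        hub_ips |= fw_by_vnet.get(remote, set())
    if not hub_ips:
        reason = "no Azure Firewall deployed in this VNet or any peered VNet"
    elif not (default_route_next_hops(vnet, route_tables) & hub_ips):
        # ...only if a UDR actually forces egress through it; otherwise the
        # firewall exists on paper and traffic never reaches it.
        reason = "peered to a VNet with Azure Firewall but no subnet routes 0.0.0.0/0 to it"
    else:
        return None
    return {"rule": RULE_ID, "severity": SEVERITY, "category": CATEGORY,
            "resource": vnet["id"], "reason": reason}


def scan(vnets, firewalls, route_tables):
    """Evaluate every VNet; an empty list means all VNets are covered."""
    fw_by_vnet = firewalls_by_vnet(firewalls)
    return [f for f in (evaluate_vnet(v, fw_by_vnet, route_tables) for v in vnets) if f]


# Constructed sample inventory (not real resources): a hub hosting the
# firewall, a spoke with a UDR to it, a spoke without one, and an isolated VNet.
NET = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network"
HUB, SPOKE_A, SPOKE_B, ISLAND = (f"{NET}/virtualNetworks/{n}" for n in ("hub", "spoke-a", "spoke-b", "island"))
RT = f"{NET}/routeTables/rt-egress"
SAMPLE_FIREWALLS = [{"id": f"{NET}/azureFirewalls/fw-hub", "ip_configurations": [
    {"subnet": {"id": f"{HUB}/subnets/AzureFirewallSubnet"}, "private_ip_address": "10.0.1.4"}]}]
SAMPLE_ROUTE_TABLES = [{"id": RT, "routes": [{"address_prefix": "0.0.0.0/0",
    "next_hop_type": "VirtualAppliance", "next_hop_ip_address": "10.0.1.4"}]}]
SAMPLE_VNETS = [
    {"id": HUB, "subnets": [{"id": f"{HUB}/subnets/AzureFirewallSubnet"}], "virtual_network_peerings": []},
    {"id": SPOKE_A, "subnets": [{"id": f"{SPOKE_A}/subnets/app", "route_table": {"id": RT}}],
     "virtual_network_peerings": [{"remote_virtual_network": {"id": HUB}}]},
    {"id": SPOKE_B, "subnets": [{"id": f"{SPOKE_B}/subnets/app"}],
     "virtual_network_peerings": [{"remote_virtual_network": {"id": HUB}}]},
    {"id": ISLAND, "subnets": [{"id": f"{ISLAND}/subnets/app"}], "virtual_network_peerings": []},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_VNETS, SAMPLE_FIREWALLS, SAMPLE_ROUTE_TABLES):
        print(f["severity"], f["resource"].rsplit("/", 1)[-1], "-", f["reason"])
```

Run against the sample inventory, scan() reports spoke-b (peered to the hub but with no default route to the firewall) and island (no firewall anywhere), and accepts hub and spoke-a. In the real rule the three lists would come from the corresponding list_all() calls; ids are compared case-insensitively because Azure treats resource ids that way. Virtual WAN secured hubs are deliberately out of scope here, since a VNet connected to one has no AzureFirewallSubnet to find, and would need a separate check.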