
feat: AZ-NET-013 Azure Firewall not enabled on Virtual Network#92

Open
aav-wh wants to merge 2 commits into
openshield-org:devfrom
aav-wh:feat/az-net-013

Conversation

@aav-wh
Contributor

@aav-wh aav-wh commented May 30, 2026

Summary

Adds a new HIGH severity scanner rule to detect Virtual Networks that do not have an Azure Firewall deployed.

Changes

  • scanner/rules/az_net_013.py — scan rule detecting VNets without Azure Firewall
  • playbooks/cli/fix_az_net_013.sh — remediation playbook to deploy Azure Firewall
  • scanner/azure_client.py — added get_azure_firewalls() method
  • Updated CIS, NIST CSF, ISO 27001, SOC 2 compliance JSON files

Why

A VNet without Azure Firewall relies solely on NSGs for perimeter defence. NSGs provide no deep packet inspection, threat intelligence filtering, or centralised traffic logging, leaving the network vulnerable to lateral movement and data exfiltration.

Compliance

  • CIS: 6.4
  • NIST CSF: PR.AC-5
  • ISO 27001: A.13.1.1
  • SOC 2: CC6.6

Closes #91

- Add scanner/rules/az_net_013.py to detect VNets without Azure Firewall
- Add playbooks/cli/fix_az_net_013.sh for remediation
- Add get_azure_firewalls() method to scanner/azure_client.py
- Update CIS, ISO 27001, NIST CSF, SOC 2 compliance mappings

Severity: HIGH | Category: Network
Closes openshield-org#91
Vishnu2707 previously approved these changes May 30, 2026
Member

@Vishnu2707 Vishnu2707 left a comment


Approved. get_azure_firewalls() is scoped to the resource group and follows the client pattern. One logical gap worth a follow-up issue: the scan flags a VNet if its own resource group has no firewall, but a hub-spoke setup could have the firewall in a separate resource group; this will produce false positives. Not blocking for now but worth tracking @aav-wh
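The false-positive case described in the review above, as an added illustration that is not code from this PR or from the openshield-org repository: a resource-group-scoped check is contrasted with a placement-aware check that follows each firewall's `ipConfigurations[].subnet.id` back to the VNet that hosts it and also accepts VNets peered to that hub. The dataclasses, function names and the sample resource IDs are constructed for the example and do not mirror `scanner/azure_client.py` or `az_net_013.py`.

```python
# Added example (not the project's scanner code): resource-group-scoped
# vs. placement-aware detection of VNets without an Azure Firewall.
from __future__ import annotations

from dataclasses import dataclass, field


def _resource_group_of(resource_id: str) -> str:
    """Return the resource group segment of an ARM resource ID (case-folded)."""
    parts = resource_id.split("/")
    return parts[parts.index("resourceGroups") + 1].lower()


def _vnet_id_of_subnet(subnet_id: str) -> str:
    """Strip '/subnets/<name>' from a subnet ID to obtain the parent VNet ID."""
    head, sep, _ = subnet_id.rpartition("/subnets/")
    if not sep:
        raise ValueError(f"not a subnet resource ID: {subnet_id}")
    return head


@dataclass
class VNet:
    id: str
    # remoteVirtualNetwork.id of each entry in properties.virtualNetworkPeerings
    peer_vnet_ids: list[str] = field(default_factory=list)


@dataclass
class Firewall:
    id: str
    # properties.ipConfigurations[].subnet.id (normally .../subnets/AzureFirewallSubnet)
    subnet_ids: list[str] = field(default_factory=list)


def rg_scoped_unprotected(vnets: list[VNet], firewalls: list[Firewall]) -> list[str]:
    """Naive rule: a VNet is unprotected if its own resource group holds no firewall.
    This is the heuristic that misfires on hub-spoke topologies."""
    rgs_with_fw = {_resource_group_of(fw.id) for fw in firewalls}
    return sorted(v.id for v in vnets if _resource_group_of(v.id) not in rgs_with_fw)


def placement_aware_unprotected(vnets: list[VNet], firewalls: list[Firewall]) -> list[str]:
    """A VNet counts as protected if a firewall's ipConfiguration subnet lives in it,
    or in a VNet it peers with (a hub hosting the firewall for its spokes)."""
    fw_vnets = {_vnet_id_of_subnet(s).lower() for fw in firewalls for s in fw.subnet_ids}
    unprotected = []
    for v in vnets:
        candidates = {v.id.lower(), *(p.lower() for p in v.peer_vnet_ids)}
        if not candidates & fw_vnets:
            unprotected.append(v.id)
    return sorted(unprotected)


# Constructed sample topology (placeholder subscription ID): a hub VNet that hosts
# the firewall, a spoke peered to the hub in its own resource group, and an
# isolated VNet with neither a firewall nor a peering.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
HUB_VNET = f"{SUB}/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub"
SPOKE_VNET = f"{SUB}/resourceGroups/rg-spoke/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
ISO_VNET = f"{SUB}/resourceGroups/rg-iso/providers/Microsoft.Network/virtualNetworks/vnet-isolated"
HUB_FW = f"{SUB}/resourceGroups/rg-hub/providers/Microsoft.Network/azureFirewalls/fw-hub"

SAMPLE_VNETS = [
    VNet(HUB_VNET, peer_vnet_ids=[SPOKE_VNET]),
    VNet(SPOKE_VNET, peer_vnet_ids=[HUB_VNET]),
    VNet(ISO_VNET),
]
SAMPLE_FIREWALLS = [Firewall(HUB_FW, subnet_ids=[f"{HUB_VNET}/subnets/AzureFirewallSubnet"])]


if __name__ == "__main__":
    print("RG-scoped flags:       ", rg_scoped_unprotected(SAMPLE_VNETS, SAMPLE_FIREWALLS))
    print("Placement-aware flags: ", placement_aware_unprotected(SAMPLE_VNETS, SAMPLE_FIREWALLS))
```

The resource-group check flags both the spoke and the isolated VNet; the placement-aware check flags only the isolated one. Note that peering is still only a topology signal: it does not prove that the spoke's route tables actually send traffic through the firewall, so a stricter rule would additionally inspect the spoke subnets' user-defined routes.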

@Vishnu2707
Member

Resolved the conflicts!

@Vishnu2707
Member

CI is failing, all 4 compliance JSONs have invalid JSON at the merge conflict resolution. Looks like the conflict markers weren't cleaned up properly, missing a comma delimiter around line 170 in cis, nist, iso27001 and line 165 in soc2. Fix the JSON syntax in those files and push again @aav-wh

