Network-25535 : Outbound traffic from VNET integrated workloads is routed through Azure Firewall #746
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for network traffic flowing between application workloads and external destinations. Routing outbound traffic through Azure Firewall enables organizations to apply consistent security controls such as threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement. In a secure network architecture, outbound traffic from workloads hosted in Azure virtual networks should be explicitly routed through Azure Firewall before reaching the internet or external services. VNET integrated workloads include VMs, AKS Node Pools, AKS Pods, App Service (VNet Integration Route All), Functions in VNet. This is typically achieved by configuring routing so that outbound traffic from workload subnets uses Azure Firewall as the next hop. Without this routing in place, outbound traffic may bypass the firewall entirely, reducing visibility and allowing traffic to leave the environment without inspection or policy enforcement.This check verifies that outbound traffic from in-scope workloads is routed through Azure Firewall by validating that the effective network routes direct outbound traffic to the firewall’s private IP address. If outbound traffic is not routed through Azure Firewall, the check fails because traffic may bypass centralized security controls, increasing the risk of data exfiltration, command-and-control communication, and undetected malicious activity. | ||
|
|
||
| **Remediation action** | ||
|
|
||
| - [Deploy and configure Azure Firewall using the Azure portal](https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal#configure-routing) | ||
| - [Control outbound traffic with Azure Firewall ](https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall) | ||
|
|
||
| <!--- Results ---> | ||
| %TestResult% | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,317 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Test to check if outbound traffic from VNET integrated workloads is routed through Azure Firewall | ||
|
|
||
| .NOTES | ||
| Some Azure Firewall documentation links may return 404 errors. | ||
| This test uses the Azure REST API version 2025-03-01. | ||
| #> | ||
|
|
||
| function Test-Assessment-25535 { | ||
| [ZtTest( | ||
| Category = 'Azure Network Security', | ||
| ImplementationCost = 'Medium', | ||
| MinimumLicense = ('Azure_Firewall_Basic', 'Azure_Firewall_Standard', 'Azure_Firewall_Premium'), | ||
| Pillar = 'Network', | ||
| RiskLevel = 'High', | ||
| SfiPillar = 'Protect networks', | ||
| TenantType = ('Workforce', 'External'), | ||
| TestId = 25535, | ||
| Title = 'Outbound traffic from VNET integrated workloads is routed through Azure Firewall', | ||
| UserImpact = 'Low' | ||
| )] | ||
| [CmdletBinding()] | ||
| param() | ||
|
|
||
| Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose | ||
|
|
||
| if ((Get-MgContext).Environment -ne 'Global') { | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| Write-PSFMessage "This test is only applicable to the Global environment." -Tag Test -Level VeryVerbose | ||
| return | ||
| } | ||
|
|
||
| #region Data Collection | ||
| try { | ||
| $accessToken = Get-AzAccessToken -AsSecureString -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | ||
| } | ||
| catch { | ||
| Write-PSFMessage $_.Exception.Message -Tag Test -Level Error | ||
| } | ||
|
|
||
| if (-not $accessToken) { | ||
| Write-PSFMessage "Azure authentication token not found." -Tag Test -Level Warning | ||
| Add-ZtTestResultDetail -SkippedBecause NoAzureAccess | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| return | ||
| } | ||
|
|
||
| # Query 1: List all subscriptions | ||
| $subscriptions = Get-AzSubscription | ||
|
|
||
| $firewalls = @() | ||
| $nicFindings = @() | ||
|
|
||
| foreach ($sub in $subscriptions) { | ||
|
|
||
| Set-AzContext -SubscriptionId $sub.Id | Out-Null | ||
| $subId = $sub.Id | ||
|
|
||
| # Query 2: List Azure Firewalls | ||
| $fwListUri = "/subscriptions/$subId/providers/Microsoft.Network/azureFirewalls?api-version=2025-03-01" | ||
|
|
||
| try { | ||
| $fwResp = Invoke-AzRestMethod -Path $fwListUri -Method GET | ||
| } | ||
| catch { | ||
| Write-PSFMessage "Unable to list Azure Firewalls in subscription $($sub.Name)." -Tag Test -Level Warning | ||
| continue | ||
| } | ||
|
|
||
| $fwItems = ($fwResp.Content | ConvertFrom-Json).value | ||
| if (-not $fwItems) { continue } | ||
|
|
||
| # Query 3: Get Firewall Details (resolve private IPs) | ||
| foreach ($fw in $fwItems) { | ||
|
|
||
| $fwDetailUri = "$($fw.id)?api-version=2025-03-01" | ||
|
|
||
| try { | ||
| $fwDetailResp = Invoke-AzRestMethod -Path $fwDetailUri -Method GET | ||
| $fwDetail = $fwDetailResp.Content | ConvertFrom-Json | ||
| } | ||
| catch { continue } | ||
|
|
||
| foreach ($ipconfig in $fwDetail.properties.ipConfigurations) { | ||
| if ($ipconfig.properties.privateIPAddress) { | ||
| $firewalls += [PSCustomObject]@{ | ||
| FirewallName = $fwDetail.name | ||
| FirewallId = $fwDetail.id | ||
| PrivateIP = $ipconfig.properties.privateIPAddress | ||
| SubscriptionId = $subId | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| if ($firewalls.Count -eq 0) { continue } | ||
|
|
||
| # Query 4: List NICs | ||
| $nicListUri = "/subscriptions/$subId/providers/Microsoft.Network/networkInterfaces?api-version=2025-03-01" | ||
|
|
||
| try { | ||
| $nicResp = Invoke-AzRestMethod -Path $nicListUri -Method GET | ||
| } | ||
| catch { | ||
| Write-PSFMessage "Unable to list network interfaces in subscription $($sub.Name)." -Tag Test -Level Warning | ||
| continue | ||
| } | ||
|
|
||
| $nics = ($nicResp.Content | ConvertFrom-Json).value | ||
|
|
||
| # Query 5: Stage 1 - Launch all async effectiveRouteTable requests | ||
| $asyncOperations = @() | ||
|
|
||
| foreach ($nic in $nics) { | ||
| foreach ($ipconfig in $nic.properties.ipConfigurations) { | ||
|
|
||
| if (-not $ipconfig.properties.subnet?.id) { continue } | ||
|
|
||
| $subnetId = $ipconfig.properties.subnet.id | ||
| if ($subnetId -match 'AzureFirewallSubnet|GatewaySubnet|AzureBastionSubnet') { | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| continue | ||
| } | ||
|
|
||
| $rg = ($nic.id -split '/')[4] | ||
| $nicName = $nic.name | ||
|
|
||
| $ertUri = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Network/networkInterfaces/$nicName/effectiveRouteTable?api-version=2025-03-01" | ||
|
|
||
| try { | ||
| $ertStart = Invoke-AzRestMethod -Path $ertUri -Method POST | ||
| $operationUri = $ertStart.Headers.Location[0] | ||
|
|
||
| $retryAfter = if ($ertStart.Headers.'Retry-After') { | ||
| [int]$ertStart.Headers.'Retry-After'[0] | ||
| } else { 5 } | ||
|
|
||
| $asyncOperations += @{ | ||
| OperationUri = $operationUri | ||
| Nic = $nic | ||
| RetryAfter = $retryAfter | ||
| Timestamp = Get-Date | ||
| SubnetId = $subnetId | ||
| SubscriptionId = $sub.Id | ||
| SubscriptionName = $sub.Name | ||
| } | ||
| } | ||
| catch { | ||
| Write-PSFMessage "Failed to initiate effectiveRouteTable request for NIC $nicName : $($_.Exception.Message)" -Tag Test -Level Warning | ||
| } | ||
| } | ||
| } | ||
|
|
||
| if ($asyncOperations.Count -eq 0) { continue } | ||
|
|
||
| Write-PSFMessage "Launched $($asyncOperations.Count) async effectiveRouteTable requests for subscription $($sub.Name)" -Tag Test -Level Verbose | ||
|
|
||
| # Query 5: Stage 2 - Poll all operations in parallel | ||
| $completedOperations = @() | ||
| $maxRetries = 120 # ~10 minutes with 5 second intervals | ||
|
|
||
| do { | ||
| $stillPending = @() | ||
|
|
||
| foreach ($op in $asyncOperations) { | ||
| if ($op.Completed) { | ||
| $completedOperations += $op | ||
| continue | ||
| } | ||
|
|
||
| try { | ||
| $ertPoll = Invoke-AzRestMethod -Uri $op.OperationUri -Method GET | ||
|
|
||
| if ($ertPoll.StatusCode -ne 202) { | ||
| $op.Routes = ($ertPoll.Content | ConvertFrom-Json).value | ||
| $op.Completed = $true | ||
| $completedOperations += $op | ||
| } else { | ||
| $stillPending += $op | ||
| } | ||
| } | ||
| catch { | ||
| Write-PSFMessage "Error polling operation for NIC $($op.Nic.name) : $($_.Exception.Message)" -Tag Test -Level Warning | ||
| $op.Completed = $true | ||
| $op.Error = $true | ||
| $completedOperations += $op | ||
| } | ||
| } | ||
|
|
||
| $asyncOperations = $stillPending | ||
|
|
||
| if ($asyncOperations.Count -gt 0) { | ||
| $maxRetries-- | ||
| if ($maxRetries -le 0) { | ||
| Write-PSFMessage "Timeout polling effectiveRouteTable operations. Processing $($asyncOperations.Count) incomplete operations." -Tag Test -Level Warning | ||
| $completedOperations += $asyncOperations | ||
| break | ||
| } | ||
|
|
||
| $retryAfter = ($asyncOperations | Select-Object -First 1).RetryAfter | ||
| Write-PSFMessage "Polling $($asyncOperations.Count) pending operations..." -Tag Test -Level Verbose | ||
| Start-Sleep -Seconds $retryAfter | ||
| } | ||
|
|
||
| } while ($asyncOperations.Count -gt 0) | ||
|
|
||
| # Query 5: Stage 3 - Process completed operations | ||
| foreach ($op in $completedOperations) { | ||
| if ($op.Error -or -not $op.Routes) { | ||
| $nicFindings += [PSCustomObject]@{ | ||
| NicName = $op.Nic.name | ||
| NicId = $op.Nic.id | ||
| NextHopType = 'Unknown' | ||
| NextHopIp = '' | ||
| IsCompliant = $false | ||
| SubscriptionId = $op.SubscriptionId | ||
| SubscriptionName = $op.SubscriptionName | ||
| SubnetId = $op.SubnetId | ||
| FirewallPrivateIp = 'N/A' | ||
| NextHopIpAddress = '' | ||
| } | ||
| continue | ||
| } | ||
|
|
||
| $defaultRoute = $op.Routes | Where-Object { | ||
| $_.state -eq 'Active' -and | ||
| $_.source -eq 'User' -and | ||
| ($_.addressPrefix -contains '0.0.0.0/0') | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| } | Select-Object -First 1 | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| if (-not $defaultRoute) { | ||
| $nicFindings += [PSCustomObject]@{ | ||
| NicName = $op.Nic.name | ||
| NicId = $op.Nic.id | ||
| NextHopType = 'Internet' | ||
| NextHopIp = '' | ||
| IsCompliant = $false | ||
| SubscriptionId = $op.SubscriptionId | ||
| SubscriptionName = $op.SubscriptionName | ||
| SubnetId = $op.SubnetId | ||
| FirewallPrivateIp = 'N/A' | ||
| NextHopIpAddress = '' | ||
| } | ||
| continue | ||
| } | ||
|
|
||
| $fwMatch = $firewalls | Where-Object { | ||
| # Handle nextHopIpAddress being either a string or an array | ||
| $nextHop = $defaultRoute.nextHopIpAddress | ||
| ( ($nextHop -eq $_.PrivateIP) -or ($nextHop -contains $_.PrivateIP) ) | ||
| } | Select-Object -First 1 | ||
|
|
||
| $nicFindings += [PSCustomObject]@{ | ||
| FirewallName = if ($fwMatch) { $fwMatch.FirewallName } else { 'N/A' } | ||
| FirewallId = if ($fwMatch) { $fwMatch.FirewallId } else { 'N/A' } | ||
| FirewallPrivateIp = if ($fwMatch) { $fwMatch.PrivateIP } else { 'N/A' } | ||
| NicName = $op.Nic.name | ||
| NicId = $op.Nic.id | ||
| RouteSource = $defaultRoute.source | ||
| RouteState = $defaultRoute.state | ||
| AddressPrefix = ($defaultRoute.addressPrefix -join ',') | ||
| NextHopType = $defaultRoute.nextHopType | ||
| NextHopIpAddress = ($defaultRoute.nextHopIpAddress -join ',') | ||
| IsCompliant = ($fwMatch -ne $null) | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| SubscriptionId = $op.SubscriptionId | ||
| SubscriptionName = $op.SubscriptionName | ||
| SubnetId = $op.SubnetId | ||
| } | ||
| } | ||
| } | ||
| #endregion Data Collection | ||
|
|
||
| #region Assessment Logic | ||
| if ($nicFindings.Count -eq 0) { | ||
| Add-ZtTestResultDetail -SkippedBecause NoResults | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| return | ||
| } | ||
|
|
||
| $passed = ($nicFindings | Where-Object { -not $_.IsCompliant }).Count -eq 0 | ||
|
|
||
| $testResultMarkdown = if ($passed) { | ||
| "Outbound traffic is routed through Azure Firewall.`n`n%TestResult%" | ||
| } else { | ||
| "Outbound traffic is not routed through Azure Firewall.`n`n%TestResult%" | ||
| } | ||
| #endregion Assessment Logic | ||
|
|
||
| #region Report Generation | ||
| $mdInfo = "## Outbound traffic routing evidence`n`n" | ||
| $mdInfo += "| Subscription | Network interface | Subnet | Azure firewall private IP | Default route next hop type | Next hop IP address | Result |`n" | ||
|
Collaborator
There was a problem hiding this comment. The specification is asking for
Collaborator
Author
There was a problem hiding this comment. 
I only found these column to be included. |
||
| $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" | ||
|
|
||
| foreach ($item in $nicFindings | Sort-Object SubscriptionName, NicName) { | ||
| $icon = if ($item.IsCompliant) { '✅' } else { '❌' } | ||
|
|
||
| $subName = if ($item.SubscriptionName) { $item.SubscriptionName } else { 'N/A' } | ||
| $subLink = "https://portal.azure.com/#resource/subscriptions/$($item.SubscriptionId)" | ||
| $subMd = "[$(Get-SafeMarkdown -Text $subName)]($subLink)" | ||
|
|
||
| $nicName = if ($item.NicName) { $item.NicName } else { 'N/A' } | ||
| $nicLink = "https://portal.azure.com/#resource$($item.NicId)" | ||
| $nicMd = "[$(Get-SafeMarkdown -Text $nicName)]($nicLink)" | ||
|
|
||
| $subnetName = if ($item.SubnetId) { ($item.SubnetId -split '/')[-1] } else { 'N/A' } | ||
| $subnetLink = "https://portal.azure.com/#resource$($item.SubnetId)" | ||
| $subnetMd = "[$(Get-SafeMarkdown -Text $subnetName)]($subnetLink)" | ||
|
|
||
| $fwIp = if ($item.FirewallPrivateIp) { $item.FirewallPrivateIp } else { 'N/A' } | ||
| $nextHopType = if ($item.NextHopType) { $item.NextHopType } else { 'None' } | ||
| $nextHopIp = if ($item.NextHopIpAddress) { $item.NextHopIpAddress } else { '' } | ||
|
|
||
| $mdInfo += "| $subMd | $nicMd | $subnetMd | $fwIp | $nextHopType | $nextHopIp | $icon |`n" | ||
| } | ||
|
|
||
| $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $mdInfo | ||
| #endregion Report Generation | ||
|
|
||
| Add-ZtTestResultDetail -TestId '25535' -Status $passed -Result $testResultMarkdown | ||
kshitiz-prog marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.