More Info:
Ensure that IP forwarding enabled on your Azure virtual machines (VMs) is being monitored.
Risk Level: Medium
Address: Security, Operational Maturity
Compliance Standards: CISAZURE, CBP, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Enable Virtual Machine IP Forwarding Monitoring” in Azure using the Azure console, follow these steps:
1. Log in to the Azure Portal (https://portal.azure.com/).
2. Select the Virtual Machine for which you want to enable IP forwarding monitoring.
3. Click the “Networking” option in the left-hand menu.
4. Under “Networking”, click “Network Interfaces”.
5. Select the Network Interface associated with the Virtual Machine.
6. Under “Settings”, click “Network Security Group”.
7. Click “Inbound security rules”, then click the “Add” button.
8. On the “Add inbound security rule” page, provide the following details:
   - Name: Enter a name for the rule.
   - Priority: Enter a priority number for the rule.
   - Source: Select “Any” or specify the source IP address range.
   - Destination: Select “Any” or specify the destination IP address range.
   - Protocol: Select “Any” or specify the protocol type.
   - Action: Select “Allow” or “Deny”.
   - Enable logging: Select “On” to enable logging.
9. Click the “Add” button to create the rule.
10. Repeat steps 7-9 to create an outbound security rule with the same details.
11. Once the rules are created, IP forwarding monitoring is enabled for the Virtual Machine.
Using CLI
To enable Virtual Machine IP Forwarding Monitoring in Azure using the Azure CLI, follow these steps:
1. Open the Azure CLI on your local machine or use Azure Cloud Shell.
2. Log in to your Azure account:
```bash
az login
```
3. Once you are logged in, select the subscription that contains the virtual machine:
```bash
az account set --subscription <subscription_id>
```
4. Next, enable IP forwarding on the virtual machine's network interface. IP forwarding is a property of the NIC, not of the VM, so it is set with `az network nic update` (the `az vm update` command has no `--ip-forwarding` option):
```bash
az network nic update --name <nic_name> --resource-group <resource_group_name> --ip-forwarding true
```
5. Finally, enable monitoring for IP forwarding on the virtual machine:
```bash
az monitor diagnostic-settings create --resource <vm_name> --resource-group <resource_group_name> --name <diagnostic_setting_name> --logs '[{"category": "IPForwarding","enabled": true}]'
```
Replace <nic_name>, <vm_name>, <resource_group_name>, and <diagnostic_setting_name> with the appropriate values for your virtual machine.
Using Python
To enable Virtual Machine IP Forwarding Monitoring in Azure using Python, follow these steps:
1. Import the necessary libraries:
2. Authenticate and create a compute and monitor management client:
3. Get the virtual machine resource ID:
4. Create a diagnostic settings resource:
5. Enable IP forwarding monitoring:
This code will enable IP forwarding monitoring for the virtual machine in Azure.
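The code for the Python steps above is not present on this page. The following is an added example, not the page's own code nor Azure SDK code, that implements the monitoring half of this control against the JSON printed by `az network nic list -o json`: it reports every NIC with `enableIPForwarding` set and flags the ones not tagged as a network virtual appliance. The NIC records are constructed sample data and the `role` tag convention is an assumption for the example.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `az network nic list -o json`, trimmed to
# the fields used here; not real Azure output.
VM_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s"
SAMPLE_NICS = [
    {"name": "nva-nic", "resourceGroup": "rg-net", "enableIPForwarding": True,
     "tags": {"role": "firewall"}, "virtualMachine": {"id": VM_ID % ("rg-net", "nva-01")}},
    {"name": "web-nic", "resourceGroup": "rg-app", "enableIPForwarding": True,
     "tags": {}, "virtualMachine": {"id": VM_ID % ("rg-app", "web-01")}},
    {"name": "db-nic", "resourceGroup": "rg-app", "enableIPForwarding": False,
     "tags": {}, "virtualMachine": {"id": VM_ID % ("rg-app", "db-01")}},
    {"name": "orphan-nic", "resourceGroup": "rg-app", "enableIPForwarding": True,
     "tags": None, "virtualMachine": None},
]

# Assumed tagging convention: NVA NICs carry a "role" tag with one of these values.
APPROVED_ROLES = frozenset({"firewall", "nva", "router"})

def find_ip_forwarding_nics(nics: List[Dict]) -> List[Dict]:
    """One finding per NIC that has IP forwarding enabled.

    Forwarding lets a VM relay packets not addressed to it, which is expected
    only for NVAs, so NICs without an approved role tag are flagged for review.
    """
    findings = []
    for nic in nics:
        if not nic.get("enableIPForwarding"):
            continue
        vm = nic.get("virtualMachine") or {}          # None for an unattached NIC
        role = (nic.get("tags") or {}).get("role", "")
        findings.append({
            "nic": nic["name"],
            "resourceGroup": nic.get("resourceGroup"),
            "vm": vm["id"].rsplit("/", 1)[-1] if vm.get("id") else None,  # last ARM ID segment
            "status": "expected" if role in APPROVED_ROLES else "unexpected",
        })
    return findings

def audit(nic_json: str) -> List[Dict]:
    """Parse the CLI's JSON output and return the findings."""
    return find_ip_forwarding_nics(json.loads(nic_json))

if __name__ == "__main__":
    for f in audit(json.dumps(SAMPLE_NICS)):
        print(f"{f['status']:<10} nic={f['nic']} rg={f['resourceGroup']} vm={f['vm']}")
```

To run it against a live subscription, feed `audit()` the output of `az network nic list -o json` and review every "unexpected" finding; a NIC that should not forward can be corrected with `az network nic update --ip-forwarding false`.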