More Info:

Ensure that IP forwarding enabled on your Azure virtual machines (VMs) is being monitored.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Enable Virtual Machine IP Forwarding Monitoring” in Azure using Azure console, please follow the below steps:
  1. Login to Azure Portal (https://portal.azure.com/).
  2. Select the Virtual Machine for which you want to enable IP forwarding monitoring.
  3. Click on the “Networking” option from the left-hand side menu.
  4. Under “Networking”, click on “Network Interfaces”.
  5. Select the Network Interface associated with the Virtual Machine.
  6. Under “Settings”, click on “Network Security Group”.
  7. Click on “Inbound security rules” and then click on the “Add” button.
  8. In the “Add inbound security rule” page, provide the below details:
    • Name: Enter a name for the rule.
    • Priority: Enter a priority number for the rule.
    • Source: Select “Any” or specify the source IP address range.
    • Destination: Select “Any” or specify the destination IP address range.
    • Protocol: Select “Any” or specify the protocol type.
    • Action: Select “Allow” or “Deny”.
    • Enable logging: Select “On” to enable logging.
  9. Click on the “Add” button to create the rule.
  10. Repeat steps 7-9 to create an outbound security rule with the same details.
  11. Once the rules are created, IP forwarding monitoring will be enabled for the Virtual Machine.
Note: Enabling IP forwarding monitoring allows the Virtual Machine to forward traffic from one network interface to another.

To enable Virtual Machine IP Forwarding Monitoring in AZURE using AZURE CLI, you can follow these steps:
  1. Open the AZURE CLI on your local machine or use the AZURE CLI Cloud Shell.
  2. Login to your AZURE account using the command: az login
  3. Once you are logged in, select the subscription in which the virtual machine is present using the command: az account set --subscription <subscription_id>
  4. Next, enable IP forwarding on the virtual machine using the following command: az vm update --name <vm_name> --resource-group <resource_group_name> --set networkProfile.networkInterfaceConfigurations[0].ipConfigurations[0].publicIpAddress.id=<public_ip_id> --ip-forwarding true
  5. Finally, enable monitoring for IP forwarding on the virtual machine using the following command: az monitor diagnostic-settings create --resource <vm_name> --resource-group <resource_group_name> --name <diagnostic_setting_name> --logs '[{"category": "IPForwarding","enabled": true}]'
Note: Replace <vm_name>, <resource_group_name>, <public_ip_id>, and <diagnostic_setting_name> with the appropriate values for your virtual machine.
To enable Virtual Machine IP Forwarding Monitoring in Azure using Python, you can follow these steps:
  1. Import the necessary libraries:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import DiagnosticSettingsResource, LogSettings, \
    MetricSettings, DiagnosticSettingsCategoryResource, RetentionPolicy
  1. Authenticate and create a compute and monitor management client:
# Define the credentials and subscription ID
credentials = ServicePrincipalCredentials(
    client_id='<client_id>',
    secret='<client_secret>',
    tenant='<tenant_id>'
)

subscription_id = '<subscription_id>'

# Create the compute and monitor management client
compute_client = ComputeManagementClient(credentials, subscription_id)
monitor_client = MonitorManagementClient(credentials, subscription_id)
  1. Get the virtual machine resource ID:
# Define the resource group and virtual machine name
resource_group_name = '<resource_group_name>'
vm_name = '<vm_name>'

# Get the virtual machine resource ID
vm = compute_client.virtual_machines.get(resource_group_name, vm_name)
vm_id = vm.id
  1. Create a diagnostic settings resource:
# Define the diagnostic settings resource name
diag_settings_name = '<diag_settings_name>'

# Define the log settings
log_settings = LogSettings(enabled=True, retention_policy=RetentionPolicy(enabled=False))

# Define the metric settings
metric_settings = MetricSettings(enabled=True, retention_policy=RetentionPolicy(enabled=False))

# Define the diagnostic settings categories
categories = [
    DiagnosticSettingsCategoryResource(category_id='NetworkSecurityGroupFlowLogs', enabled=True),
    DiagnosticSettingsCategoryResource(category_id='NetworkSecurityGroupEventLogs', enabled=True),
    DiagnosticSettingsCategoryResource(category_id='AllMetrics', enabled=True)
]

# Create the diagnostic settings resource
diag_settings = DiagnosticSettingsResource(
    storage_account_id=None,
    workspace_id=None,
    event_hub_authorization_rule_id=None,
    event_hub_name=None,
    log_analytics_destination_type=None,
    metrics=metric_settings,
    logs=log_settings,
    workspace_resource_id=None,
    storage_account_subscription_id=None,
    event_hub_resource_id=None,
    workspace_resource_id_for_log_analytics=None,
    categories=categories
)
  1. Enable IP forwarding monitoring:
# Add the IPForwarding property to the NetworkSecurityGroupFlowLogs category
for category in diag_settings.categories:
    if category.category_id == 'NetworkSecurityGroupFlowLogs':
        category.properties = {'IPForwarding': 'true'}

# Create or update the diagnostic settings resource
monitor_client.diagnostic_settings.create_or_update(
    resource_uri=vm_id,
    name=diag_settings_name,
    parameters=diag_settings
)
This code will enable IP forwarding monitoring for the virtual machine in Azure.