Microsoft.Network.networkSecurityGroups.delete

​

Event Information

1. The Microsoft.Network.networkSecurityGroups.delete event in Azure for AzureNetwork indicates that a network security group (NSG) has been deleted within the specified Azure network.

2. This event signifies that the NSG rules and configurations associated with the deleted NSG will no longer be enforced, potentially impacting the network traffic and security within the Azure network.

3. It is important to review the reason for the deletion and ensure that it was intentional, as accidental deletion of an NSG can lead to unintended network vulnerabilities. Additionally, any dependencies or references to the deleted NSG should be updated to avoid any disruptions in network connectivity or security policies.

​

Examples

1. Unauthorized deletion: If security is impacted with Microsoft.Network.networkSecurityGroups.delete in Azure for AzureNetwork, it could potentially lead to unauthorized deletion of network security groups. This can result in the removal of important security rules and configurations, leaving the network vulnerable to potential attacks.

2. Access control misconfiguration: Deleting network security groups without proper authorization can also lead to access control misconfiguration. This means that certain resources or services may become accessible to unauthorized users or entities, compromising the overall security of the AzureNetwork.

3. Compliance violations: Deleting network security groups without following proper security protocols can result in compliance violations. Organizations that need to adhere to specific compliance standards, such as PCI DSS or HIPAA, may face penalties or loss of certification if security measures are not properly maintained.

​

Remediation

​

Using Console

To remediate the issues mentioned in the previous response for Azure Network using the Azure console, you can follow these step-by-step instructions:

1. Enable Network Security Groups (NSGs):

   • Go to the Azure portal and navigate to the desired virtual network.
   • Select “Network security groups” from the left-hand menu.
   • Click on “Add” to create a new NSG or select an existing NSG.
   • Configure inbound and outbound security rules based on your requirements.
   • Apply the NSG to the desired subnets or network interfaces.

2. Implement Azure DDoS Protection Standard:

   • Go to the Azure portal and navigate to the desired virtual network.
   • Select “Distributed denial of service (DDoS) protection” from the left-hand menu.
   • Click on “Enable DDoS protection” and choose the “Standard” tier.
   • Configure the DDoS protection settings based on your requirements.
   • Apply the DDoS protection to the desired resources within the virtual network.

3. Implement Azure Firewall:

   • Go to the Azure portal and navigate to the desired virtual network.
   • Select “Firewalls and virtual networks” from the left-hand menu.
   • Click on “Add” to create a new Azure Firewall or select an existing one.
   • Configure the firewall rules and network rules based on your requirements.
   • Associate the Azure Firewall with the desired subnets or network interfaces.

Note: The above instructions are general guidelines, and you may need to adapt them based on your specific requirements and Azure environment setup. It is recommended to refer to the official Azure documentation for detailed instructions and best practices.

​

Using CLI

To remediate issues related to Azure Network using Azure CLI, you can use the following commands:

1. Example 1: Enable Network Security Group (NSG) Flow Logs

   • Command: az network watcher flow-log configure
   • Description: This command enables flow logs for a specific NSG, allowing you to capture and analyze network traffic.
   • Parameters: You need to provide the resource group name, NSG name, storage account ID, and storage account key.

2. Example 2: Restrict Network Access using Network Security Groups (NSGs)

   • Command: az network nsg rule create
   • Description: This command creates a new rule in an NSG to restrict network access based on specific criteria.
   • Parameters: You need to provide the resource group name, NSG name, rule name, priority, source/destination IP addresses, ports, and action.

3. Example 3: Enable Azure DDoS Protection Standard

   • Command: az network ddos-protection update
   • Description: This command enables Azure DDoS Protection Standard for a specific virtual network, providing protection against DDoS attacks.
   • Parameters: You need to provide the resource group name and virtual network name.

Note: The provided commands are examples and may require additional parameters based on your specific requirements. Make sure to refer to the official Azure CLI documentation for detailed usage and options.

​

Using Python

To remediate issues related to AzureNetwork using Python, you can use the Azure SDK for Python. Here are three examples of how you can remediate common issues:

1. Example 1: Enable Network Security Group (NSG) Flow Logs

   • Use the azure.mgmt.network package to retrieve the NSG resource.
   • Enable flow logs for the NSG by setting the enable_flow_logs property to True.
   • Update the NSG resource using the network_client.network_security_groups.create_or_update method.

   from azure.identity import DefaultAzureCredential
   from azure.mgmt.network import NetworkManagementClient
   
   # Authenticate using default credentials
   credential = DefaultAzureCredential()
   network_client = NetworkManagementClient(credential, subscription_id)
   
   # Retrieve the NSG resource
   nsg = network_client.network_security_groups.get(resource_group_name, nsg_name)
   
   # Enable flow logs for the NSG
   nsg.enable_flow_logs = True
   
   # Update the NSG resource
   network_client.network_security_groups.create_or_update(resource_group_name, nsg_name, nsg)
   

2. Example 2: Add a Network Security Rule to an NSG

   • Use the azure.mgmt.network package to retrieve the NSG resource.
   • Add a new security rule to the NSG by appending it to the security_rules list.
   • Update the NSG resource using the network_client.network_security_groups.create_or_update method.

   from azure.identity import DefaultAzureCredential
   from azure.mgmt.network import NetworkManagementClient
   
   # Authenticate using default credentials
   credential = DefaultAzureCredential()
   network_client = NetworkManagementClient(credential, subscription_id)
   
   # Retrieve the NSG resource
   nsg = network_client.network_security_groups.get(resource_group_name, nsg_name)
   
   # Add a new security rule to the NSG
   nsg.security_rules.append({
       'name': 'Allow-SSH',
       'protocol': 'Tcp',
       'source_port_range': '*',
       'destination_port_range': '22',
       'source_address_prefix': '*',
       'destination_address_prefix': '*',
       'access': 'Allow',
       'priority': 100,
       'direction': 'Inbound'
   })
   
   # Update the NSG resource
   network_client.network_security_groups.create_or_update(resource_group_name, nsg_name, nsg)
   

3. Example 3: Update Virtual Network Subnet

   • Use the azure.mgmt.network package to retrieve the virtual network resource.
   • Update the subnet properties, such as the address prefix, by modifying the subnets list.
   • Update the virtual network resource using the network_client.virtual_networks.create_or_update method.

   from azure.identity import DefaultAzureCredential
   from azure.mgmt.network import NetworkManagementClient
   
   # Authenticate using default credentials
   credential = DefaultAzureCredential()
   network_client = NetworkManagementClient(credential, subscription_id)
   
   # Retrieve the virtual network resource
   vnet = network_client.virtual_networks.get(resource_group_name, vnet_name)
   
   # Update the subnet properties
   for subnet in vnet.subnets:
       if subnet.name == subnet_name:
           subnet.address_prefix = '10.0.0.0/24'
   
   # Update the virtual network resource
   network_client.virtual_networks.create_or_update(resource_group_name, vnet_name, vnet)