feat(new): Added Azure.VNET.PrivateSubnet (Azure#2999)

BenjaminEngeset · BernieWhite · web-flow · commit 6fa18b6646e3 · 2024-08-07T10:06:57.000+10:00
* feat(new): Added Azure.VNET.PrivateSubnet

* feat(new): Added Azure.VNET.PrivateSubnet

* feat: Referenced more aligned issue

* Update docs/en/rules/Azure.VNET.PrivateSubnet.md

Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;

* Update docs/en/rules/Azure.VNET.PrivateSubnet.md

Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;

* Update docs/en/rules/Azure.VNET.PrivateSubnet.md

Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;

* Update docs/en/rules/Azure.VNET.PrivateSubnet.md

Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;

* Update docs/en/rules/Azure.VNET.PrivateSubnet.md

Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;

* feat: Updated logic

* Updated Azure.VNET.PrivateSubnet

* Fixed tests

* Fixed merge conflict and updated tests

* Fix typos

---------

Co-authored-by: Bernie White &lt;bewhite@microsoft.com&gt;
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -128,6 +128,7 @@
     "VMSS",
     "VNET",
     "VNETs",
+    "VWAN",
     "webhook",
     "webhooks",
     "xunit"
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -29,6 +29,11 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 ## Unreleased
 
+- New rules:
+  - Virtual Network:
+    - Verify that subnets have disabled default outbound access for virtual machines by @BenjaminEngeset.
+      [#3001](https://github.com/Azure/PSRule.Rules.Azure/issues/3001)
+
 What's changed since pre-release v1.39.0-B0009:
 
 - New rules:
diff --git a/docs/en/rules/Azure.VNET.PrivateSubnet.md b/docs/en/rules/Azure.VNET.PrivateSubnet.md
@@ -0,0 +1,144 @@
+---
+severity: Critical
+pillar: Security
+category: SE:06 Network controls
+resource: Virtual Network
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VNET.PrivateSubnet/
+---
+
+# Disable default outbound access
+
+## SYNOPSIS
+
+Disable default outbound access for virtual machines.
+
+## DESCRIPTION
+
+Azure virtual network (VNET) subnets support disabling default outbound Internet access.
+By default, virtual machines (VMs) have outbound connectivity to the Internet.
+Default outbound Internet access also applies to virtual machine scale sets (VMSS) configured with the uniform orchestration mode.
+
+When default outbound is enabled traffic to the Internet is automatically routing via a shared NAT pool.
+The IP address used by the shared NAT pool is used across multiple customers, and is subject to change.
+
+Default outbound access for new VMs and VMSS is scheduled for retirement in September 2025.
+
+Alternatively, outbound access to the Internet can be explicitly configured.
+Explicit outbound access has the following benefits:
+
+- **Security**: Outbound Internet access can be used to transfer data or control out of your organization.
+  Controlling outbound access allows you to make an explicit choice about which workloads require this vs those that don't.
+- **Ownership and stability**: The default outbound access IP is managed by Microsoft and used by multiple customers.
+  As a result, you can't assume use the address for network security rules and the address might change unexpectedly in the future,
+  potentially causing disruptions to any configuration relying on a stable or fixed IP address.
+
+Explicit outbound access can be provided to a specific workload or application by:
+
+- Deploying a NAT gateway into the subnet where the VM or VMSS is deployed.
+- Deploying a Standard load balancer and configuring an outbound SNAT rule.
+
+A public IP address can also be attached to a specific VM instance to provide explicit outbound access.
+However, attaching a public IP address to a VM also allows inbound access from the Internet which further compromises the security of the VM.
+
+To provide outbound access to multiple workloads or applications a VWAN or hub and spoke network topology can be deployed.
+See the Azure Cloud Adoption Framework (CAF) for guidance and a reference architecture for deploying network connectivity in Azure.
+
+Note that there are limitations to this feature, so please refer to the documentation for detailed information.
+
+## RECOMMENDATION
+
+Consider using an explicit method of public connectivity for virtual machines.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To configure virtual networks that pass this rule:
+
+- For each subnet in defined the `properties.subnets` property:
+  - Set the `properties.defaultOutboundAccess` property to `false`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Network/virtualNetworks",
+  "apiVersion": "2023-11-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "addressSpace": {
+      "addressPrefixes": [
+        "10.0.0.0/16"
+      ]
+    },
+    "subnets": [
+      {
+        "name": "subnet-A",
+        "properties": {
+          "addressPrefix": "10.0.0.0/27",
+          "defaultOutboundAccess": false
+        }
+      },
+      {
+        "name": "subnet-B",
+        "properties": {
+          "addressPrefix": "10.0.0.32/27",
+          "defaultOutboundAccess": false
+        }
+      }
+    ]
+  }
+}
+```
+
+### Configure with Bicep
+
+To configure virtual networks that pass this rule:
+
+- For each subnet in defined the `properties.subnets` property:
+  - Set the `properties.defaultOutboundAccess` property to `false`.
+
+For example:
+
+```bicep
+resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
+  name: name
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.0.0.0/16'
+      ]
+    }
+    subnets: [
+      {
+        name: 'subnet-A'
+        properties: {
+          addressPrefix: '10.0.0.0/27'
+          defaultOutboundAccess: false
+        }
+      }
+      {
+        name: 'subnet-B'
+        properties: {
+          addressPrefix: '10.0.0.32/27'
+          defaultOutboundAccess: false
+        }
+      }
+    ]
+  }
+}
+```
+
+## NOTES
+
+This feature is currently in preview.
+
+## LINKS
+
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Default outbound access](https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access)
+- [Plan for inbound and outbound internet connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity)
+- [Azure deployment reference - Virtual Network](https://learn.microsoft.com/azure/templates/microsoft.network/virtualnetworks)
+- [Azure deployment reference - Subnet](https://learn.microsoft.com/azure/templates/microsoft.network/virtualnetworks/subnets)
diff --git a/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 b/src/PSRule.Rules.Azure/en/PSRule-rules.psd1
@@ -117,4 +117,5 @@
     ASEAvailabilityZoneVersion = "The app service environment ({0}) is not deployed with a version that supports zone-redundancy."
     AppServiceAvailabilityZoneSKU = "The app service plan ({0}) is not deployed with a SKU that supports zone-redundancy."
     FirewallSubnetNAT = "The firewall should have a NAT gateway associated."
-}
+    PrivateSubnet = "The subnet ({0}) should disable default outbound access."
+}
diff --git a/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1
@@ -15,7 +15,7 @@ Rule 'Azure.VNET.UseNSGs' -Ref 'AZR-000263' -Type 'Microsoft.Network/virtualNetw
     if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
         # Get subnets
         $subnet = @($TargetObject.properties.subnets | Where-Object {
-            [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.Name) -notin $excludedSubnets -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.Name) -notin $customExcludedSubnets -and @($_.properties.delegations | Where-Object { $_.properties.serviceName -eq 'Microsoft.HardwareSecurityModules/dedicatedHSMs' }).Length -eq 0
+                [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.Name) -notin $excludedSubnets -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.Name) -notin $customExcludedSubnets -and @($_.properties.delegations | Where-Object { $_.properties.serviceName -eq 'Microsoft.HardwareSecurityModules/dedicatedHSMs' }).Length -eq 0
             });
         if ($subnet.Length -eq 0 -or !$Assert.HasFieldValue($TargetObject, 'properties.subnets').Result) {
             return $Assert.Pass();
@@ -140,6 +140,29 @@ Rule 'Azure.VNET.FirewallSubnetNAT' -Ref 'AZR-000448' -Level 'Warning' -Type 'Mi
     }
 }
 
+# Synopsis: Disable default outbound access for virtual machines.
+Rule 'Azure.VNET.PrivateSubnet' -Ref 'AZR-000447' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'preview'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } {
+    $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'AzureBastionSubnet')
+    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
+        $subnets = @(
+            $TargetObject.properties.subnets | Where-Object { $null -ne $_ -and -not $_.properties.delegations -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.name) -notin $excludedSubnets }
+            GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets' | Where-Object { $null -ne $_ -and -not $_.properties.delegations -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.name) -notin $excludedSubnets }
+        )
+    }
+
+    else {
+        $subnets = @($TargetObject | Where-Object { -not $_.properties.delegations -and [PSRule.Rules.Azure.Runtime.Helper]::GetSubResourceName($_.name) -notin $excludedSubnets } )
+    }
+
+    if ($subnets.Count -eq 0) {
+        return $Assert.Pass()
+    }
+
+    foreach ($subnet in $subnets) {
+        $Assert.HasFieldValue($subnet, 'properties.defaultOutboundAccess', $false).Reason($LocalizedData.PrivateSubnet, $subnet.name)
+    }
+}
+
 #endregion Virtual Network
 
 #region Helper functions
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.VNET.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.VNET.Tests.ps1
@@ -77,8 +77,8 @@ Describe 'Azure.VNET' -Tag 'Network', 'VNET' {
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 6;
-            $ruleResult.TargetName | Should -BeIn 'vnet-A', 'vnet-E', 'vnet-F', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet', 'vnet-J/AzureFirewallSubnet';
+            $ruleResult.Length | Should -Be 9;
+            $ruleResult.TargetName | Should -BeIn 'vnet-A', 'vnet-E', 'vnet-F', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet', 'vnet-J/AzureFirewallSubnet', 'vnet-H/subnet-A', 'vnet-H/subnet-B', 'vnet-H/subnet-C';
         }
 
         It 'Azure.VNET.SingleDNS' {
@@ -159,8 +159,8 @@ Describe 'Azure.VNET' -Tag 'Network', 'VNET' {
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 11;
-            $ruleResult.TargetName | Should -BeIn 'vnet-A', 'vnet-B', 'vnet-C', 'vnet-D', 'vnet-E', 'vnet-F', 'vnet-G', 'vnet-H/AzureFirewallSubnet', 'vnet-H/excludedSubnet', 'vnet-I/AzureFirewallSubnet', 'vnet-J/AzureFirewallSubnet';
+            $ruleResult.Length | Should -Be 14;
+            $ruleResult.TargetName | Should -BeIn 'vnet-A', 'vnet-B', 'vnet-C', 'vnet-D', 'vnet-E', 'vnet-F', 'vnet-G', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet', 'vnet-H/excludedSubnet', 'vnet-J/AzureFirewallSubnet', 'vnet-H/subnet-A', 'vnet-H/subnet-B', 'vnet-H/subnet-C';
         }
 
         It 'Azure.VNET.BastionSubnet' {
@@ -224,6 +224,43 @@ Describe 'Azure.VNET' -Tag 'Network', 'VNET' {
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -BeNullOrEmpty;
         }
+
+        It 'Azure.VNET.PrivateSubnet' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VNET.PrivateSubnet' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 7;
+            $ruleResult.TargetName | Should -Be 'vnet-A', 'vnet-B', 'vnet-C', 'vnet-G', 'vnet-H/excludedSubnet', 'vnet-H/subnet-A', 'vnet-H/subnet-B';
+
+            $ruleResult[0].Reason | Should -BeExactly @(
+                "The subnet (subnet-A) should disable default outbound access."
+                "The subnet (subnet-B) should disable default outbound access."
+                "The subnet (subnet-C) should disable default outbound access."
+                "The subnet (subnet-D) should disable default outbound access."
+            );
+            $ruleResult[1].Reason | Should -BeExactly @(
+                "The subnet (subnet-A) should disable default outbound access."
+                "The subnet (subnet-B) should disable default outbound access."
+                "The subnet (subnet-C) should disable default outbound access."
+                "The subnet (subnet-D) should disable default outbound access."
+            );
+            $ruleResult[2].Reason | Should -BeExactly @(
+                "The subnet (subnet-A) should disable default outbound access."
+                "The subnet (subnet-B) should disable default outbound access."
+                "The subnet (subnet-C) should disable default outbound access."
+                "The subnet (subnet-D) should disable default outbound access."
+            );
+            $ruleResult[3].Reason | Should -BeExactly "The subnet (subnet-ZZ) should disable default outbound access.";
+            $ruleResult[4].Reason | Should -BeExactly "The subnet (vnet-H/excludedSubnet) should disable default outbound access.";
+            $ruleResult[5].Reason | Should -BeExactly "The subnet (vnet-H/subnet-A) should disable default outbound access.";
+            $ruleResult[6].Reason | Should -BeExactly "The subnet (vnet-H/subnet-B) should disable default outbound access.";
+  
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 7;
+            $ruleResult.TargetName | Should -BeIn 'vnet-D', 'vnet-E', 'vnet-F', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet', 'vnet-J/AzureFirewallSubnet', 'vnet-H/subnet-C';
+        }
     }
 
     Context 'Resource name - Azure.VNET.Name' {
@@ -400,9 +437,9 @@ Describe 'Azure.VNET' -Tag 'Network', 'VNET' {
                 Module        = 'PSRule.Rules.Azure'
                 WarningAction = 'Ignore'
                 ErrorAction   = 'Stop'
-                Option = @{
-                    'Configuration.AZURE_VNET_DNS_WITH_IDENTITY' = $True
-                    'Configuration.AZURE_FIREWALL_IS_ZONAL' = $True
+                Option        = @{
+                    'Configuration.AZURE_VNET_DNS_WITH_IDENTITY'        = $True
+                    'Configuration.AZURE_FIREWALL_IS_ZONAL'             = $True
                     'Configuration.AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG' = @('subnet-ZZ', 'excludedSubnet') 
                 }
             }
@@ -421,6 +458,27 @@ Describe 'Azure.VNET' -Tag 'Network', 'VNET' {
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -BeNullOrEmpty;
         }
+        
+        It 'Azure.VNET.FirewallSubnetNAT' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VNET.FirewallSubnetNAT' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 3;
+            $ruleResult.TargetName | Should -Be 'vnet-A', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet';
+
+            $ruleResult[0].Reason | Should -BeExactly @(
+                "The firewall should have a NAT gateway associated."
+                "The firewall should have a NAT gateway associated."
+            );
+            $ruleResult[1].Reason | Should -BeExactly "The firewall should have a NAT gateway associated.";
+            $ruleResult[2].Reason | Should -BeExactly "The firewall should have a NAT gateway associated.";
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 11;
+            $ruleResult.TargetName | Should -BeIn 'vnet-B', 'vnet-C', 'vnet-D', 'vnet-E', 'vnet-F', 'vnet-G', 'vnet-H/excludedSubnet', 'vnet-J/AzureFirewallSubnet', 'vnet-H/subnet-A', 'vnet-H/subnet-B', 'vnet-H/subnet-C';
+        }
 
         It 'Azure.VNET.UseNSGs' {
             $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VNET.UseNSGs' };
@@ -457,29 +515,8 @@ Describe 'Azure.VNET' -Tag 'Network', 'VNET' {
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 8;
-            $ruleResult.TargetName | Should -BeIn 'vnet-A', 'vnet-E', 'vnet-F', 'vnet-G', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet', 'vnet-J/AzureFirewallSubnet', 'vnet-H/excludedSubnet';
-        }
-        
-        It 'Azure.VNET.FirewallSubnetNAT' {
-            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VNET.FirewallSubnetNAT' };
-
-            # Fail
-            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
-            $ruleResult.Length | Should -Be 3;
-            $ruleResult.TargetName | Should -Be 'vnet-A', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet';
-
-            $ruleResult[0].Reason | Should -BeExactly @(
-                "The firewall should have a NAT gateway associated."
-                "The firewall should have a NAT gateway associated."
-            );
-            $ruleResult[1].Reason | Should -BeExactly "The firewall should have a NAT gateway associated.";
-            $ruleResult[2].Reason | Should -BeExactly "The firewall should have a NAT gateway associated.";
-
-            # Pass
-            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
-            $ruleResult.Length | Should -Be 8;
-            $ruleResult.TargetName | Should -BeIn 'vnet-B', 'vnet-C', 'vnet-D', 'vnet-E', 'vnet-F', 'vnet-G', 'vnet-H/excludedSubnet', 'vnet-J/AzureFirewallSubnet';
+            $ruleResult.Length | Should -Be 11;
+            $ruleResult.TargetName | Should -BeIn 'vnet-A', 'vnet-E', 'vnet-F', 'vnet-G', 'vnet-H/AzureFirewallSubnet', 'vnet-I/AzureFirewallSubnet', 'vnet-H/excludedSubnet', 'vnet-J/AzureFirewallSubnet', 'vnet-H/subnet-A', 'vnet-H/subnet-B', 'vnet-H/subnet-C';
         }
     }
 }
diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json b/tests/PSRule.Rules.Azure.Tests/Resources.VirtualNetwork.json
