
πŸ“ Azure Subscription Network Watcher is not enabled in every available region 🟒

  • Contextual name: 📁 Network Watcher is not enabled in every available region 🟢
  • ID: /ce/ca/azure/subscription/network-watcher-in-every-available-region
  • Located in: 📁 Azure Subscription

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-629108da1

Logic

Description

Enable Network Watcher for physical regions in Azure subscriptions.

Rationale

The network diagnostic and visualization tools that come with Network Watcher help users understand, diagnose, and gain insights into their network in Azure.

Impact

There are additional per-transaction costs to run Network Watcher and store the network data it collects. For high-volume networks, these charges add up quickly.

Audit

From Azure Portal

  1. Use the Search bar to search for and click on the Network Watcher service.
  2. From the Overview menu item, review each Network Watcher listed, and ensure that a network watcher is listed for each region in use by the subscription.

From Azure CLI

az network watcher list --query "[].{Location:location,State:provisioningState}" -o table

This will list all network watchers and their provisioning state.

Ensure provisioningState is Succeeded for each network watcher.

az account list-locations --query "[?metadata.regionType=='Physical'].{Name:name,DisplayName:regionalDisplayName}" -o table

This will list all physical regions that exist in the subscription.
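The two listings above are the inputs to the check; what the audit actually asks for is a comparison: every physical region must have a Network Watcher whose provisioningState is Succeeded. The script below is an added example, not part of this policy page or of the Azure CLI documentation. The sample listings in it are constructed, and the `-o tsv` queries in live_check() (`[].[location,provisioningState]` and `[?metadata.regionType=='Physical'].name`) are assumed variants of the two commands above that return one record per line. Narrowing the region list to regions actually in use, as the CIS v3.0.0 wording requires, is left to the caller.

```shell
#!/bin/sh
# Added example: compare Network Watcher instances against physical regions and
# report every region that is not covered by a watcher in state Succeeded.

# Constructed stand-in for the output of (assumed query form):
#   az network watcher list --query "[].[location,provisioningState]" -o tsv
SAMPLE_WATCHERS='eastus Succeeded
westeurope Succeeded
northeurope Failed'

# Constructed stand-in for the output of (assumed query form):
#   az account list-locations --query "[?metadata.regionType=='Physical'].name" -o tsv
SAMPLE_REGIONS='eastus
westeurope
northeurope
westus2'

# uncovered_regions WATCHERS REGIONS
#   WATCHERS: one "location state" pair per line (tab or space separated)
#   REGIONS:  one region name per line
# Prints each region that has no watcher in provisioningState Succeeded.
# A watcher that exists but is Failed or still Updating counts as missing,
# which is what the audit text ("Ensure provisioningState is Succeeded") requires.
uncovered_regions() {
  printf '%s\n' "$2" | awk -v watchers="$1" '
    BEGIN {
      n = split(watchers, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f)            # default FS: whitespace, so TSV works too
        if (f[2] == "Succeeded") ok[f[1]] = 1
      }
    }
    NF > 0 && !($1 in ok) { print $1 }'
}

# check_coverage WATCHERS REGIONS
# Exit status for use in a pipeline: 0 when every region is covered, 1 otherwise.
check_coverage() {
  missing="$(uncovered_regions "$1" "$2")"
  if [ -n "$missing" ]; then
    printf 'Network Watcher missing or not Succeeded in:\n%s\n' "$missing"
    return 1
  fi
  echo "Network Watcher is Succeeded in every listed region"
  return 0
}

# Live variant against a real subscription (needs az login; not executed here).
live_check() {
  check_coverage \
    "$(az network watcher list --query "[].[location,provisioningState]" -o tsv)" \
    "$(az account list-locations --query "[?metadata.regionType=='Physical'].name" -o tsv)"
}

# Demo run on the constructed data: reports northeurope (Failed) and westus2 (absent).
check_coverage "$SAMPLE_WATCHERS" "$SAMPLE_REGIONS" || true
```

Running live_check() from a scheduled job and alerting on a non-zero exit status turns the manual audit into a continuous control; the region list argument can be replaced with the output of a query over the subscription's deployed resources when only regions in use should count.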


Remediation

Opting out of Network Watcher automatic enablement is a permanent change. Once you opt out, you cannot opt back in without contacting support. To manually enable Network Watcher in each region where you want to use Network Watcher capabilities, follow the steps below.

From Azure Portal

  1. Go to Network Watcher.
  2. Click Create.
  3. Select a Region from the drop-down menu.
  4. Click Add.

From Azure CLI

az network watcher configure --locations <region> --enabled true --resource-group <resource_group>

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing; 44
💼 CIS Azure v2.1.0 → 💼 6.6 Ensure that Network Watcher is 'Enabled' - Level 2 (Automated) 1
💼 CIS Azure v3.0.0 → 💼 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use (Automated) 1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration 49
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) 23165
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) 151
💼 ISO/IEC 27001:2022 → 💼 8.22 Segregation of networks 55
💼 ISO/IEC 27001:2022 → 💼 8.27 Secure system architecture and engineering principles 11
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 89
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained 31
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected 67
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage 40
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement 326173
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement | Processing Domains 2527
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement | Detection of Unsanctioned Information 78