πŸ“ Azure Subscription Network Watcher is not enabled in every available region 🟒

  • Contextual name: Network Watcher is not enabled in every available region
  • ID: /ce/ca/azure/subscription/network-watcher-in-every-available-region
  • Located in: Azure Subscription

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-629108da1

Logic

Description

Enable Network Watcher for physical regions in Azure subscriptions.

Rationale

The network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights into their network in Azure.

Impact

There are additional costs per transaction to run and store network data. For high-volume networks these charges will add up quickly.

Audit

This policy marks an Azure Subscription as INCOMPLIANT if the number of available locations does not equal the total number of enabled Azure Network Watchers in that subscription.

Default Value

Network Watcher is automatically enabled. When you create or update a virtual network in your subscription, Network Watcher is enabled automatically in that virtual network's region. Automatic enablement has no impact on your resources and carries no associated charge.

References

  1. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
  2. https://learn.microsoft.com/en-us/cli/azure/network/watcher?view=azure-cli-latest

Remediation

Opting out of Network Watcher automatic enablement is a permanent change: once you opt out, you cannot opt back in without contacting support. To manually enable Network Watcher in each region where you want to use its capabilities, follow the steps below.

From Azure Portal

  1. Go to Network Watcher.
  2. Click Create.
  3. Select a Region from the drop-down menu.
  4. Click Add.

From Azure CLI

az network watcher configure --locations <region> --enabled true --resource-group <resource_group>
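The audit rule above (available locations versus enabled Network Watchers) and the CLI remediation step, worked as an added POSIX shell example that is not part of the Cloudaware policy or Microsoft's documentation. The function names, the sample region lists and the JMESPath queries in the comments are assumptions; the script runs offline on constructed input and only prints the remediation command, it does not execute it.

```shell
#!/bin/sh
# Added example, not from the Cloudaware policy or Microsoft docs: reproduce the
# audit offline (available locations vs. locations with an enabled Network
# Watcher) and print the page's remediation command for each gap.
# Function names and the JMESPath queries in the comments are assumptions.

# Print available locations that have no Network Watcher. Both arguments are
# newline-separated location lists; output is sorted and de-duplicated.
missing_watcher_regions() {
  available="$1"
  enabled="$2"
  printf '%s\n' "$available" | sort -u | while IFS= read -r loc; do
    [ -n "$loc" ] || continue
    # -x matches the whole line, so "eastus" does not match "eastus2".
    if ! printf '%s\n' "$enabled" | grep -qxF -e "$loc"; then
      printf '%s\n' "$loc"
    fi
  done
}

# Exit status 0 when every available location has a watcher (compliant),
# 1 otherwise: the policy's "locations == enabled watchers" check.
audit_subscription() {
  [ -z "$(missing_watcher_regions "$1" "$2")" ]
}

# Print one remediation command (the page's az command) per missing region;
# it is printed, not executed, so it can be reviewed before being applied.
remediation_commands() {
  rg="$3"
  missing_watcher_regions "$1" "$2" | while IFS= read -r loc; do
    printf 'az network watcher configure --locations %s --enabled true --resource-group %s\n' "$loc" "$rg"
  done
}

# Live inputs would come from the CLI (assumed queries, not run here):
#   available=$(az account list-locations --query "[?metadata.regionType=='Physical'].name" -o tsv)
#   enabled=$(az network watcher list --query "[].location" -o tsv)

# Constructed sample input for an offline run.
SAMPLE_AVAILABLE=$(printf 'eastus\nwestus\nnortheurope\nwesteurope')
SAMPLE_ENABLED=$(printf 'eastus\nwesteurope')

if audit_subscription "$SAMPLE_AVAILABLE" "$SAMPLE_ENABLED"; then
  echo "COMPLIANT"
else
  echo "INCOMPLIANT: regions without Network Watcher:"
  remediation_commands "$SAMPLE_AVAILABLE" "$SAMPLE_ENABLED" NetworkWatcherRG
fi
```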

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing;44
💼 CIS Azure v2.1.0 → 💼 6.6 Ensure that Network Watcher is 'Enabled' - Level 2 (Automated)1
💼 CIS Azure v3.0.0 → 💼 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use (Automated)1
💼 CIS Azure v4.0.0 → 💼 8.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use (Automated)1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration59
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)23675
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)160
💼 ISO/IEC 27001:2022 → 💼 8.22 Segregation of networks44
💼 ISO/IEC 27001:2022 → 💼 8.27 Secure system architecture and engineering principles14
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained45
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage66
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement326885
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains3032
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information910