
🛡️ Azure Subscription Network Watcher is not enabled in every available region🟢

  • Contextual name: 🛡️ Network Watcher is not enabled in every available region🟢
  • ID: /ce/ca/azure/subscription/network-watcher-in-every-available-region
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-629108da1 | | 

Description


Enable Network Watcher for physical regions in Azure subscriptions.

Rationale

The network diagnostic and visualization tools available with Network Watcher (flow logs, packet capture, connection troubleshooting, topology views) help users understand, diagnose, and gain insights into the network in Azure. A region without Network Watcher has none of this telemetry available when an incident there needs to be investigated.

Impact

There are additional costs per transaction to run and store network data. For high-volume networks these charges will add up quickly.

Audit

This policy marks an Azure Subscription as INCOMPLIANT when the number of available locations (physical regions) visible to the subscription does not equal the number of enabled Azure Network Watchers in that subscription. Azure permits one Network Watcher per region per subscription, so a count mismatch means at least one available region has no Network Watcher. Note that this check is stricter than CIS Azure v3.0.0 7.6 and v4.0.0 8.6, which only require Network Watcher in regions that are actually in use.

Default Value

Network Watcher is automatically enabled. When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. There is no impact to your resources or associated charge for automatically enabling Network Watcher.

References

  1. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
  2. https://learn.microsoft.com/en-us/cli/azure/network/watcher?view=azure-cli-latest


Remediation


Opting out of Network Watcher automatic enablement is a permanent change: once you opt out, you cannot opt back in without contacting support. To manually enable Network Watcher in each region where you want to use its capabilities, follow the steps below.

From Azure Portal

  1. Go to Network Watcher.
  2. Click Create.
  3. Select a Region from the drop-down menu.
  4. Click Add.

From Azure CLI

az network watcher configure --locations <region> --enabled true --resource-group <resource_group>
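The audit check above (available locations versus enabled Network Watchers) and the CLI remediation, worked through as an added example that is not the policy page's or Cloudaware's own code. It consumes the JSON shapes returned by `az account list-locations -o json` and `az network watcher list -o json`; the field names used (`name`, `metadata.regionType`, `location`, `provisioningState`) are assumed from the Azure CLI, the sample records are constructed, and the resource group name NetworkWatcherRG is a placeholder. Rather than comparing two counts, it takes the set difference so it can name the regions that are missing, treats a watcher in any provisioning state other than Succeeded as not enabled, and emits a single `az network watcher configure` command whose `--locations` list covers every gap.

```python
"""Find Azure regions lacking an enabled Network Watcher and emit the
az command that remediates them.

Added example; not part of the original policy page. Field names follow
the Azure CLI JSON output (assumed); all sample data below is constructed.
"""
import json
import shlex

# Constructed sample of `az account list-locations -o json` (trimmed):
# three physical regions plus one logical pseudo-region.
LOCATIONS_JSON = """[
  {"name": "eastus", "displayName": "East US",
   "metadata": {"regionType": "Physical"}},
  {"name": "westus2", "displayName": "West US 2",
   "metadata": {"regionType": "Physical"}},
  {"name": "northeurope", "displayName": "North Europe",
   "metadata": {"regionType": "Physical"}},
  {"name": "global", "displayName": "Global",
   "metadata": {"regionType": "Logical"}}
]"""

# Constructed sample of `az network watcher list -o json` (trimmed): one
# watcher is fully provisioned, one is stuck in a failed state.
WATCHERS_JSON = """[
  {"name": "NetworkWatcher_eastus", "location": "eastus",
   "provisioningState": "Succeeded", "resourceGroup": "NetworkWatcherRG"},
  {"name": "NetworkWatcher_westus2", "location": "westus2",
   "provisioningState": "Failed", "resourceGroup": "NetworkWatcherRG"}
]"""


def physical_regions(locations_json):
    """Names of regions whose regionType is Physical. Logical regions such
    as 'global' cannot host a Network Watcher and are skipped."""
    return {
        loc["name"]
        for loc in json.loads(locations_json)
        if loc.get("metadata", {}).get("regionType") == "Physical"
    }


def enabled_watcher_regions(watchers_json):
    """Regions holding a watcher whose provisioningState is Succeeded.
    Any other state (Failed, Updating, Deleting) counts as not enabled."""
    return {
        w["location"]
        for w in json.loads(watchers_json)
        if w.get("provisioningState") == "Succeeded"
    }


def missing_regions(locations_json, watchers_json):
    """Sorted physical regions that have no enabled Network Watcher."""
    return sorted(
        physical_regions(locations_json) - enabled_watcher_regions(watchers_json)
    )


def is_compliant(locations_json, watchers_json):
    """The policy verdict: compliant only when no region is missing."""
    return not missing_regions(locations_json, watchers_json)


def remediation_commands(locations_json, watchers_json,
                         resource_group="NetworkWatcherRG"):
    """One `az network watcher configure` call covering every missing
    region. `--locations` accepts a space-separated list. The resource
    group name is a placeholder assumption and must already exist."""
    missing = missing_regions(locations_json, watchers_json)
    if not missing:
        return []
    return [
        "az network watcher configure --enabled true "
        f"--resource-group {shlex.quote(resource_group)} "
        "--locations " + " ".join(shlex.quote(r) for r in missing)
    ]


if __name__ == "__main__":
    print("compliant:", is_compliant(LOCATIONS_JSON, WATCHERS_JSON))
    print("missing:", missing_regions(LOCATIONS_JSON, WATCHERS_JSON))
    for cmd in remediation_commands(LOCATIONS_JSON, WATCHERS_JSON):
        print(cmd)
```

On real data, replace the two constants with the output of the two `az` commands above (the locations list may need `--query "[?metadata.regionType=='Physical']"` if you prefer to filter in the CLI), and review the generated command before running it: enabling Network Watcher creates a resource in each listed region and starts the per-transaction charges described under Impact.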


Linked Framework Sections

Section → Sub Section | Counts (Sub Sections / Internal Rules / Policies / Flags) | Compliance
💼 APRA CPG 234 → 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to business-as-usual processing; | 44 | no data
💼 CIS Azure v2.1.0 → 💼 6.6 Ensure that Network Watcher is 'Enabled' - Level 2 (Automated) | 1 | no data
💼 CIS Azure v3.0.0 → 💼 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use (Automated) | 1 | no data
💼 CIS Azure v4.0.0 → 💼 8.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration | 65 | no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 23681 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 166 | no data
💼 ISO/IEC 27001:2022 → 💼 8.22 Segregation of networks | 44 | no data
💼 ISO/IEC 27001:2022 → 💼 8.27 Secure system architecture and engineering principles | 14 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 142 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | 69 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 95 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement | 326891 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement | Processing Domains | 3032 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement | Detection of Unsanctioned Information | 910 | no data