
feature: add Azure Virtual Network Gateway scanner #207

Closed
wants to merge 13 commits into from

Conversation

@vanwinkelseppe (Contributor) commented Apr 23, 2024

Description

Add a scanner for Azure Virtual Network Gateway

Issue reference

We strive to have all PRs opened based on an issue in which the problem or feature has been discussed prior to implementation.

Please reference the issue this PR will close: #206

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Run linter
  • Unit tests passing

@vanwinkelseppe (Contributor, Author):

@cmendible
I'm not 100% familiar with the Go SDK for Azure, but do you have an idea where we can find the Azure VPN Gateway SKU & Generation in the properties? I wasn't able to locate them.

Do you have any requests for other scan rules?

Thanks!

internal/scanners/vpng/rules.go (review thread, outdated, resolved)

@cmendible (Member):

@vanwinkelseppe I'm about to merge #214, so please check if the new SDK for networking helps you with the SLA rule we are reviewing.

@vanwinkelseppe (Contributor, Author):

@cmendible will do, thanks!

@vanwinkelseppe (Contributor, Author):

@cmendible Still no SKU on the VPNGateway, bypassed it by querying for the VirtualNetworkGateway.

Ready for review; I still have to do the list of rules, but with all the merges I'll do it when it looks ready to go!

internal/scanners/vpng/rules.go (review thread, outdated, resolved)
docs/content/en/docs/Recommendations/_index.md (review thread, outdated, resolved)

@cmendible (Member) left a review comment:

Hey! Check the following branch: https://github.com/Azure/azqr/tree/vpn. I made some changes so we only query for Virtual Network Gateway objects and take decisions based on the type.

If you are OK with it, merge it into your PR and, if possible, add an Availability Zone rule based on the service tier.

@vanwinkelseppe (Contributor, Author):

> Hey! Check the following branch: https://github.com/Azure/azqr/tree/vpn. I made some changes so we only query for Virtual Network Gateway objects and take decisions based on the type.
>
> If you are OK with it, merge it into your PR and, if possible, add an Availability Zone rule based on the service tier.

Will do tonight or tomorrow! Thanks for the refactor!

@cmendible cmendible changed the title feature: add Azure VPN Gateway scanner feature: add Azure Virtual Network Gateway scanner Apr 25, 2024
@vanwinkelseppe vanwinkelseppe force-pushed the features/vpngw branch 2 times, most recently from 8c28ce4 to 8956bdf on April 25, 2024 19:33

@vanwinkelseppe (Contributor, Author):

@cmendible, I'm uncertain about the availability zones.
I've checked the properties on virtualnetworkgateway, but couldn't find anything related to it except ExtendedLocation. I'm uncertain what this actually means, though. I've queried some resources in my environment via the API to see, but it seems to never be filled in.

I did make a list of which gateway SKUs can enable them:
Express:

  • ErGw1AZ
  • ErGw2AZ
  • ErGw3AZ

VPN

  • Gen 1 - VpnGw1AZ
  • Gen 1 - VpnGw2AZ
  • Gen 1 - VpnGw3AZ
  • Gen 2 - VpnGw2AZ
  • Gen 2 - VpnGw3AZ
  • Gen 2 - VpnGw4AZ
  • Gen 2 - VpnGw5AZ

@cmendible (Member) left a review comment:

LGTM

internal/scan.go (review thread, outdated, resolved)

cmendible previously approved these changes May 8, 2024

@cmendible (Member):

> @cmendible, I'm uncertain about the availability zones. I've checked the properties on virtualnetworkgateway, but couldn't find anything related to it except ExtendedLocation. I'm uncertain what this actually means, though. I've queried some resources in my environment via the API to see, but it seems to never be filled in.
>
> I did make a list of which gateway SKUs can enable them: Express:
>
>   • ErGw1AZ
>   • ErGw2AZ
>   • ErGw3AZ
>
> VPN
>
>   • Gen 1 - VpnGw1AZ
>   • Gen 1 - VpnGw2AZ
>   • Gen 1 - VpnGw3AZ
>   • Gen 2 - VpnGw2AZ
>   • Gen 2 - VpnGw3AZ
>   • Gen 2 - VpnGw4AZ
>   • Gen 2 - VpnGw5AZ

@vanwinkelseppe let's use the SKU, and if the SKU (lower-cased) contains "az" then the Gateway is compliant.
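As an added example (not code from this PR or from azqr), the availability-zone rule agreed above in Go: the lower-cased "az" substring heuristic is cross-checked against the SKU list posted in the thread and against other gateway SKU names assumed here, and the gateway names and types are constructed inputs.

```go
package main

import (
	"fmt"
	"strings"
)

// HasAvailabilityZones is the rule proposed in the thread: a gateway is
// zone-redundant when its SKU name, lower-cased, contains "az".
func HasAvailabilityZones(sku string) bool {
	return strings.Contains(strings.ToLower(sku), "az")
}

// azSKUs is the explicit AZ-capable list from the thread; nonAZSKUs are other
// gateway SKU names (assumed, not from the thread) that must not be flagged.
var azSKUs = []string{"ErGw1AZ", "ErGw2AZ", "ErGw3AZ",
	"VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ", "VpnGw4AZ", "VpnGw5AZ"}
var nonAZSKUs = []string{"Basic", "Standard", "HighPerformance", "UltraPerformance",
	"VpnGw1", "VpnGw2", "VpnGw3", "VpnGw4", "VpnGw5", "ErGw1", "ErGw2", "ErGw3"}

// FirstDisagreement cross-checks the heuristic against both lists and returns
// the first SKU on which they disagree, or "" when they fully agree.
func FirstDisagreement() string {
	for _, sku := range azSKUs {
		if !HasAvailabilityZones(sku) {
			return sku
		}
	}
	for _, sku := range nonAZSKUs {
		if HasAvailabilityZones(sku) {
			return sku
		}
	}
	return ""
}

// Evaluate returns the verdict and finding text the scanner would report.
func Evaluate(name, gatewayType, sku string) (bool, string) {
	verdict := "no availability zones"
	if HasAvailabilityZones(sku) {
		verdict = "zone-redundant"
	}
	return verdict == "zone-redundant", fmt.Sprintf("%s (%s, %s): %s", name, gatewayType, sku, verdict)
}

func main() { // constructed sample inventory, not real resources
	fmt.Println(Evaluate("vpn-gw-prod", "Vpn", "VpnGw2AZ"))
	fmt.Println(Evaluate("er-gw-hub", "ExpressRoute", "ErGw1"))
	fmt.Println("first disagreement:", FirstDisagreement())
}
```

FirstDisagreement returning "" shows the substring check agrees with the explicit list on every SKU name in either set, which is what makes the simpler rule safe to ship.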

@cmendible (Member):

Closed in favor of: #237

@cmendible cmendible closed this May 16, 2024
Successfully merging this pull request may close these issues.

Create Azure Virtual Network Gateway scanner