0
# Network Security
1
2
Network security management capabilities for Azure Security Center, providing adaptive network hardening, just-in-time VM access policies, network topology analysis, and connection monitoring to secure network infrastructure.
3
4
## Capabilities
5
6
### Adaptive Network Hardenings
7
8
Manage adaptive network hardening recommendations and enforce network security best practices.
9
10
```python { .api }
11
def list(
12
**kwargs: Any
13
) -> Iterator[AdaptiveNetworkHardening]:
14
"""
15
List adaptive network hardenings for the subscription.
16
17
Returns:
18
Iterator[AdaptiveNetworkHardening]: Iterator of adaptive network hardening objects
19
"""
20
21
def list_by_extended_resource(
22
resource_group_name: str,
23
resource_namespace: str,
24
resource_type: str,
25
resource_name: str,
26
**kwargs: Any
27
) -> Iterator[AdaptiveNetworkHardening]:
28
"""
29
List adaptive network hardenings for an extended resource.
30
31
Parameters:
32
- resource_group_name (str): Name of the resource group
33
- resource_namespace (str): Resource provider namespace
34
- resource_type (str): Resource type
35
- resource_name (str): Name of the resource
36
37
Returns:
38
Iterator[AdaptiveNetworkHardening]: Iterator of adaptive network hardening objects
39
"""
40
41
def get(
42
resource_group_name: str,
43
resource_namespace: str,
44
resource_type: str,
45
resource_name: str,
46
adaptive_network_hardening_resource_name: str,
47
**kwargs: Any
48
) -> AdaptiveNetworkHardening:
49
"""
50
Get details of a specific adaptive network hardening.
51
52
Parameters:
53
- resource_group_name (str): Name of the resource group
54
- resource_namespace (str): Resource provider namespace
55
- resource_type (str): Resource type
56
- resource_name (str): Name of the resource
57
- adaptive_network_hardening_resource_name (str): Name of the hardening resource
58
59
Returns:
60
AdaptiveNetworkHardening: Adaptive network hardening details
61
"""
62
63
def enforce(
64
resource_group_name: str,
65
resource_namespace: str,
66
resource_type: str,
67
resource_name: str,
68
adaptive_network_hardening_resource_name: str,
69
body: AdaptiveNetworkHardeningEnforceRequest,
70
**kwargs: Any
71
) -> AdaptiveNetworkHardening:
72
"""
73
Enforce adaptive network hardening recommendations.
74
75
Parameters:
76
- resource_group_name (str): Name of the resource group
77
- resource_namespace (str): Resource provider namespace
78
- resource_type (str): Resource type
79
- resource_name (str): Name of the resource
80
- adaptive_network_hardening_resource_name (str): Name of the hardening resource
81
- body (AdaptiveNetworkHardeningEnforceRequest): Enforcement request data
82
83
Returns:
84
AdaptiveNetworkHardening: Updated adaptive network hardening
85
"""
86
```
87
88
### Allowed Connections
89
90
Monitor and analyze allowed network connections between resources.
91
92
```python { .api }
93
def list(
94
**kwargs: Any
95
) -> Iterator[AllowedConnectionsResource]:
96
"""
97
List allowed connections for the subscription.
98
99
Returns:
100
Iterator[AllowedConnectionsResource]: Iterator of allowed connection objects
101
"""
102
103
def list_by_home_region(
104
asc_location: str,
105
**kwargs: Any
106
) -> Iterator[AllowedConnectionsResource]:
107
"""
108
List allowed connections in the subscription's home region.
109
110
Parameters:
111
- asc_location (str): Azure Security Center location
112
113
Returns:
114
Iterator[AllowedConnectionsResource]: Iterator of allowed connection objects
115
"""
116
117
def get(
118
resource_group_name: str,
119
asc_location: str,
120
connection_type: str,
121
**kwargs: Any
122
) -> AllowedConnectionsResource:
123
"""
124
Get details of specific allowed connections.
125
126
Parameters:
127
- resource_group_name (str): Name of the resource group
128
- asc_location (str): Azure Security Center location
129
- connection_type (str): Type of connection (Internal, External)
130
131
Returns:
132
AllowedConnectionsResource: Allowed connection details
133
"""
134
```
135
136
### Just-in-Time Network Access Policies
137
138
Manage just-in-time (JIT) VM access policies for secure, time-limited VM access.
139
140
```python { .api }
141
def list(
142
**kwargs: Any
143
) -> Iterator[JitNetworkAccessPolicy]:
144
"""
145
List JIT network access policies for the subscription.
146
147
Returns:
148
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
149
"""
150
151
def list_by_region(
152
asc_location: str,
153
**kwargs: Any
154
) -> Iterator[JitNetworkAccessPolicy]:
155
"""
156
List JIT network access policies in a specific region.
157
158
Parameters:
159
- asc_location (str): Azure Security Center location
160
161
Returns:
162
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
163
"""
164
165
def list_by_resource_group(
166
resource_group_name: str,
167
**kwargs: Any
168
) -> Iterator[JitNetworkAccessPolicy]:
169
"""
170
List JIT network access policies in a resource group.
171
172
Parameters:
173
- resource_group_name (str): Name of the resource group
174
175
Returns:
176
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
177
"""
178
179
def list_by_resource_group_and_region(
180
resource_group_name: str,
181
asc_location: str,
182
**kwargs: Any
183
) -> Iterator[JitNetworkAccessPolicy]:
184
"""
185
List JIT network access policies in a resource group and region.
186
187
Parameters:
188
- resource_group_name (str): Name of the resource group
189
- asc_location (str): Azure Security Center location
190
191
Returns:
192
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
193
"""
194
195
def get(
196
resource_group_name: str,
197
asc_location: str,
198
jit_network_access_policy_name: str,
199
**kwargs: Any
200
) -> JitNetworkAccessPolicy:
201
"""
202
Get details of a specific JIT network access policy.
203
204
Parameters:
205
- resource_group_name (str): Name of the resource group
206
- asc_location (str): Azure Security Center location
207
- jit_network_access_policy_name (str): Name of the JIT policy
208
209
Returns:
210
JitNetworkAccessPolicy: JIT policy details
211
"""
212
213
def create_or_update(
214
resource_group_name: str,
215
asc_location: str,
216
jit_network_access_policy_name: str,
217
body: JitNetworkAccessPolicy,
218
**kwargs: Any
219
) -> JitNetworkAccessPolicy:
220
"""
221
Create or update a JIT network access policy.
222
223
Parameters:
224
- resource_group_name (str): Name of the resource group
225
- asc_location (str): Azure Security Center location
226
- jit_network_access_policy_name (str): Name of the JIT policy
227
- body (JitNetworkAccessPolicy): JIT policy data
228
229
Returns:
230
JitNetworkAccessPolicy: Created or updated JIT policy
231
"""
232
233
def delete(
234
resource_group_name: str,
235
asc_location: str,
236
jit_network_access_policy_name: str,
237
**kwargs: Any
238
) -> None:
239
"""
240
Delete a JIT network access policy.
241
242
Parameters:
243
- resource_group_name (str): Name of the resource group
244
- asc_location (str): Azure Security Center location
245
- jit_network_access_policy_name (str): Name of the JIT policy
246
247
Returns:
248
None
249
"""
250
251
def initiate(
252
resource_group_name: str,
253
asc_location: str,
254
jit_network_access_policy_name: str,
255
body: JitNetworkAccessPolicyInitiateRequest,
256
**kwargs: Any
257
) -> JitNetworkAccessRequest:
258
"""
259
Initiate a JIT network access request.
260
261
Parameters:
262
- resource_group_name (str): Name of the resource group
263
- asc_location (str): Azure Security Center location
264
- jit_network_access_policy_name (str): Name of the JIT policy
265
- body (JitNetworkAccessPolicyInitiateRequest): Access request data
266
267
Returns:
268
JitNetworkAccessRequest: Initiated access request
269
"""
270
```
271
272
### Network Topology
273
274
Analyze and visualize network topology and security posture.
275
276
```python { .api }
277
def list(
278
**kwargs: Any
279
) -> Iterator[TopologyResource]:
280
"""
281
List network topology resources for the subscription.
282
283
Returns:
284
Iterator[TopologyResource]: Iterator of topology resource objects
285
"""
286
287
def list_by_home_region(
288
asc_location: str,
289
**kwargs: Any
290
) -> Iterator[TopologyResource]:
291
"""
292
List network topology resources in the subscription's home region.
293
294
Parameters:
295
- asc_location (str): Azure Security Center location
296
297
Returns:
298
Iterator[TopologyResource]: Iterator of topology resource objects
299
"""
300
301
def get(
302
resource_group_name: str,
303
asc_location: str,
304
topology_resource_name: str,
305
**kwargs: Any
306
) -> TopologyResource:
307
"""
308
Get details of a specific topology resource.
309
310
Parameters:
311
- resource_group_name (str): Name of the resource group
312
- asc_location (str): Azure Security Center location
313
- topology_resource_name (str): Name of the topology resource
314
315
Returns:
316
TopologyResource: Topology resource details
317
"""
318
```
319
320
## Types
321
322
```python { .api }
323
class AdaptiveNetworkHardening:
324
id: Optional[str]
325
name: Optional[str]
326
type: Optional[str]
327
rules: Optional[List[Rule]]
328
rules_calculation_time: Optional[datetime]
329
effective_network_security_groups: Optional[List[EffectiveNetworkSecurityGroups]]
330
331
class AdaptiveNetworkHardeningEnforceRequest:
332
rules: List[Rule]
333
network_security_groups: List[str]
334
335
class AllowedConnectionsResource:
336
id: Optional[str]
337
name: Optional[str]
338
type: Optional[str]
339
location: Optional[str]
340
connectable_resources: Optional[List[ConnectableResource]]
341
342
class JitNetworkAccessPolicy:
343
id: Optional[str]
344
name: Optional[str]
345
type: Optional[str]
346
kind: Optional[str]
347
location: Optional[str]
348
virtual_machines: List[JitNetworkAccessPolicyVirtualMachine]
349
requests: Optional[List[JitNetworkAccessRequest]]
350
provisioning_state: Optional[str]
351
352
class JitNetworkAccessPolicyVirtualMachine:
353
id: str
354
ports: List[JitNetworkAccessPortRule]
355
public_ip_address: Optional[str]
356
357
class JitNetworkAccessPortRule:
358
number: int
359
protocol: str # TCP, UDP, Any
360
allowed_source_address_prefix: Optional[str]
361
allowed_source_address_prefixes: Optional[List[str]]
362
max_request_access_duration: str # ISO 8601 duration format
363
364
class JitNetworkAccessRequest:
365
virtual_machines: List[JitNetworkAccessRequestVirtualMachine]
366
start_time_utc: datetime
367
requestor: str
368
justification: Optional[str]
369
370
class JitNetworkAccessRequestVirtualMachine:
371
id: str
372
ports: List[JitNetworkAccessRequestPort]
373
374
class JitNetworkAccessRequestPort:
375
number: int
376
allowed_source_address_prefix: Optional[str]
377
allowed_source_address_prefixes: Optional[List[str]]
378
end_time_utc: datetime
379
status: str # Revoked, Initiated
380
status_reason: str # Expired, UserRequested, NewerRequestInitiated
381
382
class JitNetworkAccessPolicyInitiateRequest:
383
virtual_machines: List[JitNetworkAccessPolicyInitiateVirtualMachine]
384
justification: Optional[str]
385
386
class JitNetworkAccessPolicyInitiateVirtualMachine:
387
id: str
388
ports: List[JitNetworkAccessPolicyInitiatePort]
389
390
class JitNetworkAccessPolicyInitiatePort:
391
number: int
392
allowed_source_address_prefix: Optional[str]
393
allowed_source_address_prefixes: Optional[List[str]]
394
end_time_utc: datetime
395
396
class TopologyResource:
397
id: Optional[str]
398
name: Optional[str]
399
type: Optional[str]
400
location: Optional[str]
401
calculated_date_time: Optional[datetime]
402
topology_resources: Optional[List[TopologySingleResource]]
403
404
class TopologySingleResource:
405
resource_id: Optional[str]
406
severity: Optional[str]
407
recommendationsExist: Optional[bool]
408
network_zones: Optional[str]
409
topology_score: Optional[int]
410
location: Optional[str]
411
parents: Optional[List[TopologySingleResourceParent]]
412
children: Optional[List[TopologySingleResourceChild]]
413
414
class Rule:
415
name: Optional[str]
416
direction: Optional[str] # Inbound, Outbound
417
destination_port: Optional[int]
418
protocols: Optional[List[str]]
419
source_address_prefix: Optional[str]
420
source_address_prefixes: Optional[List[str]]
421
destination_address_prefix: Optional[str]
422
destination_address_prefixes: Optional[List[str]]
423
424
class EffectiveNetworkSecurityGroups:
425
network_security_groups: Optional[List[str]]
426
network_interface: Optional[str]
427
428
class ConnectableResource:
429
id: Optional[str]
430
inbound_connected_resources: Optional[List[ConnectedResource]]
431
outbound_connected_resources: Optional[List[ConnectedResource]]
432
433
class ConnectedResource:
434
connected_resource_id: Optional[str]
435
tcp_ports: Optional[str]
436
udp_ports: Optional[str]
437
438
class TopologySingleResourceParent:
439
resource_id: Optional[str]
440
441
class TopologySingleResourceChild:
442
resource_id: Optional[str]
443
```
444
445
## Usage Examples
446
447
### Just-in-Time VM Access Management
448
449
```python
450
from azure.identity import DefaultAzureCredential
451
from azure.mgmt.security import SecurityCenter
452
from datetime import datetime, timedelta
453
454
credential = DefaultAzureCredential()
455
client = SecurityCenter(credential, "subscription-id")
456
457
# Create a JIT policy for a VM
458
jit_policy = {
459
"virtual_machines": [{
460
"id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
461
"ports": [
462
{
463
"number": 22,
464
"protocol": "TCP",
465
"allowed_source_address_prefix": "10.0.0.0/8",
466
"max_request_access_duration": "PT3H" # 3 hours
467
},
468
{
469
"number": 3389,
470
"protocol": "TCP",
471
"allowed_source_address_prefixes": ["192.168.1.0/24", "172.16.0.0/16"],
472
"max_request_access_duration": "PT2H" # 2 hours
473
}
474
]
475
}]
476
}
477
478
# Create the JIT policy
479
policy = client.jit_network_access_policies.create_or_update(
480
"my-rg",
481
"eastus",
482
"vm1-jit-policy",
483
jit_policy
484
)
485
print(f"Created JIT policy: {policy.name}")
486
487
# Request JIT access
488
access_request = {
489
"virtual_machines": [{
490
"id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
491
"ports": [{
492
"number": 22,
493
"allowed_source_address_prefix": "203.0.113.0/32", # Specific IP
494
"end_time_utc": datetime.utcnow() + timedelta(hours=2)
495
}]
496
}],
497
"justification": "Emergency maintenance access required"
498
}
499
500
request = client.jit_network_access_policies.initiate(
501
"my-rg",
502
"eastus",
503
"vm1-jit-policy",
504
access_request
505
)
506
print(f"JIT access requested for: {request.requestor}")
507
508
# List all JIT policies
509
policies = client.jit_network_access_policies.list()
510
for policy in policies:
511
print(f"Policy: {policy.name}")
512
print(f"VMs: {len(policy.virtual_machines)}")
513
514
for vm in policy.virtual_machines:
515
print(f" VM: {vm.id}")
516
print(f" Ports: {[p.number for p in vm.ports]}")
517
518
# Show active requests
519
if policy.requests:
520
for req in policy.requests:
521
print(f" Active Request: {req.requestor}")
522
print(f" Start: {req.start_time_utc}")
523
print(f" Justification: {req.justification}")
524
```
525
526
### Adaptive Network Hardening
527
528
```python
529
# List adaptive network hardenings
530
hardenings = client.adaptive_network_hardenings.list()
531
532
for hardening in hardenings:
533
print(f"Hardening: {hardening.name}")
534
print(f"Calculation Time: {hardening.rules_calculation_time}")
535
print(f"Rules Count: {len(hardening.rules or [])}")
536
537
# Show recommended rules
538
if hardening.rules:
539
print(" Recommended Rules:")
540
for rule in hardening.rules:
541
print(f" {rule.direction} - Port {rule.destination_port}")
542
print(f" Protocol: {rule.protocols}")
543
print(f" Source: {rule.source_address_prefix}")
544
545
# Get specific hardening for a VM
546
vm_hardening = client.adaptive_network_hardenings.get(
547
"my-rg",
548
"Microsoft.Compute",
549
"virtualMachines",
550
"my-vm",
551
"default"
552
)
553
554
print(f"VM Hardening Rules: {len(vm_hardening.rules or [])}")
555
556
# Enforce hardening recommendations
557
if vm_hardening.rules:
558
enforce_request = {
559
"rules": vm_hardening.rules[:5], # Enforce first 5 rules
560
"network_security_groups": [
561
"/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/nsg1"
562
]
563
}
564
565
result = client.adaptive_network_hardenings.enforce(
566
"my-rg",
567
"Microsoft.Compute",
568
"virtualMachines",
569
"my-vm",
570
"default",
571
enforce_request
572
)
573
print(f"Enforced {len(result.rules)} hardening rules")
574
```
575
576
### Network Topology Analysis
577
578
```python
579
# Get network topology
580
topology_resources = client.topology.list()
581
582
for resource in topology_resources:
583
print(f"Topology Resource: {resource.name}")
584
print(f"Location: {resource.location}")
585
print(f"Calculated: {resource.calculated_date_time}")
586
587
if resource.topology_resources:
588
print(f"Network Resources: {len(resource.topology_resources)}")
589
590
for topo_resource in resource.topology_resources:
591
print(f" Resource: {topo_resource.resource_id}")
592
print(f" Severity: {topo_resource.severity}")
593
print(f" Score: {topo_resource.topology_score}")
594
print(f" Has Recommendations: {topo_resource.recommendationsExist}")
595
596
# Show network relationships
597
if topo_resource.parents:
598
print(f" Parents: {len(topo_resource.parents)}")
599
for parent in topo_resource.parents:
600
print(f" - {parent.resource_id}")
601
602
if topo_resource.children:
603
print(f" Children: {len(topo_resource.children)}")
604
for child in topo_resource.children:
605
print(f" - {child.resource_id}")
606
607
# Get topology for specific region
608
region_topology = client.topology.list_by_home_region("eastus")
609
for resource in region_topology:
610
print(f"Regional Topology: {resource.name}")
611
```
612
613
### Allowed Connections Monitoring
614
615
```python
616
# List allowed connections
617
connections = client.allowed_connections.list()
618
619
for connection in connections:
620
print(f"Connection Resource: {connection.name}")
621
print(f"Location: {connection.location}")
622
623
if connection.connectable_resources:
624
print(f"Connectable Resources: {len(connection.connectable_resources)}")
625
626
for connectable in connection.connectable_resources:
627
print(f" Resource: {connectable.id}")
628
629
# Show inbound connections
630
if connectable.inbound_connected_resources:
631
print(f" Inbound Connections: {len(connectable.inbound_connected_resources)}")
632
for inbound in connectable.inbound_connected_resources:
633
print(f" From: {inbound.connected_resource_id}")
634
if inbound.tcp_ports:
635
print(f" TCP Ports: {inbound.tcp_ports}")
636
if inbound.udp_ports:
637
print(f" UDP Ports: {inbound.udp_ports}")
638
639
# Show outbound connections
640
if connectable.outbound_connected_resources:
641
print(f" Outbound Connections: {len(connectable.outbound_connected_resources)}")
642
for outbound in connectable.outbound_connected_resources:
643
print(f" To: {outbound.connected_resource_id}")
644
if outbound.tcp_ports:
645
print(f" TCP Ports: {outbound.tcp_ports}")
646
if outbound.udp_ports:
647
print(f" UDP Ports: {outbound.udp_ports}")
648
649
# Get connections for specific resource group
650
rg_connections = client.allowed_connections.get(
651
"my-rg",
652
"eastus",
653
"Internal"
654
)
655
print(f"Resource Group Internal Connections: {len(rg_connections.connectable_resources or [])}")
656
```
657
658
### Network Security Monitoring Dashboard
659
660
```python
661
def create_network_security_dashboard():
662
"""Create a comprehensive network security status dashboard."""
663
664
print("Network Security Dashboard")
665
print("=" * 50)
666
667
# JIT Policy Status
668
print("\n1. Just-in-Time Access Policies:")
669
jit_policies = client.jit_network_access_policies.list()
670
total_policies = 0
671
active_requests = 0
672
673
for policy in jit_policies:
674
total_policies += 1
675
if policy.requests:
676
active_requests += len([r for r in policy.requests
677
if r.start_time_utc and
678
any(p.status == "Initiated" for vm in r.virtual_machines for p in vm.ports)])
679
680
print(f" Total Policies: {total_policies}")
681
print(f" Active Requests: {active_requests}")
682
683
# Network Hardening Status
684
print("\n2. Adaptive Network Hardening:")
685
hardenings = client.adaptive_network_hardenings.list()
686
hardening_count = sum(1 for _ in hardenings)
687
print(f" Hardening Resources: {hardening_count}")
688
689
# Topology Analysis
690
print("\n3. Network Topology:")
691
topology = client.topology.list()
692
resources_with_recommendations = 0
693
total_topology_resources = 0
694
695
for topo in topology:
696
if topo.topology_resources:
697
for resource in topo.topology_resources:
698
total_topology_resources += 1
699
if resource.recommendationsExist:
700
resources_with_recommendations += 1
701
702
print(f" Total Resources: {total_topology_resources}")
703
print(f" Resources with Recommendations: {resources_with_recommendations}")
704
705
# Connection Analysis
706
print("\n4. Network Connections:")
707
connections = client.allowed_connections.list()
708
total_connections = 0
709
710
for conn in connections:
711
if conn.connectable_resources:
712
total_connections += len(conn.connectable_resources)
713
714
print(f" Connectable Resources: {total_connections}")
715
716
return {
717
"jit_policies": total_policies,
718
"active_jit_requests": active_requests,
719
"hardening_resources": hardening_count,
720
"topology_resources": total_topology_resources,
721
"resources_with_recommendations": resources_with_recommendations,
722
"connectable_resources": total_connections
723
}
724
725
# Generate the dashboard
726
dashboard_data = create_network_security_dashboard()
727
```