Activity logs only get recorded when a change is made and are retained for 90 days. A diagnostic setting will only transfer new changes. This method could only find duplicate NSG rules if they were both made within that timeframe. Your workspace may also be on the default 30 days retention. It might be better to query the Resource Graph to compare all current NSG rules. Unfortunately, I don't think you can call the resource graph from an alert rule. Workbooks can query the graph. Maybe a workbook that lists all of the NSG rules and flags duplicates would be sufficient. I wouldn't be surprised if there is already a workbook to help review NSG configuration. I think Defender for Servers does some NSG evaluation called Adaptive Network Hardening.
KQL Query to match NSG Inbound Rules with other Resource Group NSG Inbound Rules.
I'm looking to create an Azure Monitor alert to compare NSG Inbound Rules with other RG NSG Rules. If the rules do not match, an alert should be fired.
For the same, I enabled Diagnostic settings under both NSG and set the same Log Analytics Workspace one week ago.
The Table ("Azure Activity") under Log Analytics Workspace won't show me any Results. What would be the cause?
Secondly, how is it possible to compare using KQL? Is the KQL query below correct?
    let primary_nsg = "<primary_nsg_name>";
    let secondary_nsg = "<secondary_nsg_name>";
    let primary_rg = "<primary_resource_group_name>";
    let secondary_rg = "<secondary_resource_group_name>";
    // Inbound rules of the primary NSG, with the NSG-identifying columns dropped so rows can be compared.
    let primary_rules = AzureNetworkSecurityGroupRule
        | where ResourceGroup == primary_rg and SecurityRuleDirection == "Inbound" and NetworkSecurityGroupName == primary_nsg
        | project-away ResourceId, SubscriptionId, ResourceGroup, NetworkSecurityGroupName
        | extend RuleKey = hash(tostring(pack_all()));
    let secondary_rules = AzureNetworkSecurityGroupRule
        | where ResourceGroup == secondary_rg and SecurityRuleDirection == "Inbound" and NetworkSecurityGroupName == secondary_nsg
        | project-away ResourceId, SubscriptionId, ResourceGroup, NetworkSecurityGroupName
        | extend RuleKey = hash(tostring(pack_all()));
    // set_difference() works on dynamic arrays, not tabular expressions; an anti-join on a per-row
    // key returns the primary rules that have no identical rule in the secondary NSG.
    primary_rules
    | join kind=leftanti secondary_rules on RuleKey
Thanks, @Andrew Blumhardt. I'm working on the Disaster Recovery Failover Feature. Azure won't replicate NSG Rules automatically to the secondary region, so I need to create them manually before failover. I just want to get an alert if the NSG Inbound Rules don't match the Secondary region NSG Inbound Rules. This is for Production Servers. Do you have any other solution for this scenario?
@Andrew Blumhardt Is it possible to get an alert if NSG Inbound rules don't match with another NSG using the signal "Create or Update Network Security Group", Operation: "Microsoft.Network/networkSecurityGroups/write"?
Rahul - Thanks for posting a follow-up question. I believe it is not possible if NSG Inbound rules don't match with another NSG. But I have reached out to our product team to get a response on this; I will get back to you as soon as I hear back from them. Thanks.
@Rahul - Thanks for reaching out to us and for being patient while I was trying to gather more information on this.
So, this feature is currently being developed for this semester and I am gathering more information on the timelines. At this moment the workaround looks like you need Infra-as-code: ideally you would have the desired state for NSGs in some git repo, and that would then be propagated (for example, daily) to both regions.
If you don't want to go IaC just yet, I would recommend building something with Azure Automation and Azure Resource Graph: a PowerShell script could check the NSGs, and raise an alert when there is a discrepancy. The script could be either run periodically or triggered by changes to NSGs.
Hope this helps, and please feel free to reach out if you have any further questions.
If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.
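Putting together the Resource Graph suggestion from the first answer and the PowerShell-plus-Resource-Graph workaround from this one, here is an added example script (not from the thread or from Microsoft). It assumes the Az.ResourceGraph module is installed, the session is already signed in (for example with the Automation account's managed identity), and the NSG names are placeholders.

```powershell
# Added example: compare the inbound rules of two NSGs via Azure Resource Graph and fail if they differ.
param(
    [string]$PrimaryNsg   = '<primary_nsg_name>',    # placeholder
    [string]$SecondaryNsg = '<secondary_nsg_name>'   # placeholder
)

# Resource Graph holds the current state of every NSG, so no diagnostic setting or retention window is needed.
$query = @"
Resources
| where type =~ 'microsoft.network/networksecuritygroups'
| where name in~ ('$PrimaryNsg', '$SecondaryNsg')
| mv-expand rule = properties.securityRules
| where tolower(tostring(rule.properties.direction)) == 'inbound'
| project nsg = name, ruleName = tostring(rule.name),
    priority = toint(rule.properties.priority),
    access   = tostring(rule.properties.access),
    protocol = tostring(rule.properties.protocol),
    src      = tostring(rule.properties.sourceAddressPrefix),
    srcs     = tostring(rule.properties.sourceAddressPrefixes),
    srcPort  = tostring(rule.properties.sourcePortRange),
    srcPorts = tostring(rule.properties.sourcePortRanges),
    dst      = tostring(rule.properties.destinationAddressPrefix),
    dsts     = tostring(rule.properties.destinationAddressPrefixes),
    dstPort  = tostring(rule.properties.destinationPortRange),
    dstPorts = tostring(rule.properties.destinationPortRanges)
"@

# Search-AzGraph pages at 100 rows by default; -First raises that (1000 is the maximum per call).
$rows = Search-AzGraph -Query $query -First 1000

# A rule signature that excludes the NSG name, so identical rules in both NSGs compare equal.
function Get-RuleKey($r) {
    ($r.ruleName, $r.priority, $r.access, $r.protocol, $r.src, $r.srcs,
     $r.srcPort, $r.srcPorts, $r.dst, $r.dsts, $r.dstPort, $r.dstPorts) -join '|'
}

$primary = @{}; $secondary = @{}
foreach ($r in $rows) {
    $key = Get-RuleKey $r
    if ($r.nsg -ieq $PrimaryNsg) { $primary[$key] = $r } else { $secondary[$key] = $r }
}
$missingInSecondary = $primary.Keys   | Where-Object { -not $secondary.ContainsKey($_) }
$extraInSecondary   = $secondary.Keys | Where-Object { -not $primary.ContainsKey($_) }

if ($missingInSecondary -or $extraInSecondary) {
    $missingInSecondary | ForEach-Object { Write-Warning "Missing in ${SecondaryNsg}: $_" }
    $extraInSecondary   | ForEach-Object { Write-Warning "Only in ${SecondaryNsg}: $_" }
    # A terminating error fails the Automation job; an alert rule on failed jobs then notifies the team.
    throw "NSG inbound rules differ between $PrimaryNsg and $SecondaryNsg"
}
Write-Output "NSG inbound rules match"
```

Run it as a scheduled Automation runbook, or trigger it from an Activity Log alert on "Microsoft.Network/networkSecurityGroups/write" so a drift check follows every NSG change.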