Adaptive Network Hardenings - Enforce

Service:

Defender for Cloud

API Version:

2020-01-01

Applique les règles spécifiées sur le ou les groupes de sécurité réseau répertoriés dans la demande

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/adaptiveNetworkHardenings/{adaptiveNetworkHardeningResourceName}/enforce?api-version=2020-01-01

Paramètres URI

Nom	Dans	Obligatoire	Type	Description
adaptiveNetworkHardeningEnforceAction	path	True	AdaptiveNetworkHardeningEnforceAction	Applique les règles spécifiées sur le ou les groupes de sécurité réseau répertoriés dans la demande
adaptiveNetworkHardeningResourceName	path	True	string	Nom de la ressource de renforcement du réseau adaptatif.
resourceGroupName	path	True	string	Nom du groupe de ressources dans l’abonnement de l’utilisateur. Le nom ne respecte pas la casse. Regex pattern: ^[-\w\._\(\)]+$
resourceName	path	True	string	Nom de la ressource.
resourceNamespace	path	True	string	Espace de noms de la ressource.
resourceType	path	True	string	Type de la ressource.
subscriptionId	path	True	string	ID d’abonnement Azure Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$
api-version	query	True	string	Version de l’API pour l’opération

Corps de la demande

Nom	Obligatoire	Type	Description
networkSecurityGroups	True	string[]	ID de ressources Azure des groupes de sécurité réseau effectifs qui seront mis à jour avec les règles de sécurité créées à partir des règles de renforcement du réseau adaptatif
rules	True	Rule[]	Règles à appliquer

Réponses

Nom	Type	Description
200 OK		OK.
202 Accepted		Accepté
Other Status Codes	CloudError	Réponse d’erreur décrivant la raison de l’échec de l’opération.

Sécurité

azure_auth

Flux OAuth2 Azure Active Directory

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Nom	Description
user_impersonation	Emprunter l’identité de votre compte d’utilisateur

Exemples

Enforces the given rules on the NSG(s) listed in the request

Sample Request

HTTP

POST https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.Security/adaptiveNetworkHardenings/default/enforce?api-version=2020-01-01

{
  "rules": [
    {
      "name": "rule1",
      "direction": "Inbound",
      "destinationPort": 3389,
      "protocols": [
        "TCP"
      ],
      "ipAddresses": [
        "100.10.1.1",
        "200.20.2.2",
        "81.199.3.0/24"
      ]
    },
    {
      "name": "rule2",
      "direction": "Inbound",
      "destinationPort": 22,
      "protocols": [
        "TCP"
      ],
      "ipAddresses": []
    }
  ],
  "networkSecurityGroups": [
    "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1",
    "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg2"
  ]
}

Java

import com.azure.resourcemanager.security.models.AdaptiveNetworkHardeningEnforceRequest;
import com.azure.resourcemanager.security.models.Direction;
import com.azure.resourcemanager.security.models.Rule;
import com.azure.resourcemanager.security.models.TransportProtocol;
import java.util.Arrays;

/** Samples for AdaptiveNetworkHardenings Enforce. */
public final class Main {
    /*
     * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/AdaptiveNetworkHardenings/EnforceAdaptiveNetworkHardeningRules_example.json
     */
    /**
     * Sample code: Enforces the given rules on the NSG(s) listed in the request.
     *
     * @param manager Entry point to SecurityManager.
     */
    public static void enforcesTheGivenRulesOnTheNSGSListedInTheRequest(
        com.azure.resourcemanager.security.SecurityManager manager) {
        manager
            .adaptiveNetworkHardenings()
            .enforce(
                "rg1",
                "Microsoft.Compute",
                "virtualMachines",
                "vm1",
                "default",
                new AdaptiveNetworkHardeningEnforceRequest()
                    .withRules(
                        Arrays
                            .asList(
                                new Rule()
                                    .withName("rule1")
                                    .withDirection(Direction.INBOUND)
                                    .withDestinationPort(3389)
                                    .withProtocols(Arrays.asList(TransportProtocol.TCP))
                                    .withIpAddresses(Arrays.asList("100.10.1.1", "200.20.2.2", "81.199.3.0/24")),
                                new Rule()
                                    .withName("rule2")
                                    .withDirection(Direction.INBOUND)
                                    .withDestinationPort(22)
                                    .withProtocols(Arrays.asList(TransportProtocol.TCP))
                                    .withIpAddresses(Arrays.asList())))
                    .withNetworkSecurityGroups(
                        Arrays
                            .asList(
                                "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1",
                                "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg2")),
                com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/AdaptiveNetworkHardenings/EnforceAdaptiveNetworkHardeningRules_example.json
func ExampleAdaptiveNetworkHardeningsClient_BeginEnforce() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewAdaptiveNetworkHardeningsClient().BeginEnforce(ctx, "rg1", "Microsoft.Compute", "virtualMachines", "vm1", "default", armsecurity.AdaptiveNetworkHardeningEnforceRequest{
		NetworkSecurityGroups: []*string{
			to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1"),
			to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg2")},
		Rules: []*armsecurity.Rule{
			{
				Name:            to.Ptr("rule1"),
				DestinationPort: to.Ptr[int32](3389),
				Direction:       to.Ptr(armsecurity.DirectionInbound),
				IPAddresses: []*string{
					to.Ptr("100.10.1.1"),
					to.Ptr("200.20.2.2"),
					to.Ptr("81.199.3.0/24")},
				Protocols: []*armsecurity.TransportProtocol{
					to.Ptr(armsecurity.TransportProtocolTCP)},
			},
			{
				Name:            to.Ptr("rule2"),
				DestinationPort: to.Ptr[int32](22),
				Direction:       to.Ptr(armsecurity.DirectionInbound),
				IPAddresses:     []*string{},
				Protocols: []*armsecurity.TransportProtocol{
					to.Ptr(armsecurity.TransportProtocolTCP)},
			}},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	_, err = poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Enforces the given rules on the NSG(s) listed in the request
 *
 * @summary Enforces the given rules on the NSG(s) listed in the request
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/AdaptiveNetworkHardenings/EnforceAdaptiveNetworkHardeningRules_example.json
 */
async function enforcesTheGivenRulesOnTheNsgSListedInTheRequest() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const resourceGroupName = process.env["SECURITY_RESOURCE_GROUP"] || "rg1";
  const resourceNamespace = "Microsoft.Compute";
  const resourceType = "virtualMachines";
  const resourceName = "vm1";
  const adaptiveNetworkHardeningResourceName = "default";
  const body = {
    networkSecurityGroups: [
      "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1",
      "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg2",
    ],
    rules: [
      {
        name: "rule1",
        destinationPort: 3389,
        direction: "Inbound",
        ipAddresses: ["100.10.1.1", "200.20.2.2", "81.199.3.0/24"],
        protocols: ["TCP"],
      },
      {
        name: "rule2",
        destinationPort: 22,
        direction: "Inbound",
        ipAddresses: [],
        protocols: ["TCP"],
      },
    ],
  };
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.adaptiveNetworkHardenings.beginEnforceAndWait(
    resourceGroupName,
    resourceNamespace,
    resourceType,
    resourceName,
    adaptiveNetworkHardeningResourceName,
    body,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

dotnet

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.SecurityCenter;
using Azure.ResourceManager.SecurityCenter.Models;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/AdaptiveNetworkHardenings/EnforceAdaptiveNetworkHardeningRules_example.json
// this example is just showing the usage of "AdaptiveNetworkHardenings_Enforce" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this AdaptiveNetworkHardeningResource created on azure
// for more information of creating AdaptiveNetworkHardeningResource, please refer to the document of AdaptiveNetworkHardeningResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string resourceGroupName = "rg1";
string resourceNamespace = "Microsoft.Compute";
string resourceType = "virtualMachines";
string resourceName = "vm1";
string adaptiveNetworkHardeningResourceName = "default";
ResourceIdentifier adaptiveNetworkHardeningResourceId = AdaptiveNetworkHardeningResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName);
AdaptiveNetworkHardeningResource adaptiveNetworkHardening = client.GetAdaptiveNetworkHardeningResource(adaptiveNetworkHardeningResourceId);

// invoke the operation
AdaptiveNetworkHardeningEnforceContent content = new AdaptiveNetworkHardeningEnforceContent(new RecommendedSecurityRule[]
{
new RecommendedSecurityRule()
{
Name = "rule1",
Direction = SecurityTrafficDirection.Inbound,
DestinationPort = 3389,
Protocols =
{
SecurityTransportProtocol.Tcp
},
IPAddresses =
{
"100.10.1.1","200.20.2.2","81.199.3.0/24"
},
},new RecommendedSecurityRule()
{
Name = "rule2",
Direction = SecurityTrafficDirection.Inbound,
DestinationPort = 22,
Protocols =
{
SecurityTransportProtocol.Tcp
},
IPAddresses =
{
},
}
}, new string[]
{
"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1","/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg2"
});
await adaptiveNetworkHardening.EnforceAsync(WaitUntil.Completed, content);

Console.WriteLine($"Succeeded");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:

200

Status code:

202

Définitions

Nom	Description
AdaptiveNetworkHardeningEnforceAction	Applique les règles spécifiées sur le ou les groupes de sécurité réseau répertoriés dans la demande
AdaptiveNetworkHardeningEnforceRequest
CloudError	Réponse d’erreur courante pour toutes les API Azure Resource Manager pour retourner les détails de l’erreur concernant les opérations ayant échoué. (Cela suit également le format de réponse d’erreur OData.).
CloudErrorBody	Détail de l’erreur.
direction	Direction de la règle
ErrorAdditionalInfo	Informations supplémentaires sur l’erreur de gestion des ressources.
Rule	Décrit les adresses distantes recommandées pour communiquer avec la ressource Azure sur certaines (protocole, port, direction). Il est recommandé de bloquer toutes les autres adresses distantes
transportProtocol	Protocoles de transport de la règle

AdaptiveNetworkHardeningEnforceAction

Applique les règles spécifiées sur le ou les groupes de sécurité réseau répertoriés dans la demande

Nom	Type	Description
enforce	string

AdaptiveNetworkHardeningEnforceRequest

Nom	Type	Description
networkSecurityGroups	string[]	ID de ressources Azure des groupes de sécurité réseau effectifs qui seront mis à jour avec les règles de sécurité créées à partir des règles de renforcement du réseau adaptatif
rules	Rule[]	Règles à appliquer

CloudError

Réponse d’erreur courante pour toutes les API Azure Resource Manager pour retourner les détails de l’erreur concernant les opérations ayant échoué. (Cela suit également le format de réponse d’erreur OData.).

Nom	Type	Description
error.additionalInfo	ErrorAdditionalInfo[]	Informations supplémentaires sur l’erreur.
error.code	string	Code d'erreur.
error.details	CloudErrorBody[]	Détails de l’erreur.
error.message	string	Message d’erreur.
error.target	string	Cible d’erreur.

CloudErrorBody

Détail de l’erreur.

Nom	Type	Description
additionalInfo	ErrorAdditionalInfo[]	Informations supplémentaires sur l’erreur.
code	string	Code d'erreur.
details	CloudErrorBody[]	Détails de l’erreur.
message	string	Message d’erreur.
target	string	Cible d’erreur.

direction

Direction de la règle

Nom	Type	Description
Inbound	string
Outbound	string

ErrorAdditionalInfo

Informations supplémentaires sur l’erreur de gestion des ressources.

Nom	Type	Description
info	object	Informations supplémentaires
type	string	Type d’informations supplémentaires.

Rule

Décrit les adresses distantes recommandées pour communiquer avec la ressource Azure sur certaines (protocole, port, direction). Il est recommandé de bloquer toutes les autres adresses distantes

Nom	Type	Description
destinationPort	integer	Port de destination de la règle
direction	direction	Direction de la règle
ipAddresses	string[]	Adresses IP distantes qui doivent être en mesure de communiquer avec la ressource Azure sur le port et le protocole de destination de la règle
name	string	Nom de la règle
protocols	transportProtocol[]	Protocoles de transport de la règle

transportProtocol

Protocoles de transport de la règle

Nom	Type	Description
TCP	string
UDP	string