Open tksh164 opened 1 month ago
I created these KQLs to find resources which use AzureUpdateDelivery or AzureFrontDoor.FirstParty tags. However, rules in Azure Firewall policy could not be searched in KQL.
For NSGs:

```kusto
resources
| where type =~ "Microsoft.Network/NetworkSecurityGroups"
| mv-expand rule = properties.securityRules
| extend source = rule.properties.sourceAddressPrefix
| extend destination = rule.properties.destinationAddressPrefix
| extend ruleName = rule.name
| where source == "AzureUpdateDelivery" or destination == "AzureUpdateDelivery" or source == "AzureFrontDoor.FirstParty" or destination == "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, ruleName, source, destination
```
For Route Tables:

```kusto
resources
| where type =~ "Microsoft.Network/routetables"
| mv-expand route = properties.routes
| extend routeName = route.name
| extend addressPrefix = route.properties.addressPrefix
| where addressPrefix == "AzureUpdateDelivery" or addressPrefix == "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, routeName, addressPrefix
```
For Azure Firewall (classic rules):

```kusto
resources
| where type =~ "Microsoft.Network/AzureFirewalls"
| mv-expand nwRules = properties.networkRuleCollections
| mv-expand nwRule = nwRules.properties.rules
| extend ruleName = nwRule.name
| extend sourceAddresses = nwRule.sourceAddresses
| extend destinationAddresses = nwRule.destinationAddresses
| where sourceAddresses contains "AzureUpdateDelivery" or destinationAddresses contains "AzureUpdateDelivery" or sourceAddresses contains "AzureFrontDoor.FirstParty" or destinationAddresses contains "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, ruleName, sourceAddresses, destinationAddresses
```
Describe the solution you'd like
The Azure Update Delivery service tag is being deprecated, so we should detect whether customers are using that service tag.
Changes coming to the Azure Update Delivery service tag
Available service tags
The above deprecation will affect the following resources at least:
Describe alternatives you've considered
n/a
Additional context
n/a
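
An added example, not part of the original issue or the project's code, for the Azure Firewall policy gap mentioned above: it scans a rule collection group that has already been exported as JSON for the two service tags. The `properties.ruleCollections[].rules[]` layout with `sourceAddresses` and `destinationAddresses` lists is assumed from the ARM resource shape; the function name and sample data are constructed.

```python
"""Scan an exported Azure Firewall policy rule collection group for service tags."""
import json

# Tags named in the issue; compared case-insensitively as whole values.
TAGS = {"azureupdatedelivery", "azurefrontdoor.firstparty"}
ADDRESS_FIELDS = ("sourceAddresses", "destinationAddresses")

# Constructed sample shaped like a firewallPolicies/ruleCollectionGroups resource
# (layout assumed from the ARM resource type; names and addresses are made up).
SAMPLE_RCG = json.loads("""
{
  "name": "DefaultNetworkRuleCollectionGroup",
  "properties": {"priority": 200, "ruleCollections": [{
    "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
    "name": "allow-updates",
    "rules": [
      {"ruleType": "NetworkRule", "name": "windows-update",
       "sourceAddresses": ["10.0.0.0/16"],
       "destinationAddresses": ["AzureUpdateDelivery", "azurefrontdoor.firstparty"]},
      {"ruleType": "NetworkRule", "name": "dns",
       "sourceAddresses": ["10.0.0.0/16"],
       "destinationAddresses": ["168.63.129.16"]},
      {"ruleType": "ApplicationRule", "name": "web",
       "sourceAddresses": ["*"], "targetFqdns": ["example.com"]}
    ]}]}
}
""")


def find_tagged_rules(rcg, tags=TAGS):
    """Return one finding per address entry that equals a watched service tag."""
    findings = []
    props = rcg.get("properties") or {}
    for coll in props.get("ruleCollections") or []:
        for rule in coll.get("rules") or []:  # rules may be absent or null
            for field in ADDRESS_FIELDS:
                for value in rule.get(field) or []:
                    if isinstance(value, str) and value.strip().lower() in tags:
                        findings.append({"group": rcg.get("name"),
                                         "collection": coll.get("name"),
                                         "rule": rule.get("name"),
                                         "field": field, "tag": value})
    return findings


if __name__ == "__main__":
    for finding in find_tagged_rules(SAMPLE_RCG):
        print(json.dumps(finding))
```

Matching here is exact and case-insensitive per list entry, so a CIDR or FQDN that merely contains one of the tag strings is not reported.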