Problem description
In the Azure Resource Graph Explorer page, when checking the public network access state of an Azure Key Vault resource, which value indicates that the resource cannot be reached from the public network?
The query used:
resources
// | where name == <your keyvault name>
| where type == "microsoft.keyvault/vaults"
| extend ipRulesCount = array_length(properties.networkAcls.ipRules), vnrCount = array_length(properties.networkAcls.virtualNetworkRules)
| project properties.publicNetworkAccess, properties.networkAcls.defaultAction, ipRulesCount, vnrCount
PS: Azure Resource Graph Explorer page ( https://portal.azure.cn/#view/HubsExtension/ArgQueryBlade )
Answer
Comparing the query output against the Key Vault Networking settings gives the following table:
| | Allow public access from all networks (any network can reach the vault) | Allow public access from specific virtual networks and IP addresses (only the listed IP addresses or virtual networks can reach it) | Disable public access (no public access) |
| properties.publicNetworkAccess | Enabled | Enabled | Disabled |
| properties.networkAcls.defaultAction | null / Allow | Deny | Deny |
From the table above: whenever properties.networkAcls.defaultAction == Deny or properties.publicNetworkAccess == Disabled, the resource is not open to all public networks (in the Deny case only the listed IP addresses or virtual networks can still reach it).
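The same decision table, applied in Python to Resource Graph records instead of inside the query. This is an added example, not code from the original post: it recomputes the columns the query projects (publicNetworkAccess, defaultAction, ipRulesCount, vnrCount) from the raw properties of each record, then classifies the vault into one of the three columns of the table. The sample records are constructed, the function names are this example's own, and it assumes that a record with no publicNetworkAccess value behaves as Enabled. The last helper goes one step past the post: a Deny vault that still carries IP rules admits those addresses, so it is distinguished from a vault with no IP rules at all.

```python
"""Classify Azure Key Vault public-network exposure from Resource Graph records.

Added example, not code from the original post. It re-implements in Python the
columns the post's KQL query computes (ipRulesCount, vnrCount,
publicNetworkAccess, defaultAction) and applies the post's decision table to
them. The resource records below are constructed; the function names are this
example's own.
"""
from typing import Any, Optional

# Constructed sample records shaped like rows of the Resource Graph `resources`
# table; only the fields the post's query reads are filled in.
SAMPLE_VAULTS = [
    {   # Table column 1: "Allow public access from all networks"
        "name": "kv-all-networks",
        "type": "microsoft.keyvault/vaults",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Allow",
                            "ipRules": [], "virtualNetworkRules": []},
        },
    },
    {   # Table column 2: "Allow public access from specific virtual networks and IP addresses"
        "name": "kv-selected",
        "type": "microsoft.keyvault/vaults",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Deny",
                            "ipRules": [{"value": "203.0.113.0/24"}],  # constructed, documentation range
                            "virtualNetworkRules": [{"id": "<subnet resource id placeholder>"}]},
        },
    },
    {   # Table column 3: "Disable public access"
        "name": "kv-disabled",
        "type": "microsoft.keyvault/vaults",
        "properties": {
            "publicNetworkAccess": "Disabled",
            "networkAcls": {"defaultAction": "Deny",
                            "ipRules": [], "virtualNetworkRules": []},
        },
    },
    {   # No networkAcls block at all: defaultAction comes back null, which the
        # post's table groups with Allow (open to all networks).
        "name": "kv-no-acls",
        "type": "microsoft.keyvault/vaults",
        "properties": {"publicNetworkAccess": "Enabled"},
    },
]


def array_length(value: Any) -> Optional[int]:
    """Mirror KQL array_length(): element count for an array, null otherwise."""
    return len(value) if isinstance(value, list) else None


def summarize_vault(resource: dict) -> dict:
    """Produce the same columns the post's query projects, plus the vault name."""
    props = resource.get("properties") or {}
    acls = props.get("networkAcls") or {}
    return {
        "name": resource.get("name"),
        "publicNetworkAccess": props.get("publicNetworkAccess"),
        "defaultAction": acls.get("defaultAction"),
        "ipRulesCount": array_length(acls.get("ipRules")),
        "vnrCount": array_length(acls.get("virtualNetworkRules")),
    }


def exposure(summary: dict) -> str:
    """Map a summary row onto the three columns of the post's table.

    Returns "all-networks", "selected-networks" or "disabled". Comparisons are
    case-insensitive so a row reading "enabled"/"deny" is not misclassified.
    Assumption (this example's own): a missing publicNetworkAccess is Enabled.
    """
    pna = (summary.get("publicNetworkAccess") or "Enabled").lower()
    if pna == "disabled":
        return "disabled"
    action = (summary.get("defaultAction") or "Allow").lower()  # null behaves like Allow
    if action == "allow":
        return "all-networks"
    if action == "deny":
        return "selected-networks"
    raise ValueError(f"unexpected defaultAction {summary.get('defaultAction')!r}")


def blocked_from_all_public_networks(summary: dict) -> bool:
    """The post's rule: defaultAction == Deny or publicNetworkAccess == Disabled."""
    return exposure(summary) != "all-networks"


def reachable_from_some_public_ip(summary: dict) -> bool:
    """Beyond the post: a Deny vault with IP rules still admits those addresses,
    so only 'disabled' or 'Deny with zero ipRules' is closed to public IPs."""
    kind = exposure(summary)
    if kind == "all-networks":
        return True
    if kind == "disabled":
        return False
    return (summary.get("ipRulesCount") or 0) > 0


def report(resources: list) -> list:
    """Summaries for every Key Vault in a result set, filtered as the query filters."""
    rows = []
    for r in resources:
        if r.get("type") != "microsoft.keyvault/vaults":
            continue
        s = summarize_vault(r)
        rows.append({**s, "exposure": exposure(s)})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_VAULTS):
        print(row)
```

Run it as-is to see the four constructed vaults classified; to use it on real data, feed it the JSON records returned by the same `resources` query without the `project` stage (for example the output of `az graph query`), since summarize_vault reads the raw `properties` object.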
References
Kusto Query Language overview : https://learn.microsoft.com/en-us/kusto/query/?view=microsoft-fabric
array_length() : https://learn.microsoft.com/en-us/kusto/query/array-length-function?view=microsoft-fabric
When facing problems in a complex environment, the way of investigation requires: let the muddied water settle and slowly clear; let stillness be stirred and slowly come to life. In the cloud, it is exactly so!