When securing an Azure subscription there are a whole bunch of important things to do – many of these Microsoft has documented very well on their website. One thing that isn’t well documented is how to monitor the creation of public IP addresses in your subscription.
Public IP addresses connect your Azure environment to the internet, so they are the route in for a hacker. They are probably also one of the things that a hacker might look to create once they have gained access, in order to easily exfiltrate anything worth having.
Clearly not all public IP addresses created are bad – you do want to connect to the internet after all – but unexpected creation of public IP addresses can be a sign of poor management, a lack of Azure expertise, or that someone has gained access.
So how do we monitor, and alert on, public IP address creation?
First log into the Azure Portal at portal.azure.com
Once there don’t be fooled into entering “Alert” into the search bar at the top –
This unhelpfully takes you to the classic alerts experience:
And tells you “This is the retired classic alerts experience” and provides a link to the “New rules experience”
Instead start out by clicking “Monitor” in the left navigation
Then once in the “Monitor – Overview” pane select “Alerts” from the inner left navigation
We now need to create a new alert rule and a new action group. Start by selecting “+New alert rule”:
This brings up the Create rule dialogue page where we need to specify the resource we want to monitor, the condition we are waiting to experience, the action we want to take when the condition occurs, and the name and description of the alert.
I have populated the resource with my subscription name and then selected “Add” under the “CONDITION” section to get the list of all possible conditions and in the search box written “public”:
When I select “Create or Update Public Ip Address” the “Configure signal logic” tab is brought up:
Notice that at present it shows that no events have occurred in the past 6 hours. The Alert logic allows me to specify the Event Level, the Status and who/what the event was initiated by – but if I configure this wrongly then the alert won’t detect anything. For example, one of the Event Level options is “Critical”, but if I choose this then the alert will never trigger, because Microsoft don’t classify the “Create or Update Public Ip Address” event as critical.
It’s worth performing the event you want to monitor before configuring the alert, so that when you get to this stage you can double check that it’s detected correctly. In this case the event level is “Informational”, I’m interested in a status of “Succeeded”, and I don’t care who or how the event was initiated. I know that I have it set correctly because I can see from the chart that I created a public IP address yesterday.
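The point about getting the Event Level and Status right is easy to check offline. The following is an added example, not code from the original post or from Azure: a small matcher that mirrors the “all of these fields equal these values” condition an Activity Log alert evaluates, run over constructed sample Activity Log events. The operation name `Microsoft.Network/publicIPAddresses/write` is the one the portal lists as “Create or Update Public Ip Address”; the sample events, callers and resource names are made up, and the case-insensitive comparison is my choice so that casing differences in operation names do not cause silent misses.

```python
"""Offline check of the "signal logic" for a public IP creation alert.

Added example (not Azure's alert engine): a matcher in the shape of the
allOf / field / equals condition an Activity Log alert uses, so the
Event Level and Status choices can be sanity-checked against sample
events without waiting for the portal's 6-hour chart.
"""

# Operation shown in the portal as "Create or Update Public Ip Address".
PUBLIC_IP_WRITE = "Microsoft.Network/publicIPAddresses/write"


def public_ip_condition(level="Informational", status="Succeeded"):
    """Condition block for the alert: every clause must match.

    level/status are the portal's "Event Level" and "Status" choices. The
    post leaves "initiated by" unset, so no caller clause is added.
    """
    return {
        "allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": PUBLIC_IP_WRITE},
            {"field": "level", "equals": level},
            {"field": "status", "equals": status},
        ]
    }


def matches(condition, event):
    """True when every allOf clause equals the event's field.

    Comparison is case-insensitive (my choice for this example) so that a
    differently cased operation name does not make the rule miss silently.
    """
    for clause in condition["allOf"]:
        actual = str(event.get(clause["field"], ""))
        if actual.lower() != clause["equals"].lower():
            return False
    return True


def matching_events(condition, events):
    """Events the alert rule would fire on."""
    return [e for e in events if matches(condition, e)]


def creators(condition, events):
    """Callers who created public IPs: the first thing a responder wants."""
    return sorted({e["caller"] for e in matching_events(condition, events)})


# Constructed sample Activity Log events (not real tenant data), reduced to
# the fields the condition reads. A successful create typically appears as a
# Started event followed by a Succeeded one for the same resource.
SAMPLE_EVENTS = [
    {"category": "Administrative", "operationName": PUBLIC_IP_WRITE,
     "level": "Informational", "status": "Started",
     "caller": "alice@example.com", "resourceId": "publicIPAddresses/pip-web"},
    {"category": "Administrative", "operationName": PUBLIC_IP_WRITE,
     "level": "Informational", "status": "Succeeded",
     "caller": "alice@example.com", "resourceId": "publicIPAddresses/pip-web"},
    # A failed attempt: level Error, status Failed. The rule should ignore it.
    {"category": "Administrative", "operationName": PUBLIC_IP_WRITE,
     "level": "Error", "status": "Failed",
     "caller": "bob@example.com", "resourceId": "publicIPAddresses/pip-bad"},
    # Deleting a public IP is a different operation name.
    {"category": "Administrative",
     "operationName": "Microsoft.Network/publicIPAddresses/delete",
     "level": "Informational", "status": "Succeeded",
     "caller": "alice@example.com", "resourceId": "publicIPAddresses/pip-old"},
    # An unrelated Succeeded write from another resource provider.
    {"category": "Administrative",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "level": "Informational", "status": "Succeeded",
     "caller": "carol@example.com", "resourceId": "virtualMachines/vm1"},
]

if __name__ == "__main__":
    good = public_ip_condition()
    print("Informational/Succeeded matches:", len(matching_events(good, SAMPLE_EVENTS)))
    print("created by:", creators(good, SAMPLE_EVENTS))
    # The misconfiguration described in the post: Critical never matches.
    bad = public_ip_condition(level="Critical")
    print("Critical matches:", len(matching_events(bad, SAMPLE_EVENTS)))
```

Run as a script it reports one match (the Succeeded write, not the Started one, the failed one or the delete) for the Informational/Succeeded setting the post arrives at, and zero matches for the “Critical” setting, which is exactly the silent failure the chart in the portal is there to catch.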
Select “Done” from the bottom of the Alert logic tab.
Next, back in the Create rule dialogue, we need to create an action group by selecting “Create action group”:
A single action group can contain many actions – in this instance we will create an action group containing a single action which will be to email me. I have filled in the various boxes and selected the action type of “Email/SMS/Push/Voice” and then enabled the email option.
Now select “OK” on the “Email/SMS/Push/Voice” dialogue, and then “OK” on the “Add action group” dialogue also.
Finally complete the Alert Details at the bottom of the “Create rule” dialogue and then select “Create alert rule”:
Once completed you can see the alert in the list of alert rules:
Now finally we can test it by creating a public IP address.
And then checking the email…