Network Watchers Not Provisioned
More Info:
Ensure that Network Watcher service is enabled and Network Watchers are provisioned within your Azure account subscriptions to help you monitor and diagnose various conditions at the network level. Microsoft Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources within a virtual network.
Risk Level: Medium
Address: Security
Compliance Standards: CISAZURE, CBP, SOC2, ISO27001, HIPAA, GDPR, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of “Network Watchers Not Provisioned” in Azure using the Azure console, please follow the below steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Select the subscription where the issue is occurring.
- Navigate to the “Network Watcher” service.
- Select the “Network Watchers” option from the left-hand menu.
- Click on the “Add” button to create a new Network Watcher.
- In the “Basics” tab, provide a name for the Network Watcher and select the region where you want to deploy it.
- In the “Review + create” tab, review the settings, and click on the “Create” button to create the Network Watcher.
- Once the Network Watcher is created, navigate to the “Virtual Network” service.
- Select the virtual network where you want to enable Network Watcher.
- Click on the “Network Watcher” option from the left-hand menu.
- Select the “Configure” option and enable the Network Watcher.
- Once the Network Watcher is enabled, you can use it to monitor and diagnose your virtual network.
By following the above steps, you can remediate the misconfiguration of “Network Watchers Not Provisioned” in Azure using the Azure console.
To remediate the “Network Watchers Not Provisioned” misconfiguration in Azure using Azure CLI, follow these steps:
1. Open the Azure CLI on your local machine or in the Azure portal.
2. Log in to your Azure account using the command:
   ```bash
   az login
   ```
3. Check if the Network Watcher is already provisioned in your Azure subscription using the command:
   ```bash
   az network watcher list --output table
   ```
4. If the Network Watcher is not provisioned, create it using the command (the CLI provisions Network Watchers through `configure`; it takes a region and a resource group, not a watcher name):
   ```bash
   az network watcher configure --resource-group <resource-group-name> --locations <location> --enabled true
   ```
   Replace `<resource-group-name>` with the name of the resource group that will contain the Network Watcher and `<location>` with the location where you want to create the Network Watcher.
5. Network Watcher is enabled per region, so to cover a specific virtual network, enable it for the region of that virtual network using the command:
   ```bash
   az network watcher configure --locations <location> --enabled true --resource-group <resource-group-name>
   ```
   Replace `<location>` with the location where the virtual network is located and `<resource-group-name>` with the name of the resource group that contains the Network Watcher from step 4. `--locations` accepts several space-separated regions.
6. Verify that the Network Watcher is now provisioned and enabled using the command:
   ```bash
   az network watcher list --query "[?location=='<location>']" --output table
   ```
   Replace `<location>` with the location you enabled. The Network Watcher for that region should be listed with a provisioning state of `Succeeded`.
7. Repeat steps 5 and 6 for the region of each virtual network that you want to enable Network Watcher on.
Once you have completed these steps, you should have remediated the “Network Watchers Not Provisioned” misconfiguration in Azure using Azure CLI.
To remediate the misconfiguration “Network Watchers Not Provisioned” in Azure using Python, follow these steps:
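- Import the necessary libraries:
  ```python
  # Current azure-mgmt-network releases authenticate through azure-identity;
  # the older azure.common.credentials classes are not accepted by them.
  from azure.identity import ClientSecretCredential
  from azure.mgmt.network import NetworkManagementClient
  ```
- Authenticate with Azure using a Service Principal:
  ```python
  # Placeholders only: load the real values from the environment or a secret
  # store rather than keeping them in source code.
  TENANT_ID = '<your-tenant-id>'
  CLIENT_ID = '<your-client-id>'
  CLIENT_SECRET = '<your-client-secret>'
  SUBSCRIPTION_ID = '<your-subscription-id>'
  credentials = ClientSecretCredential(
      tenant_id=TENANT_ID,
      client_id=CLIENT_ID,
      client_secret=CLIENT_SECRET
  )
  ```
- Create a Network Management client object:
  ```python
  network_client = NetworkManagementClient(
      credential=credentials,
      subscription_id=SUBSCRIPTION_ID
  )
  ```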
- Check if Network Watchers are provisioned:
  ```python
  # list_all() covers the whole subscription; list() requires a resource group name.
  watchers = list(network_client.network_watchers.list_all())
  if len(watchers) == 0:
      print("No Network Watchers are provisioned in the subscription")
  else:
      print("Network Watchers are provisioned in the subscription")
  ```
- If Network Watchers are not provisioned, create a new Network Watcher:
  ```python
  WATCHER_RG_NAME = '<your-watcher-resource-group-name>'
  WATCHER_NAME = '<your-watcher-name>'
  WATCHER_LOCATION = '<your-watcher-location>'
  watcher_params = {
      'location': WATCHER_LOCATION
  }
  watcher = network_client.network_watchers.create_or_update(
      resource_group_name=WATCHER_RG_NAME,
      network_watcher_name=WATCHER_NAME,
      parameters=watcher_params
  )
  print("Network Watcher created with name '{}'".format(watcher.name))
  ```
- Verify that Network Watchers are now provisioned:
  ```python
  # list_all() covers the whole subscription; list() requires a resource group name.
  watchers = list(network_client.network_watchers.list_all())
  if len(watchers) == 0:
      print("No Network Watchers are provisioned in the subscription")
  else:
      print("Network Watchers are provisioned in the subscription")
  ```
Once you have completed these steps, the “Network Watchers Not Provisioned” misconfiguration should be remediated in Azure.
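The check above only reports whether the subscription has at least one Network Watcher, while Network Watcher is a regional resource. The following added example (not part of the original page) compares virtual network regions against watcher regions and reports the gaps; the sample records are constructed, and the `name`, `location` and `provisioningState` fields are assumed to match the JSON printed by `az network vnet list` and `az network watcher list`.

```python
import json

# Constructed sample data shaped like the JSON printed by
# `az network vnet list` and `az network watcher list`.
SAMPLE_VNETS = json.loads("""[
  {"name": "vnet-app",  "location": "eastus"},
  {"name": "vnet-data", "location": "westeurope"},
  {"name": "vnet-dr",   "location": "West US 2"},
  {"name": "vnet-lab",  "location": "centralindia"}
]""")
SAMPLE_WATCHERS = json.loads("""[
  {"name": "NetworkWatcher_eastus", "location": "eastus",
   "provisioningState": "Succeeded"},
  {"name": "NetworkWatcher_westus2", "location": "westus2",
   "provisioningState": "Succeeded"},
  {"name": "NetworkWatcher_centralindia", "location": "centralindia",
   "provisioningState": "Failed"}
]""")


def normalize_region(location):
    """Treat display names ('West US 2') and short names ('westus2') alike."""
    return "".join(location.split()).lower()


def uncovered_regions(vnets, watchers):
    """Map each region that hosts virtual networks but has no successfully
    provisioned Network Watcher to the names of the affected networks."""
    covered = {
        normalize_region(w["location"])
        for w in watchers
        if w.get("provisioningState", "").lower() == "succeeded"
    }
    gaps = {}
    for vnet in vnets:
        region = normalize_region(vnet["location"])
        if region not in covered:
            gaps.setdefault(region, []).append(vnet["name"])
    return gaps


if __name__ == "__main__":
    gaps = uncovered_regions(SAMPLE_VNETS, SAMPLE_WATCHERS)
    for region, names in sorted(gaps.items()):
        print(f"{region}: no Network Watcher for {', '.join(names)}")
```

A watcher whose provisioning failed is treated as missing, so its region is still reported.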