steampipe plugin install azure

Table: azure_virtual_network - Query Azure Virtual Networks using SQL

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It enables many types of Azure resources, such as Azure Virtual Machines (VMs), to communicate securely with each other, with the internet, and with on-premises networks. An Azure virtual network is similar to a traditional network that you would operate in your own data center, but brings the additional benefits of Azure's infrastructure such as scale, availability, and isolation.

Table Usage Guide

The azure_virtual_network table provides detailed information about each virtual network within an Azure subscription. As a network administrator, cloud architect, or security engineer, you can use this table to gather data about the subnets, address prefixes, peerings, and DDoS/VM protection settings of each virtual network. This information can be used to monitor network usage, plan for capacity, and verify that the network is configured correctly for your applications' requirements.

Examples

List of virtual networks where DDoS (Distributed Denial of Service) Protection is not enabled

Identify virtual networks that do not have DDoS protection enabled (enable_ddos_protection is false). These are the networks to prioritize for security enhancement and risk mitigation.

Postgres:

select
  name,
  enable_ddos_protection,
  region,
  resource_group
from
  azure_virtual_network
where
  not enable_ddos_protection;

SQLite:

select
  name,
  enable_ddos_protection,
  region,
  resource_group
from
  azure_virtual_network
where
  enable_ddos_protection is not 1;

CIDR list for each virtual network

List the address blocks (CIDR prefixes) reserved for each virtual network, one row per prefix. This gives a clear view of the network's structure and helps with network planning and management, for example when checking for overlapping ranges before peering.

Postgres:

select
  name,
  jsonb_array_elements_text(address_prefixes) as address_block
from
  azure_virtual_network;

SQLite:

select
  name,
  json_each.value as address_block
from
  azure_virtual_network,
  json_each(azure_virtual_network.address_prefixes);

List virtual networks with public CIDR blocks

Find virtual networks whose address blocks fall outside the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). A public range assigned to a VNet is worth reviewing, because it may collide with real internet routes or indicate an intentional but unusual design. Note that the check must use the cidr containment operator (<<=) against the whole private range: comparing for equality against a single block such as 10.0.0.0/16 would wrongly report 10.1.0.0/16 as public.

Postgres:

select
  name,
  cidr_block,
  region,
  resource_group
from
  azure_virtual_network
  cross join jsonb_array_elements_text(address_prefixes) as cidr_block
where
  -- a block is private if it is contained in (<<=) one of the RFC 1918 ranges
  not cidr_block :: cidr <<= '10.0.0.0/8'
  and not cidr_block :: cidr <<= '172.16.0.0/12'
  and not cidr_block :: cidr <<= '192.168.0.0/16';

SQLite:

Error: SQLite does not support CIDR operations.
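The following is an added example, not a query from the Steampipe documentation or plugin. It shows the containment check above carried further: every prefix of every virtual network is classified as RFC 1918, shared address space (CGNAT, 100.64.0.0/10), IPv6 unique local (fc00::/7) or public, which separates "not RFC 1918" from "actually routable". The vnets CTE is constructed sample data in the shape of the azure_virtual_network columns (the names, regions and prefixes are made up) so the statement runs on any Postgres instance; against a live Steampipe database, drop the CTE and select from azure_virtual_network instead.

```sql
-- Added example (not from the Steampipe docs): classify each address block of a
-- virtual network by containment (<<=) rather than equality.
-- "vnets" is constructed sample data shaped like azure_virtual_network.
with vnets (name, region, resource_group, address_prefixes) as (
  values
    ('vnet-hub',   'eastus',      'rg-net',  '["10.0.0.0/16"]'::jsonb),
    ('vnet-spoke', 'eastus',      'rg-net',  '["10.1.0.0/16", "172.16.8.0/24"]'::jsonb),
    ('vnet-edge',  'westus2',     'rg-edge', '["172.32.0.0/16"]'::jsonb),   -- adjacent to 172.16/12 but public
    ('vnet-cgnat', 'westus2',     'rg-edge', '["100.64.0.0/10"]'::jsonb),   -- shared address space, not RFC 1918
    ('vnet-dual',  'northeurope', 'rg-app',  '["192.168.0.0/24", "fd00:1234::/48", "2001:db8::/32"]'::jsonb)
),
blocks as (
  -- one row per (vnet, prefix); the text prefix is cast to cidr so the
  -- network operators apply
  select
    v.name,
    v.region,
    v.resource_group,
    p::cidr as address_block
  from vnets v
  cross join jsonb_array_elements_text(v.address_prefixes) as p
)
select
  name,
  region,
  resource_group,
  address_block,
  case
    when address_block <<= '10.0.0.0/8'::cidr
      or address_block <<= '172.16.0.0/12'::cidr
      or address_block <<= '192.168.0.0/16'::cidr then 'rfc1918'
    when address_block <<= '100.64.0.0/10'::cidr then 'cgnat'
    when address_block <<= 'fc00::/7'::cidr      then 'ipv6-ula'
    else 'public'
  end as address_class
from blocks
order by name, address_block;
```

With the sample rows, vnet-hub and vnet-spoke come out entirely rfc1918, vnet-edge and the 2001:db8::/32 block of vnet-dual are public, 100.64.0.0/10 is cgnat and fd00:1234::/48 is ipv6-ula. Containment across address families is false in Postgres, so the IPv4 ranges never match IPv6 prefixes and vice versa. Appending where address_class = 'public' to the final select gives the hardened form of the page's query.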

Subnet details associated with the virtual network

List the subnets of each virtual network with their address prefix, private endpoint and private link service network policies, service endpoints, and associated route table. This is useful for network management and troubleshooting, and for spotting subnets whose traffic is steered by a custom route table.

Postgres:

select
  name,
  subnet ->> 'name' as subnet_name,
  subnet -> 'properties' ->> 'addressPrefix' as address_prefix,
  subnet -> 'properties' ->> 'privateEndpointNetworkPolicies' as private_endpoint_network_policies,
  subnet -> 'properties' ->> 'privateLinkServiceNetworkPolicies' as private_link_service_network_policies,
  subnet -> 'properties' ->> 'serviceEndpoints' as service_endpoints,
  -- the route table is referenced by its Azure resource id (routeTable.id in the
  -- Azure API; a bare id string is also accepted); the name is the 9th '/'-separated
  -- segment: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/routeTables/{name}
  split_part(
    coalesce(subnet -> 'properties' -> 'routeTable' ->> 'id',
             subnet -> 'properties' ->> 'routeTable'),
    '/', 9) as route_table
from
  azure_virtual_network
  cross join jsonb_array_elements(subnets) as subnet;

SQLite:

Error: SQLite does not support split_part function.
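The following is an added example, not a query from the Steampipe documentation or plugin. It expands the subnets JSON one level further than the query above: one row per subnet and per service endpoint (a left join lateral keeps subnets that have none), the route table name pulled out of its resource id, and a flag for subnets with no route table at all. The vnets CTE is constructed sample data shaped like the azure_virtual_network.subnets column; the subscription id, names and prefixes are made up, and the routeTable value is assumed to be an object carrying the route table's resource id, as the Azure REST API returns it. Against a live Steampipe database, drop the CTE and select from azure_virtual_network.

```sql
-- Added example (not from the Steampipe docs): flatten subnets and their service
-- endpoints. "vnets" is constructed sample data shaped like the subnets column.
with vnets (name, subnets) as (
  values
    ('vnet-hub', '[
      {"name": "GatewaySubnet",
       "properties": {"addressPrefix": "10.0.0.0/27"}},
      {"name": "snet-app",
       "properties": {
         "addressPrefix": "10.0.1.0/24",
         "privateEndpointNetworkPolicies": "Disabled",
         "privateLinkServiceNetworkPolicies": "Enabled",
         "routeTable": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/routeTables/rt-app"},
         "serviceEndpoints": [
           {"service": "Microsoft.Storage",  "locations": ["eastus"]},
           {"service": "Microsoft.KeyVault", "locations": ["*"]}
         ]}}
    ]'::jsonb)
),
subnet_rows as (
  select
    v.name as vnet_name,
    s ->> 'name' as subnet_name,
    s -> 'properties' ->> 'addressPrefix' as address_prefix,
    s -> 'properties' ->> 'privateEndpointNetworkPolicies' as private_endpoint_network_policies,
    -- accept either an object {"id": ...} or a bare id string for routeTable
    coalesce(s -> 'properties' -> 'routeTable' ->> 'id',
             s -> 'properties' ->> 'routeTable') as route_table_id,
    -- subnets without endpoints get an empty array so the lateral join still works
    coalesce(s -> 'properties' -> 'serviceEndpoints', '[]'::jsonb) as service_endpoints
  from vnets v
  cross join jsonb_array_elements(v.subnets) as s
)
select
  vnet_name,
  subnet_name,
  address_prefix,
  private_endpoint_network_policies,
  -- 9th '/'-separated segment of the resource id is the route table name; NULL when absent
  split_part(route_table_id, '/', 9) as route_table,
  route_table_id is null as no_route_table,
  e ->> 'service' as service_endpoint,
  e -> 'locations' as service_endpoint_locations
from subnet_rows
left join lateral jsonb_array_elements(service_endpoints) as e on true
order by vnet_name, subnet_name, service_endpoint nulls first;
```

With the sample data this yields three rows: GatewaySubnet with no route table and no service endpoint, and snet-app twice (Microsoft.Storage and Microsoft.KeyVault), both with route_table = rt-app. The coalesce on routeTable means the extraction does not break if the column carries a plain id string instead of an object.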

Schema for azure_virtual_network

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
address_prefixes | jsonb | | A list of address blocks reserved for this virtual network in CIDR notation
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
cloud_environment | text | | The Azure Cloud Environment.
enable_ddos_protection | boolean | | Indicates if DDoS protection is enabled for all the protected resources in the virtual network
enable_vm_protection | boolean | | Indicates if VM protection is enabled for all the subnets in the virtual network
etag | text | | A unique read-only string that changes whenever the resource is updated
id | text | | Contains ID to identify a virtual network uniquely
name | text | = | The friendly name that identifies the virtual network
network_peerings | jsonb | | A list of peerings in a Virtual Network
provisioning_state | text | | The provisioning state of the virtual network resource
region | text | | The Azure region/location in which the resource is located.
resource_group | text | = | The resource group which holds this resource.
resource_guid | text | | The resourceGuid property of the Virtual Network resource
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
subnets | jsonb | | A list of subnets in a Virtual Network
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
type | text | | Type of the resource

Export

This table is also available through a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_virtual_network