Problem
OpenShield currently checks Key Vault private access in AZ-KV-002, but it has no consistent Private Endpoint coverage for other high-value Azure PaaS services. A private endpoint alone does not disable a service's public endpoint, so both connectivity and public-network state must be evaluated.
Existing coverage that will not be duplicated
AZ-KV-002: Key Vault public access without a private endpoint.
AZ-NET-007: Application Gateway WAF.
Proposed first-phase rules
| Rule ID |
Check |
Severity |
AZ-PE-001 |
Storage Account permits public access without required private endpoints |
HIGH |
AZ-PE-002 |
Azure SQL logical server permits public access without a private endpoint |
HIGH |
AZ-PE-003 |
PostgreSQL Flexible Server permits public access without private networking |
HIGH |
AZ-PE-004 |
Web App or Function App permits public access without a private endpoint/access restriction |
HIGH |
AZ-PE-005 |
Recovery Services vault permits public access without a private endpoint |
HIGH |
AZ-PE-006 |
Private endpoint connection is pending, rejected, or disconnected |
MEDIUM |
Maintainers should approve the AZ-PE prefix and supported-service boundary before implementation.
Design requirements
- Evaluate service public-network controls and private endpoint connection state together.
- Never assume that the presence of a private endpoint disables public access.
- For Azure Storage, account for separate blob, file, queue, table, web, and DFS subresources without claiming complete isolation from one endpoint.
- Use Azure SDK accessors with explicit successful-empty versus API-failure states.
- Avoid false positives for service tiers that do not support Private Link; report unsupported tiers separately or skip with documented reasoning.
- Validate connection status using exact provisioning/approval values.
- Add service-specific metadata only; do not expose DNS configuration, IP addresses, secrets, or connection strings unnecessarily.
Out of scope
- Key Vault, already covered by
AZ-KV-002.
- Creating private DNS records automatically.
- Automatically disabling public access before private DNS and connectivity are validated.
- Subnet NSG/UDR policy analysis, which should be a separate advanced networking phase.
Acceptance criteria
References
Problem
OpenShield currently checks Key Vault private access in
AZ-KV-002, but it has no consistent Private Endpoint coverage for other high-value Azure PaaS services. A private endpoint alone does not disable a service's public endpoint, so both connectivity and public-network state must be evaluated.Existing coverage that will not be duplicated
AZ-KV-002: Key Vault public access without a private endpoint.AZ-NET-007: Application Gateway WAF.Proposed first-phase rules
AZ-PE-001AZ-PE-002AZ-PE-003AZ-PE-004AZ-PE-005AZ-PE-006Maintainers should approve the
AZ-PEprefix and supported-service boundary before implementation.Design requirements
Out of scope
AZ-KV-002.Acceptance criteria
References