Skip to content

feat(scanner): propose cross-service Azure Private Endpoint security pack #195

Description

@TFT444

Problem

OpenShield currently checks Key Vault private access in AZ-KV-002, but it has no consistent Private Endpoint coverage for other high-value Azure PaaS services. A private endpoint alone does not disable a service's public endpoint, so both connectivity and public-network state must be evaluated.

Existing coverage that will not be duplicated

  • AZ-KV-002: Key Vault public access without a private endpoint.
  • AZ-NET-007: Application Gateway WAF.

Proposed first-phase rules

Rule ID Check Severity
AZ-PE-001 Storage Account permits public access without required private endpoints HIGH
AZ-PE-002 Azure SQL logical server permits public access without a private endpoint HIGH
AZ-PE-003 PostgreSQL Flexible Server permits public access without private networking HIGH
AZ-PE-004 Web App or Function App permits public access without a private endpoint/access restriction HIGH
AZ-PE-005 Recovery Services vault permits public access without a private endpoint HIGH
AZ-PE-006 Private endpoint connection is pending, rejected, or disconnected MEDIUM

Maintainers should approve the AZ-PE prefix and supported-service boundary before implementation.

Design requirements

  • Evaluate service public-network controls and private endpoint connection state together.
  • Never assume that the presence of a private endpoint disables public access.
  • For Azure Storage, account for separate blob, file, queue, table, web, and DFS subresources without claiming complete isolation from one endpoint.
  • Use Azure SDK accessors with explicit successful-empty versus API-failure states.
  • Avoid false positives for service tiers that do not support Private Link; report unsupported tiers separately or skip with documented reasoning.
  • Validate connection status using exact provisioning/approval values.
  • Add service-specific metadata only; do not expose DNS configuration, IP addresses, secrets, or connection strings unnecessarily.

Out of scope

  • Key Vault, already covered by AZ-KV-002.
  • Creating private DNS records automatically.
  • Automatically disabling public access before private DNS and connectivity are validated.
  • Subnet NSG/UDR policy analysis, which should be a separate advanced networking phase.

Acceptance criteria

  • Maintainers approve the prefix and exact service list.
  • Every service rule documents supported tiers and required permissions.
  • A private endpoint with public access still enabled is evaluated correctly.
  • Storage subresource coverage is explicit and testable.
  • Compliant, non-compliant, unsupported-tier, unknown, and API-failure cases are tested.
  • Playbooks require explicit confirmation before connectivity changes.
  • Full repository CI and security checks pass.
  • No implementation begins before approval.

References

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
🔨 In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions