Which subnet has Service Endpoint (and VM)?

The Service Endpoint vs. Private Endpoint debate is a never-ending story. I believe both have their place in the Azure ecosystem, and I use both, as each has its own advantages and disadvantages. In this article, I will share a KQL query that helps you identify subnets where a Service Endpoint is enabled and a network interface exists at the same time.

From an IT security perspective, it is important to know which subnets have Service Endpoints enabled. Resources in these subnets can bypass the central firewall and potentially reach storage accounts anywhere in the world.

// Subnets that have at least one Service Endpoint enabled
Resources
| where type =~ 'microsoft.network/virtualnetworks'
| mv-expand subnet = properties.subnets
| extend subnetId = tostring(subnet.id),
         subnetName = tostring(subnet.name),
         serviceEndpoints = todynamic(subnet.properties.serviceEndpoints)
| mv-expand se = serviceEndpoints
| extend service = tostring(se.service)
| where isnotempty(service)
| project subscriptionId, resourceGroup, virtualNetwork = name, subnetName, subnetId, service
// ...joined with the subnets that actually contain a network interface
| join kind=inner (
    Resources
    | where type =~ 'microsoft.network/networkinterfaces'
    | mv-expand ipconfig = properties.ipConfigurations
    | extend subnetId = tostring(ipconfig.properties.subnet.id)
    | where isnotempty(subnetId)
    | summarize nicCount = count(), exampleNic = any(name) by subnetId
) on subnetId
// One row per subnet, listing every enabled service
| summarize services = make_set(service), nicCount = any(nicCount), exampleNic = any(exampleNic)
    by subscriptionId, resourceGroup, virtualNetwork, subnetName, subnetId
| order by resourceGroup, virtualNetwork, subnetName asc

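As an added example (not the author's code), the Python below reproduces the query's join and aggregation offline over constructed VNet and NIC documents shaped like Resource Graph output. It goes one step beyond the query: it also keeps subnets whose Service Endpoints have no NIC at all (the inner join drops those), since an unused endpoint is a candidate for removal, and it compares resource ids case-insensitively. The ids, names and subscription are made up for the sample.

```python
from collections import defaultdict

# Constructed sample ids; the second NIC deliberately carries the id in a
# different casing, as can happen when resources were created by different tools.
def subnet_id(name, rg="rg-net", vnet="vnet-prod"):
    return (f"/subscriptions/sub-1/resourceGroups/{rg}/providers/"
            f"Microsoft.Network/virtualNetworks/{vnet}/subnets/{name}")

VNETS = [{"name": "vnet-prod", "subscriptionId": "sub-1", "resourceGroup": "rg-net",
          "properties": {"subnets": [
              {"id": subnet_id("app"), "name": "app", "properties": {"serviceEndpoints": [
                  {"service": "Microsoft.Storage", "locations": ["westeurope"]},
                  {"service": "Microsoft.KeyVault", "locations": ["*"]}]}},
              {"id": subnet_id("db"), "name": "db", "properties": {"serviceEndpoints": [
                  {"service": "Microsoft.Sql", "locations": ["westeurope"]}]}},
              {"id": subnet_id("mgmt"), "name": "mgmt", "properties": {}}]}}]
NICS = [{"name": "nic-app-01", "properties": {"ipConfigurations": [
             {"properties": {"subnet": {"id": subnet_id("app")}}}]}},
        {"name": "nic-app-02", "properties": {"ipConfigurations": [
             {"properties": {"subnet": {"id": subnet_id("app").upper()}}}]}},
        {"name": "nic-mgmt-01", "properties": {"ipConfigurations": [
             {"properties": {"subnet": {"id": subnet_id("mgmt")}}}]}}]

def service_endpoint_subnets(vnets, nics):
    """Map subnetId -> report row for every subnet with at least one Service
    Endpoint. Unlike the inner join in the KQL, subnets without any NIC are
    kept (nicCount 0), because an unused endpoint should be reviewed too."""
    nics_by_subnet = defaultdict(list)
    for nic in nics:
        for cfg in nic["properties"].get("ipConfigurations", []):
            sid = cfg.get("properties", {}).get("subnet", {}).get("id")
            if sid:  # Azure resource ids are case-insensitive: normalise before joining
                nics_by_subnet[sid.lower()].append(nic["name"])
    report = {}
    for vnet in vnets:
        for sn in vnet["properties"].get("subnets", []):
            services = sorted({se["service"] for se in
                               sn.get("properties", {}).get("serviceEndpoints", [])})
            if not services:
                continue  # no Service Endpoint here, so the central firewall is not bypassed
            key = sn["id"].lower()
            attached = nics_by_subnet.get(key, [])
            report[key] = {"subscriptionId": vnet["subscriptionId"],
                           "resourceGroup": vnet["resourceGroup"],
                           "virtualNetwork": vnet["name"], "subnetName": sn["name"],
                           "services": services, "nicCount": len(attached),
                           "exampleNic": attached[0] if attached else None}
    return report
```

Rows with nicCount 0 are the ones the original query hides; rows with nicCount > 0 match its output.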
This post is licensed under CC BY 4.0 by the author.