NQE - Find Azure VNETs that are Not Modeled

  • 22 January 2024

Azure VNet peering and Global VNet peering route the subnets of each VNet as defined by the VNet routing table. In some cases the Cloud Account configured in the Forward Networks platform does not have permission to enumerate all the necessary VNets. One then needs to update the Microsoft Azure subscriptions' service principals to include the missing VNets.

But how does one find the VNets that are not modeled yet are referenced by other VNets? NQE, of course.

The method of finding missing VNets is fairly straightforward and mirrors the widely used "check for missing next hop route peers" NQE query.

/**
 * @intent List VPCs / Microsoft Azure VNets that are not modeled.
 * @description The Microsoft subscriptions need to be added to the service principal. See the VPC / VNet values in the destinationVpcId column.
 */

// Every VPC / VNet the configured cloud accounts were able to collect.
idsOfCollectedVpcs =
  foreach cloudAccount in network.cloudAccounts
  foreach vpc in cloudAccount.vpcs
  select distinct vpc.id;

// Report each peering whose destination VNet is not among the collected ones,
// and split its Azure resource ID into subscription / resource group / provider / VNet.
foreach cloudAccount in network.cloudAccounts
foreach vpc in cloudAccount.vpcs
foreach vpcPeering in vpc.vpcPeerings
where isPresent(vpcPeering.destinationVpcId)
where vpcPeering.destinationVpcId not in idsOfCollectedVpcs
let destinationVpcData = patternMatch(replace(vpcPeering.destinationVpcId, "/", " "),
  `subscriptions {subscription:string} resourceGroups {resourceGroup:string} providers {provider:string} virtualNetworks {virtualNetwork:string}`)
select {
  cloudAccountName: cloudAccount.name,
  vpcId: vpc.id,
  vpcPeeringId: vpcPeering.id,
  name: vpcPeering.name,
  tags: vpcPeering.tags,
  "** destinationVpcId **": vpcPeering.destinationVpcId,
  "Dest Subscription": destinationVpcData.subscription,
  "Dest Resource Group": destinationVpcData.resourceGroup,
  "Dest Provider": destinationVpcData.provider,
  "Dest Virtual Network": destinationVpcData.virtualNetwork
}

At the time of this post, the VPC / VNet ID values are not individually parsed, nor are the individual ID values queryable. Thanks to the FN NQE development team, who reminded me to use patternMatch to parse each value of the ID.

The first attempt, which does not work, parsed the VPC / VNet ID values with string manipulation using "replace". However, building CSV data or a list of records with "replace" only produces a longer string; it does NOT convert that string into a data set.

Example of what will NOT work. The NQE function "replace" converts a value to a string and does a literal find and replace; no regex manipulation is possible with "replace". The following results in one long string. This reference is kept for those who might think this method would work.

// Try to create the CSV Data - THIS DOES NOT WORK -
// """csv
// subscription,resourceGroups,providers,virtualNetworks
// <value>,<value>,<value>,value

// Parse out the variables
let destinationVPC = replace(replace(replace(replace(vpcPeering.destinationVpcId,"/subscriptions/",""), "/resourceGroups/", ","), "/providers/", ",") ,"/virtualNetworks/", ",")

// Add the csv wrapper and column headers at the beginning and end.
let destinationVPC = "\"\"\"csv \r subscription,resourceGroups,providers,virtualNetworks \r" + destinationVPC + "\r\"\"\";"

What DOES work, and parses the values, is the NQE function "patternMatch". This is the same function used to parse configuration matches. The first step is to replace each "/" in the ID with a space, so that patternMatch can treat every path segment of the ID as a separate token.

let destinationVpcData = patternMatch(replace(vpcPeering.destinationVpcId, "/", " "),
  `subscriptions {subscription:string} resourceGroups {resourceGroup:string} providers {provider:string} virtualNetworks {virtualNetwork:string}`)
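The same check as the NQE above, re-implemented in Python as an added example (not code from the post or from Forward Networks) so the ID parsing and the "not modeled" comparison can be run against constructed sample data. It also case-folds the IDs before comparing, because Azure returns the resourceGroups/providers segments of a resource ID with inconsistent letter case and an exact comparison can report a modeled VNet as missing; the sample VNet and subscription names are made up.

```python
import re
from typing import NamedTuple, Optional

# Layout of an Azure VNet resource ID, the same four values the NQE
# patternMatch pulls out. Matched case-insensitively: Azure treats the
# resourceGroups/providers segments as case-insensitive, so an exact
# "not in" comparison could flag a modeled VNet as missing.
VNET_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/virtualNetworks/(?P<virtual_network>[^/]+)$",
    re.IGNORECASE)

class VnetId(NamedTuple):
    subscription: str
    resource_group: str
    provider: str
    virtual_network: str

def parse_vnet_id(vnet_id: str) -> Optional[VnetId]:
    """Split a VNet ID into its path values; None if it is not a VNet ID."""
    m = VNET_ID_RE.match(vnet_id)
    return VnetId(**m.groupdict()) if m else None

def find_unmodeled_peerings(collected_vpc_ids, peerings):
    """Peerings whose destinationVpcId is not a modeled VNet (case-folded)."""
    modeled = {i.lower() for i in collected_vpc_ids}
    return [{**p, "dest": parse_vnet_id(p["destinationVpcId"])}
            for p in peerings
            if p.get("destinationVpcId") and p["destinationVpcId"].lower() not in modeled]

def missing_subscriptions(collected_vpc_ids, peerings):
    """Distinct subscriptions to add to the service principal."""
    found = find_unmodeled_peerings(collected_vpc_ids, peerings)
    return sorted({r["dest"].subscription for r in found if r["dest"]})

# Constructed sample input (not from the post): two modeled VNets, three peerings.
_P = "/providers/Microsoft.Network/virtualNetworks/"
MODELED = ["/subscriptions/sub-a/resourceGroups/rg1" + _P + "vnet1",
           "/subscriptions/sub-a/resourceGroups/rg1" + _P + "vnet2"]
PEERINGS = [
    {"vpcId": MODELED[0], "vpcPeeringId": "p1", "destinationVpcId": MODELED[1]},
    # same VNet, but returned with a differently cased resourceGroups segment
    {"vpcId": MODELED[1], "vpcPeeringId": "p2",
     "destinationVpcId": MODELED[0].replace("resourceGroups", "resourcegroups")},
    # peer in a subscription the cloud account cannot enumerate
    {"vpcId": MODELED[0], "vpcPeeringId": "p3",
     "destinationVpcId": "/subscriptions/sub-b/resourceGroups/rg9" + _P + "vnet9"},
]
```

Running `find_unmodeled_peerings(MODELED, PEERINGS)` reports only peering p3, and `missing_subscriptions` returns the one subscription (sub-b) that would have to be granted to the service principal.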

The output includes the source VNet and the next-hop VNet whenever the next hop is not known. The ID hyperlink displays additional data for analysis.

Let's use the old Forward Networks Demo snapshot that is typically used in demonstrations to see what the output looks like. Since these VNets have long since been retired, it is safe to show them unredacted.

Left Side of the NQE Output

Right Side of the NQE Output

The destinationVpcId is parsed into its individual values in the subsequent columns. The value in Dest Subscription needs to be added to the Cloud Account.

The vpcId (VNet) values are shown when clicking on the source VNet ID link. This information is useful to find and visualize the VNet on the map or to look it up in the Azure portal.

Click on the vpcId to see the VNet Details

Search for the Subscription ID

The second column hyperlink, vpcPeeringId, also brings up the pertinent information, including the remote peer subnet highlighted.

Click on the vpcPeeringId to see the Peering VNet Details

One could add this NQE as a check that evaluates each newly gathered snapshot and indicates a violation when it returns rows.

To see all cloud subnets, please search the Forward Networks NQE Community for the "Cloud Routes" NQE example.