
[Feature] Add support for Azure Firewall, Public IPs, and VM network relationships

Open kunaals opened this issue 2 weeks ago • 0 comments

Summary

Extend Azure networking support in Cartography to include Azure Firewall, Public IP addresses, and complete VM-to-network relationships. Currently, Cartography ingests VMs, VNets, Subnets, and NSGs, but lacks the full network path from VMs through NICs to public IPs and Azure Firewall configurations.

Motivation

Understanding the complete network topology and exposure of Azure VMs is critical for security analysis. The current Azure module captures VMs and some network resources, but misses key components needed to answer questions like:

  • Which VMs have public IP addresses?
  • What firewall rules protect my workloads?
  • What is the full network path from internet to VM?

By adding these resources, Cartography can surface:

  • VMs with direct public IP exposure
  • Azure Firewall rules and their application
  • Network interface configurations and IP assignments
  • Complete VM → NIC → Subnet → NSG → Public IP relationships
  • Firewall policy rules and threat intelligence configurations

This unlocks graph-based security analysis such as:

  • Identifying VMs directly exposed to the internet
  • Auditing firewall rule coverage
  • Detecting VMs without NSG protection
  • Mapping network attack paths to compute resources
  • Tracking public IP allocations across subscriptions

Proposed Solution

Extend the Azure intel module to add the following:

New Nodes:

  • AzureFirewall - Azure Firewall instances
  • AzureFirewallPolicy - Firewall policies
  • AzureFirewallRule - Individual firewall rules (NAT, Network, Application)
  • AzurePublicIPAddress - Public IP addresses
  • AzureNetworkInterface - Network interfaces

New Relationships:

  • (:AzureSubscription)-[:RESOURCE]->(:AzureFirewall)
  • (:AzureFirewall)-[:USES_POLICY]->(:AzureFirewallPolicy)
  • (:AzureFirewallPolicy)-[:HAS_RULE]->(:AzureFirewallRule)
  • (:AzureFirewall)-[:IN_SUBNET]->(:AzureSubnet)
  • (:AzureSubscription)-[:RESOURCE]->(:AzurePublicIPAddress)
  • (:AzureNetworkInterface)-[:HAS_PUBLIC_IP]->(:AzurePublicIPAddress)
  • (:AzureNetworkInterface)-[:PART_OF_SUBNET]->(:AzureSubnet)
  • (:AzureVirtualMachine)-[:HAS_NIC]->(:AzureNetworkInterface)
  • (:AzureNetworkInterface)-[:PROTECTED_BY]->(:AzureNetworkSecurityGroup)

Enhance existing nodes:

  • Add NSG security rules as properties or sub-nodes on AzureNetworkSecurityGroup

Azure APIs to integrate:

  • NetworkManagementClient.azure_firewalls.list_all()
  • NetworkManagementClient.firewall_policies.list_all()
  • NetworkManagementClient.public_ip_addresses.list_all()
  • NetworkManagementClient.network_interfaces.list_all()
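As an added example (not Cartography's own code and not part of this issue), the Python below sketches the transform step the proposal implies: it flattens constructed NIC and Public IP records, shaped like the `as_dict()` output of the `azure-mgmt-network` models that `network_interfaces.list_all()` and `public_ip_addresses.list_all()` return, into flat node records and `(source, REL, target)` triples for the proposed `HAS_NIC`, `PROTECTED_BY`, `PART_OF_SUBNET` and `HAS_PUBLIC_IP` relationships, then answers two of the motivating questions offline. The subscription id, resource names, addresses and all function names are constructed assumptions.

```python
# Added example (not Cartography's code): flatten constructed Azure NIC and Public IP
# records into the node/relationship records the proposal sketches, then query them.
from typing import Any, Optional

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id


def _rid(resource_type: str, name: str) -> str:
    """Build a constructed ARM resource id under the sample subscription."""
    return f"/subscriptions/{SUB}/resourceGroups/rg-demo/providers/{resource_type}/{name}"


# Constructed sample data shaped like azure-mgmt-network as_dict() output. nic-web fronts an
# internet-facing VM; nic-db has neither a NIC-level NSG nor a public IP. ARM ids arrive
# with inconsistent casing in practice, which the upper-cased public IP reference mimics.
SAMPLE_NICS: list[dict[str, Any]] = [
    {"id": _rid("Microsoft.Network/networkInterfaces", "nic-web"), "name": "nic-web",
     "virtual_machine": {"id": _rid("Microsoft.Compute/virtualMachines", "vm-web")},
     "network_security_group": {"id": _rid("Microsoft.Network/networkSecurityGroups", "nsg-web")},
     "ip_configurations": [{"private_ip_address": "10.0.1.4",
                            "subnet": {"id": _rid("Microsoft.Network/virtualNetworks", "vnet-demo/subnets/web")},
                            "public_ip_address": {"id": _rid("Microsoft.Network/publicIPAddresses", "pip-web").upper()}}]},
    {"id": _rid("Microsoft.Network/networkInterfaces", "nic-db"), "name": "nic-db",
     "virtual_machine": {"id": _rid("Microsoft.Compute/virtualMachines", "vm-db")},
     "network_security_group": None,  # no NIC-level NSG
     "ip_configurations": [{"private_ip_address": "10.0.2.4",
                            "subnet": {"id": _rid("Microsoft.Network/virtualNetworks", "vnet-demo/subnets/db")},
                            "public_ip_address": None}]},
]

SAMPLE_PUBLIC_IPS: list[dict[str, Any]] = [
    {"id": _rid("Microsoft.Network/publicIPAddresses", "pip-web"), "name": "pip-web",
     "ip_address": "203.0.113.10", "public_ip_allocation_method": "Static", "sku": {"name": "Standard"}},
    # Dynamic public IP not attached to anything yet: Azure has assigned no address.
    {"id": _rid("Microsoft.Network/publicIPAddresses", "pip-idle"), "name": "pip-idle",
     "ip_address": None, "public_ip_allocation_method": "Dynamic", "sku": {"name": "Basic"}},
]


def _ref_id(ref: Optional[dict[str, Any]]) -> Optional[str]:
    """Lower-cased id of an SDK sub-resource reference, or None when absent.
    ARM ids are case-insensitive, so normalising them lets relationship MATCHes join."""
    return ref["id"].lower() if ref and ref.get("id") else None


def transform_network_interfaces(nics: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One flat record per NIC carrying the ids of its VM, NSG, subnets and public IPs."""
    records = []
    for nic in nics:
        ip_configs = nic.get("ip_configurations") or []  # a NIC may have several IP configs
        records.append({
            "id": nic["id"].lower(),
            "name": nic["name"],
            "vm_id": _ref_id(nic.get("virtual_machine")),
            "nsg_id": _ref_id(nic.get("network_security_group")),
            "subnet_ids": sorted({s for s in (_ref_id(c.get("subnet")) for c in ip_configs) if s}),
            "public_ip_ids": sorted({p for p in (_ref_id(c.get("public_ip_address")) for c in ip_configs) if p}),
            "private_ips": [c["private_ip_address"] for c in ip_configs if c.get("private_ip_address")],
        })
    return records


def transform_public_ips(pips: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One flat record per public IP; ip_address stays None for unassigned dynamic IPs."""
    return [{"id": p["id"].lower(), "name": p["name"], "ip_address": p.get("ip_address"),
             "allocation_method": p.get("public_ip_allocation_method"),
             "sku": (p.get("sku") or {}).get("name")} for p in pips]


def build_relationships(nic_records: list[dict[str, Any]]) -> list[tuple[str, str, str]]:
    """Emit (source_id, REL_TYPE, target_id) triples for the proposed NIC relationships."""
    rels: list[tuple[str, str, str]] = []
    for nic in nic_records:
        if nic["vm_id"]:
            rels.append((nic["vm_id"], "HAS_NIC", nic["id"]))
        if nic["nsg_id"]:
            rels.append((nic["id"], "PROTECTED_BY", nic["nsg_id"]))
        rels.extend((nic["id"], "PART_OF_SUBNET", s) for s in nic["subnet_ids"])
        rels.extend((nic["id"], "HAS_PUBLIC_IP", p) for p in nic["public_ip_ids"])
    return rels


def vms_with_public_ip(nic_records: list[dict[str, Any]],
                       pip_records: list[dict[str, Any]]) -> dict[str, list[str]]:
    """VM id -> assigned public addresses reached through its NICs (VM -> NIC -> Public IP)."""
    addr_by_id = {p["id"]: p["ip_address"] for p in pip_records if p["ip_address"]}
    exposed: dict[str, list[str]] = {}
    for nic in nic_records:
        addrs = [addr_by_id[p] for p in nic["public_ip_ids"] if p in addr_by_id]
        if nic["vm_id"] and addrs:
            exposed.setdefault(nic["vm_id"], []).extend(addrs)
    return exposed


def vms_without_nic_nsg(nic_records: list[dict[str, Any]]) -> list[str]:
    """VMs with at least one NIC that has no NSG attached at the NIC level."""
    return sorted({nic["vm_id"] for nic in nic_records if nic["vm_id"] and not nic["nsg_id"]})
```

Two details matter for the real ingestion. First, resource ids must be normalised (here lower-cased) on both the node and the relationship side, otherwise the `HAS_PUBLIC_IP` MATCH silently finds nothing when the SDK returns a reference with different casing than the listed resource. Second, `vms_without_nic_nsg` only tests NIC-level association: an NSG can also be attached to the subnet, so a "VMs without NSG protection" query needs to walk `PART_OF_SUBNET` to the subnet's NSG as well before flagging a VM.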

Alternatives Considered

  • Relying solely on NSGs for security analysis - NSGs don't capture Azure Firewall (a separate service) or the full network topology
  • Using Azure Resource Graph queries externally - loses the benefit of Cartography's unified graph model

Relevant Links

kunaals, Dec 08 '25 19:12