From 9cb4be7eed7ec4c74ec16b305b83e833535a6d3e Mon Sep 17 00:00:00 2001 From: Benjamin Engeset <99641908+BenjaminEngeset@users.noreply.github.com> Date: Wed, 22 May 2024 07:26:25 +0200 Subject: [PATCH] feat(new): Added Azure.EventHub.Firewall (#2872) * feat(new): Added Azure.EventHub.Firewall * doc: Update changelog * refactor: Updated Azure.EventHub.Firewall * Update for AnyOf function --------- Co-authored-by: Bernie White --- docs/CHANGELOG-v1.md | 4 + docs/en/rules/Azure.EventHub.Firewall.md | 105 ++++++ .../rules/Azure.EventHub.Rule.ps1 | 33 ++ .../Azure.EventHub.Tests.ps1 | 43 ++- .../Resources.EventHub.json | 298 +++++++++++++++++- 5 files changed, 468 insertions(+), 15 deletions(-) create mode 100644 docs/en/rules/Azure.EventHub.Firewall.md diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md index 7d295909bf..43c951ed47 100644 --- a/docs/CHANGELOG-v1.md +++ b/docs/CHANGELOG-v1.md @@ -39,6 +39,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers [#2846](https://github.com/Azure/PSRule.Rules.Azure/issues/2846) - Check that database accounts have public network access disabled by @BenjaminEngeset. [#2702](https://github.com/Azure/PSRule.Rules.Azure/issues/2702) + - Event Hub: + - Check that access to the namespace endpoints is restricted to only allowed sources by @BenjaminEngeset. + [#2701](https://github.com/Azure/PSRule.Rules.Azure/issues/2701) - Updated rules: - API Management: - **Important change**: Updated `Azure.APIM.AvailabilityZone` to improve accuracy with non-premium SKUs by @BenjaminEngeset. @@ -49,6 +52,7 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers - Updated rule doc. - Bumped rule set to `2024_06`. + ## v1.37.0-B0009 (pre-release) What's changed since v1.36.0: diff --git a/docs/en/rules/Azure.EventHub.Firewall.md b/docs/en/rules/Azure.EventHub.Firewall.md new file mode 100644 index 0000000000..3f42ab65a7 --- /dev/null +++ b/docs/en/rules/Azure.EventHub.Firewall.md 
@@ -0,0 +1,105 @@
+---
+severity: Critical
+pillar: Security
+category: SE:06 Network controls
+resource: Event Hub
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.EventHub.Firewall/
+---
+
+# Access to the namespace endpoints should be restricted to only allowed sources
+
+## SYNOPSIS
+
+Access to the namespace endpoints should be restricted to only allowed sources.
+
+## DESCRIPTION
+
+By default, Event Hub namespaces are accessible from public internet.
+
+With the firewall feature, it is possible to either fully disabling public network access by ensuring that the namespace endpoints isn't exposed on the public internet or configure rules to only accept traffic from specific addresses.
+
+## RECOMMENDATION
+
+Consider restricting network access to the Event Hub namespace by requiring private endpoints or by limiting access to permitted client addresses with the service firewall.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy Event Hub namespaces that pass this rule:
+
+- Set the `properties.publicNetworkAccess` property to `Disabled` to require private endpoints. OR
+- Alternatively, you can configure the `Microsoft.EventHub/namespaces/networkRuleSets` sub-resource by:
+ - Setting the `properties.publicNetworkAccess` property to `Disabled` to require private endpoints. OR
+ - Setting the `properties.defaultAction` property to `Deny` to restrict network access to the service by default.
+
+For example:
+
+```json
+{
+ "type": "Microsoft.EventHub/namespaces",
+ "apiVersion": "2024-01-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "disableLocalAuth": true,
+ "minimumTlsVersion": "1.2",
+ "publicNetworkAccess": "Disabled",
+ "zoneRedundant": true
+ }
+}
+```
+
+### Configure with Bicep
+
+To deploy Event Hub namespaces that pass this rule:
+
+- Set the `properties.publicNetworkAccess` property to `Disabled` to require private endpoints. OR
+- Alternatively, you can configure the `Microsoft.EventHub/namespaces/networkRuleSets` sub-resource by:
+ - Setting the `properties.publicNetworkAccess` property to `Disabled` to require private endpoints. OR
+ - Setting the `properties.defaultAction` property to `Deny` to restrict network access to the service by default.
+
+For example:
+
+```bicep
+resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {
+ name: name
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ sku: {
+ name: 'Standard'
+ }
+ properties: {
+ disableLocalAuth: true
+ minimumTlsVersion: '1.2'
+ publicNetworkAccess: 'Disabled'
+ zoneRedundant: true
+ }
+}
+```
+
+## NOTES
+
+If there are no IP and virtual network rules, all the traffic flows into the namespace even if you set the defaultAction to `deny` on the firewall. The namespace can be accessed over the public internet. Specify at least one IP rule or virtual network rule for the namespace to activate the default action on the firewall.
+
+The firewall feature isn't supported in the `basic` tier.
+
+## LINKS
+
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Azure security baseline for Event Hub](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline)
+- [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline#ns-1-establish-network-segmentation-boundaries)
+- [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline#ns-1-establish-network-segmentation-boundaries)
+- [Allow access to Azure Event Hub namespaces from specific IP addresses or ranges](https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering)
+- [Allow access to Azure Event Hub namespaces from specific virtual networks](https://learn.microsoft.com/azure/event-hubs/event-hubs-service-endpoints)
+- [Allow access to Azure Event Hub namespaces via private endpoints](https://learn.microsoft.com/azure/event-hubs/private-link-service)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.eventhub/namespaces/eventhubs)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.eventhub/namespaces/networkrulesets)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1
index 87c77286a7..e09a1714a0 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1
@@ -13,4 +13,37 @@ Rule 'Azure.EventHub.Usage' -Ref 'AZR-000101' -Type 'Microsoft.EventHub/namespac $Assert.GreaterOrEqual($items, '.', 1); } +# Synopsis: Access to the namespace endpoints should be restricted to only allowed sources. +Rule 'Azure.EventHub.Firewall' -Ref 'AZR-000422' -Type 'Microsoft.EventHub/namespaces', 'Microsoft.EventHub/namespaces/networkRuleSets' -If { Test-IsNoBasicTier } -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1', 'NS-2' } { + # NB: Microsoft.EventHub/namespaces/networkRuleSets overrides properties.publicNetworkAccess and properties.defaultAction property. + + $firewalls = @($TargetObject) + if ($PSRule.TargetType -eq 'Microsoft.EventHub/namespaces') { + $firewalls = @(GetSubResources -ResourceType 'Microsoft.EventHub/namespaces/networkRuleSets') + } + + if ($firewalls.Count -eq 0 -and $PSRule.TargetType -eq 'Microsoft.EventHub/namespaces') { + $Assert.HasFieldValue($TargetObject, 'properties.publicNetworkAccess', 'Disabled') + } + + else { + foreach ($firewall in $firewalls) { + AnyOf { + $Assert.HasFieldValue($firewall, 'properties.publicNetworkAccess', 'Disabled') + $Assert.HasFieldValue($firewall, 'properties.defaultAction', 'Deny') + } + } + } +} + #endregion Rules + +#region Helper functions + +function global:Test-IsNoBasicTier { + [CmdletBinding()] + param () + -not $Assert.HasFieldValue($TargetObject, 'sku.tier', 'Basic').Result +} + +#endregion Helper functions diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.EventHub.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.EventHub.Tests.ps1 index 7b9c61bce4..dfa1d7eb3c 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.EventHub.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.EventHub.Tests.ps1 
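Review bot: The `AnyOf` block in `Azure.EventHub.Firewall` accepts `properties.defaultAction` set to `Deny` on its own, yet the NOTES section of the rule doc added in this same commit says that with no IP or virtual network rules all traffic still reaches the namespace. A rule set with `publicNetworkAccess` `Enabled`, `defaultAction` `Deny` and empty `ipRules`/`virtualNetworkRules` is therefore reported as Pass while the endpoint stays reachable from the public internet. The fixtures `hubns-F` and `default-C` have exactly that shape, and the new test in Azure.EventHub.Tests.ps1 pins both as Pass. The `Deny` alternative should only count when at least one rule exists, for example by also requiring `$Assert.GreaterOrEqual($firewall, 'properties.ipRules', 1)` or the same check on `properties.virtualNetworkRules`. The fixtures and expected outcomes would need to change to match.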
@@ -27,10 +27,10 @@ Describe 'Azure.EventHub' -Tag 'EventHub' { Context 'Conditions' { BeforeAll { $invokeParams = @{ - Baseline = 'Azure.All' - Module = 'PSRule.Rules.Azure' + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' WarningAction = 'Ignore' - ErrorAction = 'Stop' + ErrorAction = 'Stop' } $dataPath = Join-Path -Path $here -ChildPath 'Resources.EventHub.json'; $result = Invoke-PSRule @invokeParams -InputPath $dataPath; @@ -42,8 +42,8 @@ Describe 'Azure.EventHub' -Tag 'EventHub' { # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'hubns-B', 'hubns-C'; + $ruleResult.Length | Should -Be 5; + $ruleResult.TargetName | Should -BeIn 'hubns-B', 'hubns-C', 'hubns-D', 'hubns-E', 'hubns-F'; # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); @@ -58,8 +58,8 @@ Describe 'Azure.EventHub' -Tag 'EventHub' { # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'hubns-B', 'hubns-C'; + $ruleResult.Length | Should -Be 5; + $ruleResult.TargetName | Should -BeIn 'hubns-B', 'hubns-C', 'hubns-D', 'hubns-E', 'hubns-F'; # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); 
@@ -82,8 +82,27 @@ Describe 'Azure.EventHub' -Tag 'EventHub' { # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -BeIn 'hubns-C'; + $ruleResult.Length | Should -Be 4; + $ruleResult.TargetName | Should -BeIn 'hubns-C', 'hubns-D', 'hubns-E', 'hubns-F'; + } + + It 'Azure.EventHub.Firewall' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.EventHub.Firewall' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult.Length | Should -Be 4; + $ruleResult.TargetName | Should -BeIn 'hubns-B', 'hubns-C', 'hubns-D', 'default-A'; + + $ruleResult[0].Reason | Should -BeExactly "Path properties.publicNetworkAccess: Does not exist." + $ruleResult[1].Reason | Should -BeExactly "Path properties.publicNetworkAccess: Is set to 'Enabled'." + $ruleResult[2].Reason | Should -BeIn "Path properties.publicNetworkAccess: Is set to 'Enabled'.", "Path properties.defaultAction: Is set to 'Allow'." + $ruleResult[3].Reason | Should -BeIn "Path properties.publicNetworkAccess: Is set to 'Enabled'.", "Path properties.defaultAction: Is set to 'Allow'." + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult.Length | Should -Be 5; + $ruleResult.TargetName | Should -BeIn 'hubns-E', 'hubns-F', 'default-B', 'default-C', 'default-D'; } } 
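Review bot: The `Reason` assertions in the new `It 'Azure.EventHub.Firewall'` block pick failures by position (`$ruleResult[0]` to `$ruleResult[3]`), so they depend on the order in which results come back rather than on which resource failed. Selecting by name keeps each expectation tied to its fixture, e.g. `($ruleResult | Where-Object TargetName -eq 'hubns-B').Reason | Should -BeExactly "Path properties.publicNetworkAccess: Does not exist."`. The Fail and Pass sections here also drop the `$ruleResult | Should -Not -BeNullOrEmpty;` guard that the neighbouring tests in this file use. The enclosing `Context` block starts outside the hunk.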
@@ -92,10 +111,10 @@ Describe 'Azure.EventHub' -Tag 'EventHub' { $outputFile = Join-Path -Path $rootPath -ChildPath out/tests/Resources.EventHub.json; Export-AzRuleTemplateData -TemplateFile (Join-Path -Path $here -ChildPath 'Resources.EventHub.Template.json') -OutputPath $outputFile; $invokeParams = @{ - Baseline = 'Azure.All' - Module = 'PSRule.Rules.Azure' + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' WarningAction = 'Ignore' - ErrorAction = 'Stop' + ErrorAction = 'Stop' } $result = Invoke-PSRule @invokeParams -InputPath $outputFile -Outcome All; } diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.EventHub.json b/tests/PSRule.Rules.Azure.Tests/Resources.EventHub.json index bcb1611de7..3a840ccc5a 100644 --- a/tests/PSRule.Rules.Azure.Tests/Resources.EventHub.json +++ b/tests/PSRule.Rules.Azure.Tests/Resources.EventHub.json @@ -11,7 +11,6 @@ "ExtensionResourceName": null, "Properties": { "disableLocalAuth": true, - "zoneRedundant": true, "isAutoInflateEnabled": true, "maximumThroughputUnits": 2, "kafkaEnabled": true, @@ -26,8 +25,8 @@ "ResourceType": "Microsoft.EventHub/namespaces", "ExtensionResourceType": null, "Sku": { - "Name": "Standard", - "Tier": "Standard", + "Name": "Basic", + "Tier": "Basic", "Size": null, "Family": null, "Model": null, @@ -115,6 +114,7 @@ "Name": "hubns-C", "ExtensionResourceName": null, "Properties": { + "publicNetworkAccess": "Enabled", "disableLocalAuth": false, "zoneRedundant": true, "isAutoInflateEnabled": true, 
@@ -141,5 +141,297 @@ }, "Tags": null, "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-D", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-D", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "hubns-D", + "Name": "hubns-D", + "ExtensionResourceName": null, + "Properties": { + "disableLocalAuth": false, + "zoneRedundant": true, + "isAutoInflateEnabled": true, + "maximumThroughputUnits": 2, + "kafkaEnabled": true, + "minimumTlsVersion": "1.2", + "provisioningState": "Succeeded", + "createdAt": "2022-01-22T08:53:47.343Z", + "updatedAt": "2022-01-22T08:54:38.617Z", + "serviceBusEndpoint": "https://hubns-D.servicebus.windows.net:443/", + "status": "Active" + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces", + "ResourceType": "Microsoft.EventHub/namespaces", + "ExtensionResourceType": null, + "Sku": { + "Name": "Premium", + "Tier": "Premium", + "Size": null, + "Family": null, + "Model": null, + "Capacity": 1 + }, + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000", + "resources": [ + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-D/networkrulesets/default", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-D/networkrulesets/default", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "default", + "Name": "default", + "ExtensionResourceName": null, + "Properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Allow", + "virtualNetworkRules": [], + "ipRules": [], + "trustedServiceAccessEnabled": false + }, + 
"ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces/networkRuleSets", + "ResourceType": "Microsoft.EventHub/namespaces/networkRuleSets", + "ExtensionResourceType": null, + "Sku": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + } + ] + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-E", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-E", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "hubns-E", + "Name": "hubns-E", + "ExtensionResourceName": null, + "Properties": { + "disableLocalAuth": false, + "zoneRedundant": true, + "isAutoInflateEnabled": true, + "maximumThroughputUnits": 2, + "kafkaEnabled": true, + "minimumTlsVersion": "1.2", + "provisioningState": "Succeeded", + "createdAt": "2022-01-22T08:53:47.343Z", + "updatedAt": "2022-01-22T08:54:38.617Z", + "serviceBusEndpoint": "https://hubns-E.servicebus.windows.net:443/", + "status": "Active" + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces", + "ResourceType": "Microsoft.EventHub/namespaces", + "ExtensionResourceType": null, + "Sku": { + "Name": "Premium", + "Tier": "Premium", + "Size": null, + "Family": null, + "Model": null, + "Capacity": 1 + }, + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000", + "resources": [ + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-E/networkrulesets/default", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-E/networkrulesets/default", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "default", + "Name": "default", + "ExtensionResourceName": 
null, + "Properties": { + "publicNetworkAccess": "Disabled", + "defaultAction": "Allow", + "virtualNetworkRules": [], + "ipRules": [], + "trustedServiceAccessEnabled": false + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces/networkRuleSets", + "ResourceType": "Microsoft.EventHub/namespaces/networkRuleSets", + "ExtensionResourceType": null, + "Sku": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + } + ] + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-F", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-F", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "hubns-F", + "Name": "hubns-F", + "ExtensionResourceName": null, + "Properties": { + "disableLocalAuth": false, + "zoneRedundant": true, + "isAutoInflateEnabled": true, + "maximumThroughputUnits": 2, + "kafkaEnabled": true, + "minimumTlsVersion": "1.2", + "provisioningState": "Succeeded", + "createdAt": "2022-01-22T08:53:47.343Z", + "updatedAt": "2022-01-22T08:54:38.617Z", + "serviceBusEndpoint": "https://hubns-F.servicebus.windows.net:443/", + "status": "Active" + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces", + "ResourceType": "Microsoft.EventHub/namespaces", + "ExtensionResourceType": null, + "Sku": { + "Name": "Premium", + "Tier": "Premium", + "Size": null, + "Family": null, + "Model": null, + "Capacity": 1 + }, + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000", + "resources": [ + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-F/networkrulesets/default", + "Id": 
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-F/networkrulesets/default", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "default", + "Name": "default", + "ExtensionResourceName": null, + "Properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Deny", + "virtualNetworkRules": [], + "ipRules": [], + "trustedServiceAccessEnabled": false + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces/networkRuleSets", + "ResourceType": "Microsoft.EventHub/namespaces/networkRuleSets", + "ExtensionResourceType": null, + "Sku": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + } + ] + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-G/networkrulesets/default-A", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-G/networkrulesets/default-A", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "default-A", + "Name": "default-A", + "ExtensionResourceName": null, + "Properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Allow", + "virtualNetworkRules": [], + "ipRules": [], + "trustedServiceAccessEnabled": false + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces/networkRuleSets", + "ResourceType": "Microsoft.EventHub/namespaces/networkRuleSets", + "ExtensionResourceType": null, + "Sku": null, + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-H/networkrulesets/default-B", + "Id": 
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-H/networkrulesets/default-B", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "default-B", + "Name": "default-B", + "ExtensionResourceName": null, + "Properties": { + "publicNetworkAccess": "Disabled", + "defaultAction": "Allow", + "virtualNetworkRules": [], + "ipRules": [], + "trustedServiceAccessEnabled": false + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces/networkRuleSets", + "ResourceType": "Microsoft.EventHub/namespaces/networkRuleSets", + "ExtensionResourceType": null, + "Sku": null, + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-I/networkrulesets/default-C", + "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-I/networkrulesets/default-C", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "default-C", + "Name": "default-C", + "ExtensionResourceName": null, + "Properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Deny", + "virtualNetworkRules": [], + "ipRules": [], + "trustedServiceAccessEnabled": false + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces/networkRuleSets", + "ResourceType": "Microsoft.EventHub/namespaces/networkRuleSets", + "ExtensionResourceType": null, + "Sku": null, + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" + }, + { + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-J/networkrulesets/default-C", + "Id": 
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/hubns-J/networkrulesets/default-C", + "Identity": null, + "Kind": null, + "Location": "East US", + "ManagedBy": null, + "ResourceName": "default-D", + "Name": "default-D", + "ExtensionResourceName": null, + "Properties": { + "publicNetworkAccess": "Disabled", + "defaultAction": "Deny", + "virtualNetworkRules": [], + "ipRules": [], + "trustedServiceAccessEnabled": false + }, + "ResourceGroupName": "test-rg", + "Type": "Microsoft.EventHub/namespaces/networkRuleSets", + "ResourceType": "Microsoft.EventHub/namespaces/networkRuleSets", + "ExtensionResourceType": null, + "Sku": null, + "Tags": null, + "SubscriptionId": "00000000-0000-0000-0000-000000000000" } ]
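Review bot: The last fixture added in this hunk has `ResourceName` and `Name` set to `default-D`, but its `ResourceId` and `Id` end in `hubns-J/networkrulesets/default-C`, repeating the leaf name of the preceding `hubns-I` entry. The test matches on `TargetName`, so it presumably still passes, but anything keyed on the id would attribute the result to the wrong object; both ids should end in `networkrulesets/default-D`. The four standalone `networkRuleSets` objects also reference parents `hubns-G` to `hubns-J`, which do not appear as namespaces in the visible hunks. A short description in the test file of what each standalone case covers would help the next reader.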