Network Exposure

Network exposure is the level of accessibility of the asset from the public domain. CloudGuard considers the network exposure of your assets and defines each of them as:

  • Public - Accessible from the Internet.

  • Partially public - Accessible from specific addresses on the Internet.

  • Private - Confirmed as having no exposure.

  • Unknown - CloudGuard cannot determine the asset exposure based on the available data.

Supported Asset Types

CloudGuard analyzes these asset types to calculate Network Exposure:

Asset Type

Supported Statuses

Assets Used for Calculation

 

EC2Closed Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers. instance

  • Public

  • Partially public

  • Unknown

  • Private

 

ECSClosed Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. service

  • Public

  • Partially public

  • Unknown

  • Private

  • Subnet

  • VPC

  • Route Table

  • NACL

  • Security Group

  • Load Balancers (Network / Application)

  • Target Group

 

Lambda

  • Public

  • Partially Public

  • Unknown

  • API Gateway V1/2

  • Application Load Balancer

  • Security Group

 

RDSClosed Relational Database Service (RDS) - A web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

  • Public

  • Partially public

  • Unknown

  • Private

  • Subnet

  • VPC

  • Route Table

  • NACL

  • Security Group

 

EKSClosed Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. Cluster

  • Public

  • Partially public

  • Private

  • Cluster endpoint

  • CIDR

Asset Type

Supported Statuses

Assets Used for Calculation

 

Virtual Machine

  • Public

  • Partially public

  • Unknown

  • Subnet

  • Network Security Group

  • Application Security Group

  • Application Gateway

  • Public IP Address

  • NIC

  • Load Balancers

 

Storage account*

  • Public

  • Partially public

  • Unknown

  • Private

For partially public access:

  • Selected Virtual Networks (VNet)

  • Selected IP addresses

 

WebApp

  • Public

  • Partially public

  • Private

  • Unknown

  • WebApp Access Restrictions

  • Application Gateway

  • Subnet

  • Network Security Group

 

FunctionApp

  • Public

  • Partially public

  • Private

  • Unknown

  • FunctionApp Access Restrictions

  • Application Gateway

  • Subnet

  • Network Security Group

  • Network Triggers

  • Functions Authorization Level

 

SQL Server

  • Public

  • Partially public

  • Private

  • Unknown

  • SQL Server Public Access

  • SQL Server Firewall Rules

Storage Blob ContainerClosed A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling.

  • Public

  • Partially public

  • Private

  • Unknown

  • Storage Account Networking

  • Storage Account Blob Anonymous Access

  • Blob Container Anonymous Access Level

Redis Cache

  • Public

  • Partially public

  • Private

  • Unknown

  • Redis Cache Public Endpoint and Firewall Rules

* When you configure AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. storage accounts networking, you select one of these options for public network access:

  • Enable from all networks - The storage account can be accessed from any network or IP address on the public Internet.

  • Enable from selected virtual networks and IP addresses - The storage can be accessed from the selected IP addresses and VNet.

  • Disable and use private access (Private endpoint connections) - The storage cannot be accessed from a public endpoint.

Asset Type

Supported Statuses

Assets Used for Calculation

 

VMInstance

  • Public

  • Partially Public

  • Unknown

  • NIC

  • Effective Firewall Rules

  • Effective Firewall Policies