Network Exposure

Network exposure is the level of accessibility of the asset from the public domain. CloudGuard considers the network exposure of your assets and defines each of them as:

  • Public - Accessible from the Internet.

  • Partially public - Accessible from specific addresses on the Internet.

  • Private - Confirmed as having no exposure.

  • Unknown - CloudGuard cannot determine the asset exposure based on the available data.

Supported Asset Types

CloudGuard analyzes these asset types to calculate Network Exposure:

Asset Type

Supported Statuses

Assets Used for Calculation

 

EC2Closed Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers. instance

  • Public

  • Partially public

  • Unknown

  • Private

 

ECSClosed Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. service

  • Public

  • Partially public

  • Unknown

  • Private

  • Subnet

  • VPC

  • Route Table

  • NACL

  • Security Group

  • Load Balancers (Network / Application)

  • Target Group

 

Lambda

  • Public

  • Partially Public

  • Unknown

  • API Gateway V1/2

  • Application Load Balancer

  • Security Group

 

RDSClosed Relational Database Service (RDS) - A web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

  • Public

  • Partially public

  • Unknown

  • Private

  • Subnet

  • VPC

  • Route Table

  • NACL

  • Security Group

 

EKSClosed Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. Cluster

  • Public

  • Partially public

  • Private

  • Cluster endpoint

  • CIDR

Asset Type

Supported Statuses

Assets Used for Calculation

 

Virtual Machine

  • Public

  • Partially public

  • Unknown

  • Subnet

  • Network Security Group

  • Application Security Group

  • Application Gateway

  • Public IP Address

  • NIC

  • Load Balancers

 

Storage account*

  • Public

  • Partially public

  • Unknown

  • Private

For partially public access:

  • Selected Virtual Networks (VNet)

  • Selected IP addresses

 

WebApp

  • Public

  • Partially public

  • Private

  • Unknown

  • WebApp Access Restrictions

  • Application Gateway

  • Subnet

  • Network Security Group

 

FunctionApp

  • Public

  • Partially public

  • Private

  • Unknown

  • FunctionApp Access Restrictions

  • Application Gateway

  • Subnet

  • Network Security Group

  • Network Triggers

  • Functions Authorization Level

 

SQL Server

  • Public

  • Partially public

  • Private

  • Unknown

  • SQL Server Public Access

  • SQL Server Firewall Rules

* When you configure AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. storage accounts networking, you select one of these options for public network access:

  • Enable from all networks - The storage account can be accessed from any network or IP address on the public Internet.

  • Enable from selected virtual networks and IP addresses - The storage can be accessed from the selected IP addresses and VNet.

  • Disable and use private access (Private endpoint connections) - The storage cannot be accessed from a public endpoint.

Asset Type

Supported Statuses

Assets Used for Calculation

 

VMInstance

  • Public

  • Partially Public

  • Unknown

  • NIC

  • Effective Firewall Rules

  • Effective Firewall Policies