Assess your Azure network security posture in one click. Connect via Entra ID, scan across subscriptions, get a grade (A–F), and fix what matters — all inside VS Code.
You can't see your Azure network security posture without clicking through 50 portal blades. Open SSH ports, missing NSGs, permissive firewall rules, and no DDoS protection sit undetected until an incident.
This extension connects to your Azure tenant, scans your live infrastructure, and tells you:
- What's wrong — 26 security checks aligned to Microsoft Zero Trust
- How bad it is — posture grade A–F with severity counts
- How to fix it — one-line remediation + Microsoft Learn link per finding
- Who to share it with — export to CSV (opens in Excel), HTML, Markdown, or JSON
Also analyzes Bicep/ARM templates offline for pre-deployment checks.
Live Azure scan:
- Ctrl+Shift+P → "Assess Security Posture"
- Sign in with your Azure (Entra ID) credentials
- Select subscriptions to scan
- Review your posture grade and findings
- Click 📊 Export Report for CSV/HTML/Markdown/JSON

Offline Bicep/ARM analysis (no Azure account needed):
- Open a folder containing `.bicep` or `.json` ARM templates
- Ctrl+Shift+P → "Analyze Bicep/ARM Templates"
- Review findings in the sidebar and as inline squiggles
| # | Severity | Check | Fix (Microsoft Learn topic) |
|---|---|---|---|
| 001 | 🔴 Critical | SSH open to internet | Azure Bastion |
| 002 | 🔴 Critical | RDP open to internet | JIT Access |
| 003 | 🟠 High | Any-to-any allow | Filter traffic |
| 004 | 🟡 Warning | No deny-all rule | Default rules |
| 005 | 🟠 High | Permissive source 0.0.0.0/0 | Service Tags |
| 006 | 🟠 High | Permissive outbound | Segmentation |
| 007 | 🟠 High | Subnet without NSG | Manage NSGs |
| 008 | 🟡 Warning | Wide port range | Best practices |
| 009 | 🟡 Warning | Catch-all allow at low priority | JIT access |
| 010 | 🟠 High | Firewall threat intel off | Threat intel |
| 011 | 🔵 Info | No flow logs | Traffic Analytics |
| 012 | 🔵 Info | Hardcoded IPs | Service Tags |
| 013 | 🔵 Info | Overlapping rules | Rule evaluation |
| 014 | 🟡 Warning | Default route to internet | UDR overview |
| 015 | 🟠 High | VNet without DDoS | DDoS Protection |
| 016 | 🟡 Warning | No Bastion subnet | Azure Bastion |
| 017 | 🟡 Warning | PE without DNS zone | PE DNS |
| 018 | 🟠 High | App Gateway without WAF | WAF overview |
| 019 | 🟡 Warning | WAF in Detection only | WAF modes |
| 020 | 🟠 High | TLS below 1.2 | TLS policy |
| 021 | 🟡 Warning | Subnet bypasses firewall | Forced tunneling |
| 022 | 🟠 High | VPN Gateway Basic SKU | Gateway SKUs |
| 023 | 🟡 Warning | Policy-based VPN (legacy) | VPN settings |
| 024 | 🔵 Info | IPs instead of ASGs | ASGs |
| 025 | 🔵 Info | No forced tunnel to firewall | Forced tunneling |
| 026 | 🔵 Info | Public IP no DDoS | DDoS overview |
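To make the NSG-centric checks above concrete, here is a small evaluator, written for this page and not taken from the extension, that runs checks 001–005 and 008 over a single `Microsoft.Network/networkSecurityGroups` resource in the ARM/JSON shape the offline Bicep/ARM analysis consumes. The sample NSG is constructed, and the wide-port threshold and the letter-grade weights are assumptions for illustration, not the extension's scoring formula. Rules are walked in Azure's evaluation order (lowest priority number first), which is also the order "Show Effective Rules" displays.

```python
"""Added example: minimal NSG rule checker modelled on checks 001-005 and 008.
Not the extension's own code; thresholds and grading weights are assumptions."""
import json
from dataclasses import dataclass

# Constructed sample: one NSG resource as exported in an ARM template (not real infrastructure).
SAMPLE_NSG = json.loads(r'''
{
  "type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
  "properties": {"securityRules": [
    {"name": "allow-any", "properties": {"priority": 4000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "sourcePortRange": "*", "destinationPortRange": "*"}},
    {"name": "allow-ssh", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*",
     "sourcePortRange": "*", "destinationPortRange": "22"}},
    {"name": "allow-rdp", "properties": {"priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationAddressPrefix": "10.0.1.0/24",
     "sourcePortRange": "*", "destinationPortRanges": ["3389", "5985-5986"]}},
    {"name": "allow-mgmt-range", "properties": {"priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationAddressPrefix": "10.0.1.0/24",
     "sourcePortRange": "*", "destinationPortRange": "1000-65535"}},
    {"name": "allow-https-office", "properties": {"priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationAddressPrefix": "10.0.1.0/24",
     "sourcePortRange": "*", "destinationPortRange": "443"}}
  ]}
}''')

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}  # prefixes that admit the whole internet
WIDE_PORT_THRESHOLD = 1000  # assumption: flag ranges wider than this that are not the full "*"


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    rule: str
    detail: str


def port_ranges(props):
    """Normalise destinationPortRange / destinationPortRanges to a list of (lo, hi)."""
    raw = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    out = []
    for r in raw:
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def covers(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)


def effective_order(nsg):
    """Custom rules in evaluation order: lowest priority number is evaluated first."""
    return sorted(nsg["properties"]["securityRules"], key=lambda r: r["properties"]["priority"])


def assess_nsg(nsg):
    findings, saw_deny_all = [], False
    for rule in effective_order(nsg):
        p, name = rule["properties"], rule["name"]
        if p.get("direction") != "Inbound":
            continue
        src = str(p.get("sourceAddressPrefix", "")).lower()
        dst = str(p.get("destinationAddressPrefix", "")).lower()
        ranges = port_ranges(p)
        any_port = ranges == [(0, 65535)]
        if p.get("access") == "Deny" and src == "*" and dst == "*" and any_port:
            saw_deny_all = True  # explicit catch-all deny present (check 004 satisfied)
            continue
        if p.get("access") != "Allow":
            continue
        from_internet = src in INTERNET_SOURCES
        if from_internet and covers(ranges, 22):
            findings.append(Finding("001", "Critical", name, "SSH open to internet"))
        if from_internet and covers(ranges, 3389):
            findings.append(Finding("002", "Critical", name, "RDP open to internet"))
        if src == "*" and dst == "*" and any_port and p.get("protocol") == "*":
            findings.append(Finding("003", "High", name, "Any-to-any allow"))
        if src == "0.0.0.0/0":
            findings.append(Finding("005", "High", name, "Permissive source 0.0.0.0/0"))
        width = sum(hi - lo + 1 for lo, hi in ranges)
        if not any_port and width > WIDE_PORT_THRESHOLD:
            findings.append(Finding("008", "Warning", name, f"Wide port range ({width} ports)"))
    if not saw_deny_all:
        # The platform default DenyAllInBound (priority 65500) still exists, but every custom
        # Allow rule outranks it; an explicit deny-all records the intended boundary.
        findings.append(Finding("004", "Warning", "(none)", "No explicit deny-all rule"))
    return findings


WEIGHTS = {"Critical": 25, "High": 10, "Warning": 5, "Info": 1}  # assumption, for illustration only


def grade(findings):
    """Letter grade from a 100-point score minus weighted findings (illustrative scheme)."""
    score = max(0, 100 - sum(WEIGHTS[f.severity] for f in findings))
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= floor:
            return letter
    return "F"


if __name__ == "__main__":
    found = assess_nsg(SAMPLE_NSG)
    for f in found:
        print(f"{f.check} {f.severity:8} {f.rule:20} {f.detail}")
    print("grade:", grade(found))
```

Note that a single `*`-to-`*` rule trips 001, 002 and 003 at once, which is the intended behaviour: it is simultaneously an SSH exposure, an RDP exposure and an any-to-any allow. Only the rule scoped to the office prefix on 443 produces no finding.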
| Command | What It Does |
|---|---|
| Assess Security Posture | Connect to Azure → scan → grade → findings |
| Connect to Azure (Entra ID) | Sign in and list subscriptions |
| Visualize Live Topology | Draw your deployed network with connections |
| Export Security Report | CSV, HTML, Markdown, or JSON |
| Analyze Bicep/ARM Templates | Scan local files (no Azure needed) |
| Show Effective Rules | View sorted NSG rules for any security group |
All commands: Ctrl+Shift+P → type "Azure NetSec"
Resources scanned: VNets · Subnets · NSGs · Route Tables · Private Endpoints · Azure Firewalls · Application Gateways · Bastion Hosts · VPN Gateways · VNet Peerings
| Format | Use Case |
|---|---|
| CSV | Opens in Excel — sort, filter, pivot for audit |
| HTML | Visual report — print to PDF via Ctrl+P |
| Markdown | Add to PRs, wikis, Git repos |
| JSON | CI/CD pipelines, automation |
| Setting | Default | Description |
|---|---|---|
| azureNetSec.severityThreshold | warning | Minimum severity to show |
| azureNetSec.autoAnalyzeOnSave | true | Re-analyze Bicep/ARM on save |
| azureNetSec.reportFormat | html | Default export format |
- VS Code 1.85+
- For live Azure: An Azure account with Reader role on target subscriptions
- For Bicep/ARM: No Azure account needed — works offline
- Microsoft Security Benchmark — Network Security
- Azure Zero Trust Networking
- Azure Network Security Best Practices
- Well-Architected Framework — Security
- Cloud Adoption Framework — Network Segmentation
See CONTRIBUTING.md.
MIT © KimVaddi