💡 Feature Request - Recommendations for deprecation of AzureUpdateDelivery service tag #193

Open
tksh164 opened this issue Jun 5, 2024 · 1 comment
Labels
Enhancement 🆕 New feature or request


tksh164 commented Jun 5, 2024

Describe the solution you'd like

Azure Update Delivery service tag is being deprecated. So, we should detect it if customers are using that service tag.

  • Changes coming to the Azure Update Delivery service tag

    Azure Update Delivery service tag is being deprecated starting July 1, 2024. If your Azure Firewall is configured to receive Windows updates using this service tag, you'll need to migrate away from the service tag and use Azure Firewall application rules instead.

  • Available service tags

    AzureUpdateDelivery
    The Azure Update Delivery service tag used for accessing Windows Updates is marked for deprecation and in the future it will be decommissioned.

The above deprecation will affect the following resources at least:

  • Network security groups
  • Route tables
  • Azure Firewall (classic rules)
  • Azure Firewall policies

Describe alternatives you've considered

n/a

Additional context

n/a


kzk839 commented Jun 5, 2024

I created these KQLs to find resources which use AzureUpdateDelivery or AzureFrontDoor.FirstParty tags.
However, rules in Azure Firewall policy could not be searched in KQL.

for NSGs

resources
| where type =~ "Microsoft.Network/NetworkSecurityGroups"
| mv-expand rule = properties.securityRules
| extend source = rule.properties.sourceAddressPrefix
| extend destination = rule.properties.destinationAddressPrefix
| extend ruleName = rule.name
| where source == "AzureUpdateDelivery" or destination == "AzureUpdateDelivery" or source == "AzureFrontDoor.FirstParty" or destination == "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, ruleName, source, destination

for Route Tables

resources
| where type =~ "Microsoft.Network/routetables"
| mv-expand route = properties.routes
| extend routeName = route.name
| extend addressPrefix = route.properties.addressPrefix
| where addressPrefix == "AzureUpdateDelivery" or addressPrefix  == "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, routeName, addressPrefix

for Azure Firewall (classic rules)

resources
| where type =~ "Microsoft.Network/AzureFirewalls"
| mv-expand nwRules = properties.networkRuleCollections
| mv-expand nwRule = nwRules.properties.rules
| extend ruleName = nwRule.name
| extend sourceAddresses = nwRule.sourceAddresses
| extend destinationAddresses = nwRule.destinationAddresses
| where sourceAddresses contains "AzureUpdateDelivery" or destinationAddresses contains "AzureUpdateDelivery" or sourceAddresses contains "AzureFrontDoor.FirstParty" or destinationAddresses contains "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, ruleName, sourceAddresses, destinationAddresses

@ejhenry ejhenry added the Enhancement 🆕 New feature or request label Jun 5, 2024
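
The comment above notes that rules in Azure Firewall policy could not be searched in KQL. As an added example (not code from this thread or from the project), the Python below applies the same tag check to the ARM JSON of a policy's `ruleCollectionGroups` resources. The sample input is constructed, how the JSON is exported is left as an assumption, and the match is a case-insensitive exact comparison.

```python
import json

# Service tags named in this issue, lower-cased for case-insensitive matching.
TAGS = {"azureupdatedelivery", "azurefrontdoor.firstparty"}

# Constructed sample: one ruleCollectionGroups resource in ARM JSON shape.
# All names, the subscription id and the addresses are placeholders.
SAMPLE = json.loads("""
[{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sample/providers/Microsoft.Network/firewallPolicies/fwp-sample/ruleCollectionGroups/rcg-sample",
  "name": "rcg-sample",
  "properties": {"ruleCollections": [
    {"name": "allow-updates", "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
     "rules": [
       {"name": "windows-update", "ruleType": "NetworkRule",
        "sourceAddresses": ["10.0.0.0/24"], "destinationAddresses": ["AzureUpdateDelivery"]},
       {"name": "internal-dns", "ruleType": "NetworkRule",
        "sourceAddresses": ["*"], "destinationAddresses": ["10.0.2.4"]},
       {"name": "web", "ruleType": "ApplicationRule",
        "sourceAddresses": ["10.0.0.0/24"], "targetFqdns": ["updates.example.com"]}
     ]},
    {"name": "afd", "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
     "rules": [
       {"name": "afd-in", "ruleType": "NetworkRule",
        "sourceAddresses": ["azurefrontdoor.firstparty"], "destinationAddresses": ["10.0.1.4"]}
     ]}
  ]}
}]
""")

def find_tag_rules(groups, tags=TAGS):
    """Return one finding per rule field that lists one of the given service tags."""
    findings = []
    for group in groups:
        props = group.get("properties") or {}
        for coll in props.get("ruleCollections") or []:
            for rule in coll.get("rules") or []:
                # Same two fields the classic-rules query checks.
                for field in ("sourceAddresses", "destinationAddresses"):
                    hits = [a for a in rule.get(field) or [] if a.lower() in tags]
                    if hits:
                        findings.append({"group": group.get("name"),
                                         "collection": coll.get("name"),
                                         "rule": rule.get("name"),
                                         "field": field, "tags": hits})
    return findings

if __name__ == "__main__":
    for finding in find_tag_rules(SAMPLE):
        print(finding)
```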