Azure Network Security Visualizer

Kim Vaddi | 1 install | (0) | Free
Assess Azure network security posture via Entra ID. 26 Zero Trust checks across subscriptions — open ports, missing NSGs, WAF, DDoS, TLS, forced tunneling. Posture grade A–F with remediation guidance. Export to Excel/HTML/Markdown.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.


Assess your Azure network security posture in one click. Connect via Entra ID, scan across subscriptions, get a grade (A–F), and fix what matters — all inside VS Code.


The Problem

You can't see your Azure network security posture without clicking through 50 portal blades. Open SSH ports, missing NSGs, permissive firewall rules, and no DDoS protection sit undetected until an incident.

The Solution

This extension connects to your Azure tenant, scans your live infrastructure, and tells you:

  • What's wrong — 26 security checks aligned to Microsoft Zero Trust
  • How bad it is — posture grade A–F with severity counts
  • How to fix it — one-line remediation + Microsoft Learn link per finding
  • Who to share it with — export to Excel, HTML, Markdown, or JSON

Also analyzes Bicep/ARM templates offline for pre-deployment checks.


Quick Start

Assess Live Azure (Recommended)

  1. Ctrl+Shift+P → "Assess Security Posture"
  2. Sign in with your Azure (Entra ID) credentials
  3. Select subscriptions to scan
  4. Review your posture grade and findings
  5. Click 📊 Export Report for Excel/HTML/Markdown

Analyze Bicep/ARM Files (No Azure Account Needed)

  1. Open a folder with .bicep or .json ARM templates
  2. Ctrl+Shift+P → "Analyze Bicep/ARM Templates"
  3. Review findings in the sidebar and inline squiggles

What It Checks (26 Rules)

| # | Severity | Check | Fix |
|---|---|---|---|
| 001 | 🔴 Critical | SSH open to internet | Azure Bastion |
| 002 | 🔴 Critical | RDP open to internet | JIT Access |
| 003 | 🟠 High | Any-to-any allow | Filter traffic |
| 004 | 🟡 Warning | No deny-all rule | Default rules |
| 005 | 🟠 High | Permissive source 0.0.0.0/0 | Service Tags |
| 006 | 🟠 High | Permissive outbound | Segmentation |
| 007 | 🟠 High | Subnet without NSG | Manage NSGs |
| 008 | 🟡 Warning | Wide port range | Best practices |
| 009 | 🟡 Warning | Catch-all allow at low priority | JIT access |
| 010 | 🟠 High | Firewall threat intel off | Threat intel |
| 011 | 🔵 Info | No flow logs | Traffic Analytics |
| 012 | 🔵 Info | Hardcoded IPs | Service Tags |
| 013 | 🔵 Info | Overlapping rules | Rule evaluation |
| 014 | 🟡 Warning | Default route to internet | UDR overview |
| 015 | 🟠 High | VNet without DDoS | DDoS Protection |
| 016 | 🟡 Warning | No Bastion subnet | Azure Bastion |
| 017 | 🟡 Warning | PE without DNS zone | PE DNS |
| 018 | 🟠 High | App Gateway without WAF | WAF overview |
| 019 | 🟡 Warning | WAF in Detection only | WAF modes |
| 020 | 🟠 High | TLS below 1.2 | TLS policy |
| 021 | 🟡 Warning | Subnet bypasses firewall | Forced tunneling |
| 022 | 🟠 High | VPN Gateway Basic SKU | Gateway SKUs |
| 023 | 🟡 Warning | Policy-based VPN (legacy) | VPN settings |
| 024 | 🔵 Info | IPs instead of ASGs | ASGs |
| 025 | 🔵 Info | No forced tunnel to firewall | Forced tunneling |
| 026 | 🔵 Info | Public IP no DDoS | DDoS overview |
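
As an added illustration (not the extension's own code), the sketch below shows how an offline check in the spirit of rules 001 and 002 can be evaluated against the NSG resources in an ARM template's JSON. The function names, the set of source values treated as "internet", and the sample template are assumptions made for this example.

```javascript
// Added example, not the extension's code. Rule IDs 001/002 come from the table
// above; the matching logic is an assumption about what such a check involves.
const INTERNET = new Set(["*", "0.0.0.0/0", "internet"]);
const WATCHED = { 22: ["001", "SSH open to internet"], 3389: ["002", "RDP open to internet"] };

// ARM accepts either the singular or the plural property on a rule; merge both.
function values(props, singular, plural) {
  return [props[singular], ...(props[plural] || [])].filter(Boolean);
}

// Port ranges are "*", a single port such as "22", or a span such as "20-30".
function coversPort(range, port) {
  if (range === "*") return true;
  const [lo, hi = lo] = range.split("-").map(Number);
  return lo <= port && port <= hi;
}

function findExposedManagementPorts(template) {
  const findings = [];
  for (const res of template.resources || []) {
    if (res.type !== "Microsoft.Network/networkSecurityGroups") continue;
    for (const rule of (res.properties || {}).securityRules || []) {
      const p = rule.properties || {};
      if (p.direction !== "Inbound" || p.access !== "Allow") continue;
      if (!["tcp", "*"].includes(String(p.protocol).toLowerCase())) continue;
      const sources = values(p, "sourceAddressPrefix", "sourceAddressPrefixes");
      if (!sources.some((s) => INTERNET.has(s.toLowerCase()))) continue;
      const ranges = values(p, "destinationPortRange", "destinationPortRanges");
      for (const [port, [id, title]] of Object.entries(WATCHED)) {
        if (ranges.some((r) => coversPort(r, Number(port)))) {
          findings.push({ id, title, nsg: res.name, rule: rule.name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample template (not from a real deployment).
const sampleTemplate = { resources: [{
  type: "Microsoft.Network/networkSecurityGroups", name: "nsg-web",
  properties: { securityRules: [
    { name: "mgmt", properties: { priority: 100, direction: "Inbound", access: "Allow",
      protocol: "Tcp", sourceAddressPrefix: "Internet", destinationPortRanges: ["20-25", "3389"] } },
    { name: "ssh-corp", properties: { priority: 110, direction: "Inbound", access: "Allow",
      protocol: "Tcp", sourceAddressPrefix: "10.0.0.0/8", destinationPortRange: "22" } },
    { name: "https", properties: { priority: 120, direction: "Inbound", access: "Allow",
      protocol: "Tcp", sourceAddressPrefix: "*", destinationPortRange: "443" } } ] } }] };
console.log(findExposedManagementPorts(sampleTemplate));
```

The sketch only reads rules declared inline on the NSG resource and does not model priority ordering, so an allow rule that a higher-priority deny would shadow is still reported.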

Commands

| Command | What It Does |
|---|---|
| Assess Security Posture | Connect to Azure → scan → grade → findings |
| Connect to Azure (Entra ID) | Sign in and list subscriptions |
| Visualize Live Topology | Draw your deployed network with connections |
| Export Security Report | CSV, HTML, Markdown, or JSON |
| Analyze Bicep/ARM Templates | Scan local files (no Azure needed) |
| Show Effective Rules | View sorted NSG rules for any security group |

All commands: Ctrl+Shift+P → type "Azure NetSec"


Resources Scanned

VNets · Subnets · NSGs · Route Tables · Private Endpoints · Azure Firewalls · Application Gateways · Bastion Hosts · VPN Gateways · VNet Peerings


Export Formats

| Format | Use Case |
|---|---|
| CSV | Opens in Excel — sort, filter, pivot for audit |
| HTML | Visual report — print to PDF via Ctrl+P |
| Markdown | Add to PRs, wikis, Git repos |
| JSON | CI/CD pipelines, automation |

Settings

| Setting | Default | Description |
|---|---|---|
| azureNetSec.severityThreshold | warning | Minimum severity to show |
| azureNetSec.autoAnalyzeOnSave | true | Re-analyze Bicep/ARM on save |
| azureNetSec.reportFormat | html | Default export format |

Requirements

  • VS Code 1.85+
  • For live Azure: An Azure account with Reader role on target subscriptions
  • For Bicep/ARM: No Azure account needed — works offline

Based On

  • Microsoft Security Benchmark — Network Security
  • Azure Zero Trust Networking
  • Azure Network Security Best Practices
  • Well-Architected Framework — Security
  • Cloud Adoption Framework — Network Segmentation

Contributing

See CONTRIBUTING.md.

License

MIT © KimVaddi
