Azure Zero Trust Network Visualizer & Analyzer
Visualize Azure VNet topology, analyze NSG/Firewall rules, detect Zero Trust segmentation gaps, and generate remediation rules — directly in VS Code.
Features
Network Topology Visualization
- Interactive topology map — visualizes VNets, subnets, peerings, firewalls, and private endpoints as an interactive network graph
- Automatic classification — detects hub-spoke, mesh, flat, or isolated topologies
- Color-coded nodes — red for critical issues, amber for warnings, green for healthy resources
- Security finding badges — each node shows its finding count at a glance
NSG Rule Effectiveness Matrix
- Port exposure table — shows which critical ports (SSH, RDP, SQL, Redis, etc.) are allowed or denied per NSG
- Any-source detection — flags rules allowing traffic from any source (`0.0.0.0/0`), marked ★ ANY
- Visual heat-map — red for allowed, green for denied, across all critical ports
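How the matrix above has to be computed is worth spelling out, because a naive "is there an Allow rule for port X" check gets it wrong: Azure evaluates inbound NSG rules in ascending priority order and stops at the first rule whose protocol, source and destination port all match, with the built-in default rules evaluated last. The following is an added example, not the extension's own zero-trust-analyzer.ts; the type names, helper names and the sample NSG are constructed for illustration.

```typescript
// Added example, not the extension's own zero-trust-analyzer.ts: build the
// port exposure matrix for one NSG using Azure NSG semantics. Inbound rules
// are evaluated in ascending priority order and the first rule whose
// protocol, source and destination port all match decides the outcome; the
// built-in default rules are evaluated last. The NSG below is constructed.

type RuleAccess = "Allow" | "Deny";

interface SecurityRule {
  name: string;
  priority: number;              // 100-4096 for custom rules; lower number wins
  direction: "Inbound" | "Outbound";
  access: RuleAccess;
  protocol: "Tcp" | "Udp" | "Icmp" | "*";
  sourceAddressPrefix?: string;  // "*", "Internet", a CIDR or a service tag
  sourceAddressPrefixes?: string[];
  destinationPortRange?: string; // "22", "1000-2000" or "*"
  destinationPortRanges?: string[];
}

interface Nsg { name: string; securityRules: SecurityRule[]; }

// Azure's built-in default inbound rules (priorities 65000+), evaluated after custom rules.
const DEFAULT_INBOUND_RULES: SecurityRule[] = [
  { name: "AllowVnetInBound", priority: 65000, direction: "Inbound", access: "Allow", protocol: "*", sourceAddressPrefix: "VirtualNetwork", destinationPortRange: "*" },
  { name: "AllowAzureLoadBalancerInBound", priority: 65001, direction: "Inbound", access: "Allow", protocol: "*", sourceAddressPrefix: "AzureLoadBalancer", destinationPortRange: "*" },
  { name: "DenyAllInBound", priority: 65500, direction: "Inbound", access: "Deny", protocol: "*", sourceAddressPrefix: "*", destinationPortRange: "*" },
];

// Source values that match traffic arriving from anywhere on the Internet (the ★ ANY case).
const ANY_SOURCE = new Set(["*", "0.0.0.0/0", "::/0", "Internet"]);

function ruleSources(rule: SecurityRule): string[] {
  const list = rule.sourceAddressPrefixes;
  return list && list.length > 0 ? list : [rule.sourceAddressPrefix ?? "*"];
}

function rulePortRanges(rule: SecurityRule): Array<[number, number]> {
  const list = rule.destinationPortRanges;
  const raw = list && list.length > 0 ? list : [rule.destinationPortRange ?? "*"];
  return raw.map((r): [number, number] => {
    if (r === "*") return [0, 65535];
    const parts = r.split("-").map(Number);
    return [parts[0], parts.length > 1 ? parts[1] : parts[0]];
  });
}

function matchesInternet(rule: SecurityRule): boolean {
  return ruleSources(rule).some((s) => ANY_SOURCE.has(s));
}

function matchesPort(rule: SecurityRule, port: number): boolean {
  return rulePortRanges(rule).some(([lo, hi]) => port >= lo && port <= hi);
}

function matchesProtocol(rule: SecurityRule, protocol: string): boolean {
  return rule.protocol === "*" || rule.protocol.toLowerCase() === protocol.toLowerCase();
}

// Outcome for Internet-sourced inbound traffic to one port: the first matching rule wins.
// Rules scoped to a specific source (e.g. a bastion subnet) never match Internet traffic.
function effectiveAccess(nsg: Nsg, port: number, protocol = "Tcp"): RuleAccess {
  const inbound = [...nsg.securityRules, ...DEFAULT_INBOUND_RULES]
    .filter((r) => r.direction === "Inbound")
    .sort((a, b) => a.priority - b.priority);
  for (const rule of inbound) {
    if (matchesProtocol(rule, protocol) && matchesInternet(rule) && matchesPort(rule, port)) return rule.access;
  }
  return "Deny"; // not reached in practice: DenyAllInBound matches everything
}

// One row of the effectiveness matrix: Allow/Deny per critical port.
function exposureMatrix(nsg: Nsg, criticalPorts: number[]): Record<number, RuleAccess> {
  const matrix: Record<number, RuleAccess> = {};
  for (const port of criticalPorts) matrix[port] = effectiveAccess(nsg, port);
  return matrix;
}

// Custom inbound Allow rules whose source is "any", in evaluation order.
function anySourceAllowRules(nsg: Nsg): string[] {
  return nsg.securityRules
    .filter((r) => r.direction === "Inbound" && r.access === "Allow" && matchesInternet(r))
    .sort((a, b) => a.priority - b.priority)
    .map((r) => r.name);
}

// Constructed sample. The Deny at priority 120 shadows the later Allow for 1433 but not 1434.
const SAMPLE_NSG: Nsg = {
  name: "nsg-app-subnet",
  securityRules: [
    { name: "allow-ssh-from-bastion", priority: 100, direction: "Inbound", access: "Allow", protocol: "Tcp", sourceAddressPrefix: "10.0.1.0/24", destinationPortRange: "22" },
    { name: "allow-rdp-any", priority: 110, direction: "Inbound", access: "Allow", protocol: "Tcp", sourceAddressPrefix: "*", destinationPortRange: "3389" },
    { name: "deny-sql-any", priority: 120, direction: "Inbound", access: "Deny", protocol: "Tcp", sourceAddressPrefix: "0.0.0.0/0", destinationPortRange: "1433" },
    { name: "allow-web", priority: 130, direction: "Inbound", access: "Allow", protocol: "Tcp", sourceAddressPrefix: "Internet", destinationPortRanges: ["80", "443"] },
    { name: "allow-sql-range", priority: 200, direction: "Inbound", access: "Allow", protocol: "Tcp", sourceAddressPrefix: "*", destinationPortRange: "1433-1434" },
  ],
};
const CRITICAL_PORTS = [22, 3389, 1433, 1434, 3306, 6379];

console.log(exposureMatrix(SAMPLE_NSG, CRITICAL_PORTS));
console.log("★ ANY rules:", anySourceAllowRules(SAMPLE_NSG));
```

Two things the sample is built to show: SSH reads as denied even though an Allow for port 22 exists, because that rule's source is a bastion prefix and never matches Internet traffic; and port 1434 is exposed while 1433 is not, because the Deny at priority 120 only covers 1433 and the wider Allow at 200 still catches the neighbouring port. Any matrix that ignores priority ordering will misreport both.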
Azure Firewall Policy Analyzer
- Threat intelligence mode check — flags firewalls with threat intel disabled
- Permissive rule detection — identifies rules with wildcard source/destination
- Rule collection analysis — counts and evaluates NAT, network, and application rule collections
Private Endpoint Connectivity Map
- Endpoint inventory — shows all private endpoints with their service type and connection state
- Connectivity state — highlights disconnected or pending private endpoints
- Subnet mapping — traces each endpoint to its owning VNet/subnet
Zero Trust Segmentation Gap Detection
- Flat network detection — flags architectures without segmentation
- Missing NSG analysis — identifies subnets without Network Security Groups
- Insecure peering — detects peerings that allow transit without firewall inspection
- Missing route tables — flags subnets without user-defined routes
- Service endpoint gaps — identifies subnets missing key service endpoints
Remediation Rule Generation
- NSG deny rules — generates inbound deny rules for exposed management ports
- Bicep IaC snippets — produces infrastructure-as-code for each remediation
- Azure CLI commands — one-click CLI scripts to apply fixes
- Impact assessment — each remediation rated as low, medium, or high impact
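A generated deny rule only works if it is evaluated before the Allow it is meant to override, and ARM rejects a rule whose priority is already taken, so the generator has to pick the priority from the NSG's existing rules rather than hard-code one. The following is an added example, not the extension's remediation-generator.ts; the interfaces, function names, sample rules and sample finding are constructed for illustration.

```typescript
// Added example, not the extension's remediation-generator.ts: turn an
// exposed-management-port finding into an inbound Deny rule and render it
// as a Bicep resource and as an Azure CLI command. The Deny must sit at a
// numerically lower (earlier) priority than the offending Allow rule, and
// the priority must be unused in the NSG, or ARM rejects the rule.
// Data shapes, names and the sample finding are constructed for this example.

interface ExistingRule { name: string; priority: number; direction: "Inbound" | "Outbound"; access: "Allow" | "Deny"; }
interface ExposedPortFinding { resourceGroup: string; nsgName: string; port: number; offendingRule: string; }
interface Remediation { ruleName: string; priority: number; bicep: string; cli: string; }

const MIN_CUSTOM_PRIORITY = 100; // Azure allows 100-4096 for custom rules

// Highest free priority value that still precedes the offending Allow rule.
function pickDenyPriority(rules: ExistingRule[], offendingRule: string): number {
  const target = rules.find((r) => r.name === offendingRule);
  if (!target) throw new Error(`rule ${offendingRule} not found in NSG`);
  const used = new Set(rules.filter((r) => r.direction === "Inbound").map((r) => r.priority));
  for (let p = target.priority - 1; p >= MIN_CUSTOM_PRIORITY; p--) {
    if (!used.has(p)) return p;
  }
  throw new Error(`no free priority below ${target.priority}; renumber ${offendingRule} first`);
}

function renderBicep(finding: ExposedPortFinding, ruleName: string, priority: number): string {
  return [
    `resource denyRule 'Microsoft.Network/networkSecurityGroups/securityRules@2023-05-01' = {`,
    `  name: '${finding.nsgName}/${ruleName}'`,
    `  properties: {`,
    `    priority: ${priority}`,
    `    direction: 'Inbound'`,
    `    access: 'Deny'`,
    `    protocol: 'Tcp'`,
    `    sourceAddressPrefix: '*'`,
    `    sourcePortRange: '*'`,
    `    destinationAddressPrefix: '*'`,
    `    destinationPortRange: '${finding.port}'`,
    `  }`,
    `}`,
  ].join("\n");
}

function renderCli(finding: ExposedPortFinding, ruleName: string, priority: number): string {
  return [
    `az network nsg rule create`,
    `--resource-group ${finding.resourceGroup}`,
    `--nsg-name ${finding.nsgName}`,
    `--name ${ruleName}`,
    `--priority ${priority}`,
    `--direction Inbound --access Deny --protocol Tcp`,
    `--source-address-prefixes '*' --source-port-ranges '*'`,
    `--destination-address-prefixes '*' --destination-port-ranges ${finding.port}`,
  ].join(" \\\n  ");
}

function generateRemediation(finding: ExposedPortFinding, rules: ExistingRule[]): Remediation {
  const priority = pickDenyPriority(rules, finding.offendingRule);
  const ruleName = `deny-inbound-${finding.port}-from-any`;
  return { ruleName, priority, bicep: renderBicep(finding, ruleName, priority), cli: renderCli(finding, ruleName, priority) };
}

// Constructed sample: 109 is already taken, so the Deny lands at 108.
const SAMPLE_RULES: ExistingRule[] = [
  { name: "allow-ssh-from-bastion", priority: 100, direction: "Inbound", access: "Allow" },
  { name: "allow-monitoring", priority: 109, direction: "Inbound", access: "Allow" },
  { name: "allow-rdp-any", priority: 110, direction: "Inbound", access: "Allow" },
  { name: "allow-web", priority: 130, direction: "Inbound", access: "Allow" },
];
const SAMPLE_FINDING: ExposedPortFinding = {
  resourceGroup: "rg-prod-net", nsgName: "nsg-app-subnet", port: 3389, offendingRule: "allow-rdp-any",
};

const remediation = generateRemediation(SAMPLE_FINDING, SAMPLE_RULES);
console.log(remediation.bicep);
console.log(remediation.cli);
```

Two caveats for anyone applying such output: the Deny blocks the port from every source, the operators' own included, so the lower-impact fix is usually to narrow the Allow's source to the bastion or jump-host prefix instead; and a Deny that precedes one Allow still loses to any other Allow for the same port at an even lower priority, which is exactly what the exposure matrix should be re-run to confirm.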
Security Posture Scoring
- Five weighted categories, 100 points in total: Network Segmentation (25), NSG Configuration (25), Firewall Protection (20), Private Connectivity (15), Monitoring & Logging (15)
- Overall grade: A through F based on composite percentage
- Status bar indicator: live posture grade with finding counts in the VS Code status bar
Requirements
- VS Code 1.85.0 or later
- An Azure subscription; analysis only needs read access to network resources
- An Azure CLI login or any other credential source supported by `DefaultAzureCredential`
- RBAC: Reader on the subscription or on the scoped resource groups; Network Contributor only if you apply the generated remediations
Getting Started
- Install the extension
- Open the Command Palette (`Ctrl+Shift+P`) and run Zero Trust: Connect to Azure Subscription
- Enter your Azure subscription ID (or set `zeroTrust.subscriptionId` in settings)
- The extension fetches your network topology and runs Zero Trust analysis automatically
- Explore the Network Topology and Security Findings panels in the Activity Bar sidebar
Commands
| Command | Description |
|---|---|
| Zero Trust: Connect to Azure Subscription | Authenticate and connect to your Azure subscription |
| Zero Trust: Refresh Network Topology | Re-fetch all network resources and re-run analysis |
| Zero Trust: View Topology Map | Open the interactive network topology webview |
| Zero Trust: Analyze NSG Rules | Open the analysis dashboard with the NSG effectiveness matrix |
| Zero Trust: Analyze Firewall Policies | Show firewall-specific findings |
| Zero Trust: Detect Segmentation Gaps | Show segmentation and peering findings |
| Zero Trust: Generate Remediation Rules | Export remediation as Bicep, CLI, or JSON |
| Zero Trust: View Private Endpoint Map | View private endpoint connectivity in the topology map |
| Zero Trust: Export Security Report | Save the full posture report as JSON |
| Zero Trust: Disconnect Subscription | Clear all data and disconnect |
Extension Settings
| Setting | Type | Default | Description |
|---|---|---|---|
| `zeroTrust.subscriptionId` | string | `""` | Azure subscription ID to analyze |
| `zeroTrust.tenantId` | string | `""` | Azure AD tenant ID (uses the credential's default tenant if empty) |
| `zeroTrust.resourceGroups` | string[] | `[]` | Resource groups to scope the analysis to (empty = all) |
| `zeroTrust.enableAutoRefresh` | boolean | `false` | Re-fetch the topology on an interval |
| `zeroTrust.refreshIntervalMinutes` | number | `30` | Auto-refresh interval in minutes |
| `zeroTrust.maxOpenPorts` | number | `5` | Maximum number of open inbound ports before flagging |
| `zeroTrust.flagAnySourceRules` | boolean | `true` | Flag NSG rules that allow traffic from any source |
| `zeroTrust.criticalPorts` | number[] | `[22, 3389, 1433, ...]` | Ports considered critical if exposed |
Architecture
```text
src/
├── extension.ts                 # Entry point — command registration, lifecycle
├── common/
│   ├── types.ts                 # All interfaces: VNet, NSG, Firewall, Findings, Posture
│   ├── azure-network-client.ts  # ARM REST API client for network resources
│   ├── zero-trust-analyzer.ts   # Analysis engine with posture scoring
│   └── remediation-generator.ts # NSG/Bicep/CLI remediation output
└── views/
    ├── tree-providers.ts        # Sidebar tree views (topology + findings)
    ├── topology-panel.ts        # Interactive topology map webview
    ├── analysis-dashboard.ts    # Posture dashboard with NSG matrix
    └── status-bar-manager.ts    # Status bar posture indicator
```
Security Findings Categories
| Category | Severity | Description |
|---|---|---|
| `open-management-ports` | Critical | SSH/RDP exposed to the Internet |
| `any-source-allowed` | High | NSG rules allowing traffic from any source |
| `deny-all-missing` | High | No explicit deny-all inbound rule |
| `no-nsg-attached` | High | Subnet without a Network Security Group |
| `no-firewall-inspection` | High | No Azure Firewall in the analyzed scope |
| `overly-permissive-rule` | Medium | NSG rules with very broad port/address ranges |
| `flat-network` | Medium | All VNets in a flat topology without segmentation |
| `insecure-peering` | Medium | Peering allows transit without firewall inspection |
| `no-route-table` | Medium | Subnet without user-defined routes |
| `missing-flow-logs` | Medium | NSG flow logs not enabled |
| `exposed-database-port` | High | Database ports open to the Internet |
| `missing-service-endpoint` | Low | Subnet missing service endpoints for key services |
| `missing-private-endpoint` | Info | Resources accessible without private endpoints |
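The `insecure-peering` and `no-route-table` categories hide a routing subtlety that a checker has to model explicitly: Azure picks the route with the longest matching prefix and, on an equal-length tie, a user-defined route beats the system route. VNet peering installs a system route for the remote VNet's whole address space, so a `0.0.0.0/0` UDR pointing at the firewall does not send spoke-to-hub traffic through it; the spoke needs a UDR for the remote prefix itself. The following is an added example, not the extension's own analyzer; the interfaces, helper names and the hub-spoke sample topology are constructed for illustration.

```typescript
// Added example, not the extension's own analyzer: decide whether each subnet's
// traffic towards a peered VNet actually transits the Azure Firewall. Azure selects
// the route with the longest matching prefix; on an equal-length tie a user-defined
// route beats the system route. Peering installs a system route for the remote
// VNet's whole address space, so a 0.0.0.0/0 UDR to the firewall does not override
// it: the spoke needs a UDR for the remote prefix itself. Sample topology is constructed.

type NextHopType = "VnetLocal" | "VNetPeering" | "Internet" | "VirtualAppliance" | "None";

interface Route { addressPrefix: string; nextHopType: NextHopType; nextHopIpAddress?: string; origin: "User" | "System"; }
interface Subnet { name: string; addressPrefix: string; udrs: Route[]; } // udrs empty = no route table attached
interface Peering { name: string; remoteVnet: string; }
interface VNet { name: string; addressSpace: string[]; subnets: Subnet[]; peerings: Peering[]; }
interface PeeringFinding { vnet: string; subnet: string; peering: string; nextHop: string; }

function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}
function intToIp(n: number): string {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 0xff).join(".");
}
function prefixLength(cidr: string): number {
  return Number(cidr.split("/")[1]);
}
function cidrContains(cidr: string, ip: string): boolean {
  const bits = prefixLength(cidr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(cidr.split("/")[0]) & mask) >>> 0) === ((ipToInt(ip) & mask) >>> 0);
}

// System routes Azure installs in every subnet: local VNet space, each peered
// VNet's space (next hop "VNetPeering") and the default route to the Internet.
function systemRoutes(local: VNet, all: VNet[]): Route[] {
  const routes = local.addressSpace.map((p): Route => ({ addressPrefix: p, nextHopType: "VnetLocal", origin: "System" }));
  for (const peering of local.peerings) {
    const remote = all.find((v) => v.name === peering.remoteVnet);
    for (const p of remote?.addressSpace ?? []) routes.push({ addressPrefix: p, nextHopType: "VNetPeering", origin: "System" });
  }
  routes.push({ addressPrefix: "0.0.0.0/0", nextHopType: "Internet", origin: "System" });
  return routes;
}

// Effective route for one destination IP: longest prefix first, then User beats System.
function effectiveRoute(subnet: Subnet, local: VNet, all: VNet[], destIp: string): Route {
  const candidates = [...subnet.udrs, ...systemRoutes(local, all)].filter((r) => cidrContains(r.addressPrefix, destIp));
  candidates.sort((a, b) =>
    prefixLength(b.addressPrefix) - prefixLength(a.addressPrefix) ||
    Number(b.origin === "User") - Number(a.origin === "User"));
  return candidates[0]; // the 0.0.0.0/0 system route guarantees a candidate
}

// Flag every (subnet, peering) pair whose traffic to the remote VNet bypasses the firewall.
function insecurePeerings(vnets: VNet[], firewallIps: Set<string>): PeeringFinding[] {
  const findings: PeeringFinding[] = [];
  for (const vnet of vnets) {
    for (const peering of vnet.peerings) {
      const remote = vnets.find((v) => v.name === peering.remoteVnet);
      if (!remote || remote.addressSpace.length === 0) continue;
      // Probe with the first usable address of the remote VNet's first prefix.
      const probe = intToIp(ipToInt(remote.addressSpace[0].split("/")[0]) + 1);
      for (const subnet of vnet.subnets) {
        // The firewall's and gateway's own subnets must not be hairpinned through the firewall.
        if (subnet.name === "AzureFirewallSubnet" || subnet.name === "GatewaySubnet") continue;
        const route = effectiveRoute(subnet, vnet, vnets, probe);
        const inspected = route.nextHopType === "VirtualAppliance" &&
          route.nextHopIpAddress !== undefined && firewallIps.has(route.nextHopIpAddress);
        if (!inspected) {
          findings.push({ vnet: vnet.name, subnet: subnet.name, peering: peering.name,
            nextHop: `${route.nextHopType} via ${route.addressPrefix}` });
        }
      }
    }
  }
  return findings;
}

// Constructed hub-spoke sample with one Azure Firewall at 10.0.1.4.
const FW_IP = "10.0.1.4";
const toFirewall = (prefix: string): Route =>
  ({ addressPrefix: prefix, nextHopType: "VirtualAppliance", nextHopIpAddress: FW_IP, origin: "User" });

const SAMPLE_VNETS: VNet[] = [
  { name: "vnet-hub", addressSpace: ["10.0.0.0/16"],
    subnets: [{ name: "AzureFirewallSubnet", addressPrefix: "10.0.1.0/26", udrs: [] }],
    peerings: [{ name: "hub-to-spoke-a", remoteVnet: "vnet-spoke-a" }, { name: "hub-to-spoke-b", remoteVnet: "vnet-spoke-b" }] },
  { name: "vnet-spoke-a", addressSpace: ["10.1.0.0/16"],
    // Correct: a UDR for the hub prefix itself ties with the /16 system route and wins.
    subnets: [{ name: "snet-app", addressPrefix: "10.1.1.0/24", udrs: [toFirewall("0.0.0.0/0"), toFirewall("10.0.0.0/16")] }],
    peerings: [{ name: "spoke-a-to-hub", remoteVnet: "vnet-hub" }] },
  { name: "vnet-spoke-b", addressSpace: ["10.2.0.0/16"],
    subnets: [
      { name: "snet-data", addressPrefix: "10.2.1.0/24", udrs: [toFirewall("0.0.0.0/0")] }, // default route only: bypassed
      { name: "snet-legacy", addressPrefix: "10.2.2.0/24", udrs: [] },                     // no route table at all
    ],
    peerings: [{ name: "spoke-b-to-hub", remoteVnet: "vnet-hub" }] },
];

console.log(insecurePeerings(SAMPLE_VNETS, new Set([FW_IP])));
```

Run against the sample, only the two spoke-b subnets are flagged: `snet-legacy` has no route table, and `snet-data` has a default route to the firewall that the more specific `10.0.0.0/16` peering route still beats. `snet-app` in spoke-a passes because its UDR for the hub prefix wins the tie. A checker that merely looks for a `0.0.0.0/0` route to a virtual appliance would mark `snet-data` healthy.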
Security Report Format
The JSON report written by Zero Trust: Export Security Report includes:
```json
{
  "generatedAt": "2024-01-15T12:00:00.000Z",
  "overallGrade": "B",
  "overallScore": 78,
  "summary": "3 high-severity finding(s) detected",
  "categoryScores": [...],
  "topologyType": "hub-spoke",
  "vnetCount": 4,
  "nsgCount": 8,
  "firewallCount": 1,
  "privateEndpointCount": 12,
  "findings": [...],
  "remediations": [...]
}
```
License
MIT