An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity.

A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.

Microsoft.Network/virtualNetworkGateways/generateVpnProfile/action

Generates a point-to-site (P2S) VPN client profile package containing the connection configuration and embedded credential material; a holder of this action can use the profile to establish a tunnel into the private network.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
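A defender's first question for an entry like this is which principals actually hold the action. The Python below is an added example, not part of the catalog or of any P0 Security tooling: it audits a set of Azure RBAC role definitions and assignments for effective possession of `generateVpnProfile/action` on a specific gateway, applying Azure's real matching rules (`*` wildcards in `Actions`, subtraction by `NotActions`, case-insensitive comparison, and scope inheritance through the resource ID hierarchy). The role definitions, assignments, subscription ID and gateway resource ID are constructed sample data; the code does not model deny assignments, PIM-eligible assignments, or `DataActions`, so treat its output as a starting point rather than a complete access review.

```python
import re
from dataclasses import dataclass, field

# The control-plane action this catalog entry describes.
TARGET_ACTION = "Microsoft.Network/virtualNetworkGateways/generateVpnProfile/action"


@dataclass
class RoleDefinition:
    """Subset of an Azure RBAC role definition: Actions and NotActions only."""
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal: str   # user, group or service principal
    role_name: str
    scope: str       # resource ID at which the role is assigned


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC matching: '*' matches any run of characters; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: RoleDefinition, action: str) -> bool:
    """A role grants an action if some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role.actions)
    denied = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to a resource when its scope is that resource or an ancestor of it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def principals_with_action(roles, assignments, resource_id, action=TARGET_ACTION):
    """Return the sorted principals whose assignments grant `action` on `resource_id`."""
    by_name = {r.name: r for r in roles}
    found = set()
    for asg in assignments:
        role = by_name.get(asg.role_name)
        if role is None:
            continue  # unknown role definition: a real audit should report this, not skip it
        if scope_covers(asg.scope, resource_id) and role_grants(role, action):
            found.add(asg.principal)
    return sorted(found)


# Constructed sample data (placeholder subscription ID, hypothetical names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
GATEWAY = (SUB + "/resourceGroups/hub-rg/providers/Microsoft.Network"
           "/virtualNetworkGateways/hub-vpn-gw")

SAMPLE_ROLES = [
    RoleDefinition("Owner", ["*"]),                                   # simplified built-in
    RoleDefinition("Reader", ["*/read"]),                             # simplified built-in
    RoleDefinition("Network Contributor", ["Microsoft.Network/*"]),   # simplified built-in
    # Hypothetical custom role that deliberately carves the profile action out.
    RoleDefinition("Gateway Monitor (custom)",
                   ["Microsoft.Network/virtualNetworkGateways/*"],
                   not_actions=[TARGET_ACTION]),
]

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice@example.com", "Owner", SUB),
    RoleAssignment("bob@example.com", "Reader", SUB),
    RoleAssignment("ci-deploy-sp", "Network Contributor", SUB + "/resourceGroups/hub-rg"),
    RoleAssignment("noc-oncall-group", "Gateway Monitor (custom)", GATEWAY),
    RoleAssignment("carol@example.com", "Network Contributor", SUB + "/resourceGroups/other-rg"),
]

if __name__ == "__main__":
    for p in principals_with_action(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS, GATEWAY):
        print("can generate P2S VPN profile on hub-vpn-gw:", p)
```

In the sample, only `alice@example.com` (Owner at subscription scope) and `ci-deploy-sp` (Network Contributor on the gateway's resource group) surface; the Reader's `*/read` never matches an `/action`, the custom role's `NotActions` removes the action, and `carol@example.com`'s assignment sits in a different resource group and so does not cover the gateway. Running the same logic over exported role definitions and assignments gives a concrete review list for a permission whose catalog scope is HIGH.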

Links

  • https://azure.permissions.cloud/iam/microsoft.network
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog