services / Azure / Virtual network taps

A VirtualNetworkTap is a traffic-mirroring (terminal access point) resource that continuously copies a source VM network interface's live traffic, encapsulated via VXLAN, to a collector destination (a VM NIC or internal load balancer) in the same or a peered VNet.

Touches the in-flight network traffic of production VMs; misuse enables silent interception of potentially sensitive data.


Microsoft.​Network/​virtualNetworkTaps/​Join/​action

Joining a NIC to a tap causes that interface's live traffic to be mirrored to the tap's collector, enabling silent, continuous interception/exfiltration of in-flight data and ongoing centralized collection; the action is flagged Not Alertable, making it stealthy.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​Network
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog