Executive Summary
We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments.
The risk is present in three scenarios:
- Accidental - internal: A network administrator deploys Private Endpoints to improve network security within an Azure environment.
- Accidental - vendor: A third-party vendor deploys Private Endpoints as part of its solution, for example to enable resource scanning by a security product.
- Malicious - attacker: A threat actor who gained access to an Azure environment intentionally deploys Private Endpoints as part of a DoS attack.
Our research indicates that over 5% of Azure storage accounts currently operate with configurations that are subject to this DoS issue. In most environments, at least one resource in each of the following services is susceptible:
- Key Vault
- CosmosDB
- Azure Container Registry (ACR)
- Function Apps
- OpenAI accounts
This issue has the potential to affect organizations in multiple ways. For example, denying service to storage accounts could cause Azure Functions within Function Apps to fail, along with subsequent updates to those apps. In another scenario, the risk could lead to DoS against Key Vaults, with a ripple effect on every process that depends on the secrets stored in the vault.
Microsoft provides "fallback to internet" advice that partially addresses this and other known issues associated with Private Endpoints.
We discuss these issues, propose potential solutions and suggest ways that defenders can scan their environments for resources that are susceptible to DoS attacks.
Palo Alto Networks customers are better protected from the threats discussed in this article through the following products:
Unit 42 Cloud Security Assessment is a strategic evaluation service that reviews your organization’s cloud infrastructure to identify misconfigurations and security gaps, enabling teams to strengthen their posture against cloud-based threats.