Discover and Assess Public Network Endpoints/Resources
Implementation Effort: Medium
User Impact: Low
Overview
Comprehensively inventory and assess all externally facing network endpoints—such as public IP addresses, load balancers and Application Gateways by leveraging Azure Resource Graph for high-scale, cross-subscription queries or Defender for Cloud’s asset discovery and exposure assessment. Begin by running targeted Resource Graph queries (e.g., filtering on Microsoft.Network/publicIPAddresses
and Microsoft.Network/loadBalancers
) to catalogue every public endpoint. Then use Defender for Cloud’s asset inventory and “Expose to Internet” recommendations to surface unmanaged or high-risk resources, assign risk scores, and prioritize remediation. This unified view not only ensures that you understand your full external attack surface but also feeds directly into your broader Zero Trust validation and monitoring workflows.