-
Notifications
You must be signed in to change notification settings - Fork 0
Network Effective
network-effective is the combined network view that tries to show which assets are probably most
reachable after visible Azure network layers are considered together.
Use it when you need a joined network picture instead of reasoning about endpoints, NICs, and inbound rules in isolation.
- Which assets are probably most reachable after visible Azure network layers are combined?
- Which reachable-looking asset deserves follow-up first?
- Which network story is strongest without over-claiming certainty?
azurefox network-effective --output tableFor saved structured output:
azurefox network-effective --output json| asset | endpoint | priority | internet ports | narrower ports |
|---|---|---|---|---|
vm-web-01 |
52.160.10.20 |
high |
TCP/22 |
TCP/443, TCP/8080 |
- when you want the combined network picture instead of manual stitching
- after
endpoints,nics, ornetwork-portssuggest several possible exposure paths - when you need a more honest reachability ranking than any one source table can provide
- assets whose combined visible network story is strongest
- externally relevant endpoints and public-IP-linked placement
- matching or permissive inbound rule posture
- clear explanation of what evidence raised the asset and where confidence is limited
Single network clues are easy to over-read.
A scary-looking rule may matter less once the broader network picture is considered, and a quiet
asset may matter more once several visible layers line up. network-effective is useful because it
helps you reason about that combined picture without pretending AzureFox has certainty it does not
have.
- the assets with the clearest combined ingress story
- endpoint, NIC, and inbound-rule evidence that lines up cleanly
- explicit confidence or limitation cues
- the workloads that become priority once several network layers point the same way
- If you see
effective_exposure=highwithinternet_exposed_ports, go next to Network-Ports because it shows the exact inbound rule evidence behind that exposure ranking. - If the exposed asset also carries identity context, go next to Managed-Identities because it answers whether that reachable asset is also an Azure token path.
- If the exposed asset is a joined workload you want to prioritize against peers, go next to
workloadsbecause it shows the broader workload and identity story behind the reachable asset.
- Use this command to choose the first network path worth validating, not to declare final proof.
- Pair its ranking with the underlying endpoint and rule evidence before making stronger claims.
- Treat clear limitation cues as part of the result, not an inconvenience to ignore.
network-effective is a routing and synthesis command.
It should combine visible network evidence into a more usable priority view. It is not real listener proof or certainty theater.
- Home
- Getting Started
- Platform Notes
- Running Against The Proof Lab
- Understanding Output
- Command Guides
Core
Identity
Config
Secrets
Storage
Resource
Compute
Orchestration
Chain Families
Grouped Sweeps
Investigations
- Axios - Post Exposure Azure Triage
- From EvilTokens to AzureFox: Why Token Theft Can Become Azure Control
- FAQ / Known Limits (coming soon)