Network Resources

Network resources are available in InsightCloudSec as the fourth section (tab) under the Resource landing page. These resources are related to network functionality and include resources like load balancers, route tables, and internet gateways.

Network resources are displayed alphabetically using the InsightCloudSec normalized terminology. Hovering over an individual resource shows the CSP-specific terminology with the associated logo, to help users confirm the displayed information. For example, in InsightCloudSec a Network refers to Amazon's "VPC", Azure's "Virtual Network", Google's "VPC", etc.

For a detailed reference of this normalized terminology check out our Resource Terminology.

Some attributes may not be included in these lists

A large number of Resource Attributes are offered for the resources outlined here. Because we are continuously expanding our supported resources, the attributes and details included here cannot be guaranteed to cover every resource or every attribute.

If you need information about the attributes of a particular resource we are happy to help get those details for you - reach out to us through the Customer Support Portal with any questions!

Access Lists

Access List

Access Lists are used to protect any ingress/egress traffic to cloud resources (e.g. Security Groups/NACLs).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| access_list_id | The provider ID for the access list |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region in which the access list resides |
| access_list_type | The type of the access list |
| name | The name of the access list |
| parent_resource_id | The resource ID of the parent network |
| creation_date | The date the access list was created |
| description | The description of the access list |
| default_acl | Boolean value denoting if the access list is the provider default |
| association_count | The number of resources the access list is associated with |
| flow_logs_enabled | Denotes if the access list has flow logs enabled (Azure only) |
| namespace_id | The provider-specific namespace ID |
| relationships | The list of resources associated with the access list |
| network_tags | A list of network tags that this firewall is associated with (GCP only) |

Access List Flow Logs

Access List Flow Logs (Azure NSG Flow Logs) allow users to log information about IP traffic flowing through a Network Security Group (e.g. Azure NSG). Data that is logged is stored and can be exported.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region in which the access list resides |
| name | The name of the Access List Flow Log |
| namespace_id | The fully qualified ID of the resource, including the resource name and resource type |
| provisioning_state | The provisioning state (e.g., succeeded) of the Access List Flow Log |
| target_resource_id | The Access List Flow Log target resource identifier |
| storage_id | The Access List Flow Log storage identifier |
| retention_enabled | Boolean value denoting if retention is enabled |
| retention_time | The Access List Flow Log retention time (in days) |
| traffic_analytics_enabled | Boolean value denoting if traffic analytics is enabled |
| traffic_analytics_interval | The interval, in minutes, at which the traffic analytics service processes flow logs |

Access List Rule

Access List Rules are Ingress/Egress traffic rules for Security Groups/NACLs. They contain basic information about a single rule entry in an access list resource.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| rule_id | The provider ID of the access list rule |
| organization_service_id | The ID of the parent organization service (cloud) |
| parent_resource_id | The resource ID of the parent access list |
| access_list_name | The name of the parent access list |
| region_name | The region the rule resides in |
| name | The name of the rule |
| rule_action | Denotes if traffic is allowed or denied |
| direction | The direction of traffic (ingress or egress) |
| priority | The rule priority; applies to network ACLs only |
| ip_protocol | The protocol to which this rule applies (TCP, UDP, ICMP) |
| source_from_port | The start of the source port range. Applies to the TCP and UDP protocols |
| source_to_port | The end of the source port range. Applies to the TCP and UDP protocols |
| destination_from_port | The start of the destination port range. Applies to the TCP and UDP protocols |
| destination_to_port | The end of the destination port range. Applies to the TCP and UDP protocols |
| icmp_code | The number denoting the ICMP code |
| icmp_type | The number denoting the ICMP type |
| source_network | The source network ID |
| source_network_from_ip | The start of the IP range associated with the source network |
| source_network_to_ip | The end of the IP range associated with the source network |
| destination_network | Denotes the type of network |
| destination_network_from_ip | The start of the IP range associated with the destination network |
| destination_network_to_ip | The end of the IP range associated with the destination network |
| is_temporary | Boolean value denoting whether the rule is temporary |
| schedule_data_create_rule | Denotes the association of a create rule |
| schedule_data_delete_rule | Denotes the association of a delete rule |
| scheduled_event_id_create_rule | The event ID of a create rule execution |
| scheduled_event_id_delete_rule | The event ID of a delete rule execution |

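
The attributes above are enough to reason about what an access list actually admits. The following is an added example (not InsightCloudSec code or part of this reference) that evaluates constructed Access List Rule records keyed by the attribute names in the table: rules carrying a `priority` are evaluated lowest number first with the first match deciding, as on a network ACL, while rules without a priority are treated as allow-only security group entries. The `access_list_name` values, `resource_id` values, address ranges, and the treatment of `ALL`/`-1` as a wildcard protocol are all assumptions made for the example.

```python
import ipaddress

# Entire IPv4 space, the range a "world open" rule spans.
ANY_V4_START = int(ipaddress.IPv4Address("0.0.0.0"))
ANY_V4_END = int(ipaddress.IPv4Address("255.255.255.255"))

# Constructed sample records keyed by the Access List Rule attribute names above.
# The resource_id values, list names and ranges are hypothetical, not from a real environment.
SAMPLE_RULES = [
    # Security-group style rules: no priority, allow only.
    {"resource_id": "aclrule-example-1", "access_list_name": "web-sg", "priority": None,
     "rule_action": "allow", "direction": "ingress", "ip_protocol": "TCP",
     "destination_from_port": 443, "destination_to_port": 443,
     "source_network_from_ip": "0.0.0.0", "source_network_to_ip": "255.255.255.255"},
    {"resource_id": "aclrule-example-2", "access_list_name": "web-sg", "priority": None,
     "rule_action": "allow", "direction": "ingress", "ip_protocol": "TCP",
     "destination_from_port": 22, "destination_to_port": 22,
     "source_network_from_ip": "10.0.0.0", "source_network_to_ip": "10.0.255.255"},
    # Network-ACL style rules: ordered by priority, first match wins.
    {"resource_id": "aclrule-example-3", "access_list_name": "app-nacl", "priority": 100,
     "rule_action": "deny", "direction": "ingress", "ip_protocol": "TCP",
     "destination_from_port": 3389, "destination_to_port": 3389,
     "source_network_from_ip": "0.0.0.0", "source_network_to_ip": "255.255.255.255"},
    {"resource_id": "aclrule-example-4", "access_list_name": "app-nacl", "priority": 200,
     "rule_action": "allow", "direction": "ingress", "ip_protocol": "TCP",
     "destination_from_port": 0, "destination_to_port": 65535,
     "source_network_from_ip": "0.0.0.0", "source_network_to_ip": "255.255.255.255"},
]


def _ip_int(address):
    """Integer form of a dotted-quad IPv4 address, for range comparisons."""
    return int(ipaddress.IPv4Address(address))


def is_world_open(rule):
    """True when the rule's source range covers every IPv4 address."""
    return (_ip_int(rule["source_network_from_ip"]) == ANY_V4_START
            and _ip_int(rule["source_network_to_ip"]) == ANY_V4_END)


def rule_matches(rule, direction, protocol, port, source_ip):
    """Does this rule apply to `protocol` traffic on `port` from `source_ip`?"""
    if rule["direction"] != direction:
        return False
    # "ALL" / "-1" are treated as wildcard protocols (assumption for this example).
    if str(rule["ip_protocol"]).upper() not in (protocol.upper(), "ALL", "-1"):
        return False
    if not rule["destination_from_port"] <= port <= rule["destination_to_port"]:
        return False
    src = _ip_int(source_ip)
    return _ip_int(rule["source_network_from_ip"]) <= src <= _ip_int(rule["source_network_to_ip"])


def effective_action(rules, access_list_name, port, source_ip, protocol="TCP"):
    """'allow' or 'deny' for ingress to `port` from `source_ip` on one access list.

    Rules that carry a priority are evaluated lowest number first and the first
    match decides (network ACL semantics). Rules without a priority are allow-only
    (security group semantics): any match allows, no match denies.
    """
    candidates = [r for r in rules if r["access_list_name"] == access_list_name]
    ordered = sorted((r for r in candidates if r["priority"] is not None),
                     key=lambda r: r["priority"])
    for rule in ordered:
        if rule_matches(rule, "ingress", protocol, port, source_ip):
            return rule["rule_action"]
    for rule in candidates:
        if rule["priority"] is None and rule_matches(rule, "ingress", protocol, port, source_ip):
            return "allow"
    return "deny"


# A representative address outside private space (TEST-NET-3, RFC 5737).
PUBLIC_PROBE_IP = "203.0.113.5"


def exposed_ports(rules, access_list_name, ports, protocol="TCP"):
    """Ports, from `ports`, that the access list admits from a public source."""
    return [p for p in ports
            if effective_action(rules, access_list_name, p, PUBLIC_PROBE_IP, protocol) == "allow"]


if __name__ == "__main__":
    for acl in ("web-sg", "app-nacl"):
        print(acl, "exposes", exposed_ports(SAMPLE_RULES, acl, [22, 443, 3389]))
```

The point of the two list styles is that `rule_action` and `priority` change how a single record should be read: the world-open `allow` on the NACL is harmless for 3389 only because a lower-numbered `deny` sits in front of it, so a check that looks at one rule in isolation (as `is_world_open` does) will both over- and under-report compared with evaluating the list in order.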
Applications

Application Gateway

An Application Gateway is an application program that runs on a firewall system between two networks, for example an AWS API Gateway or Azure API Management Service.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| api_id | The API identifier |
| name | The name of the API |
| description | The description of the resource |
| version | The version of the application gateway |
| creation_date | The date the API was created |
| api_key_source | The API key source |
| endpoint_configuration | The endpoint configuration of the API |
| policy | The policy associated with the application gateway |
| trusted_accounts | The list of trusted accounts |
| minimum_compression_size | Minimum compression size (in bytes) for the application gateway |
| protocol | The protocol to be used with the application gateway |
| relationships | List of resources associated with the application gateway |
| custom_domains | Custom domains configured for the application gateway |
| public_ip_addresses | A list of public IP addresses associated with the application gateway |
| full_tls_10 | Indicates if TLS 1.0 is enabled for an API resource |
| full_tls_11 | Indicates if TLS 1.1 is enabled for an API resource |
| full_tls_12 | Indicates if TLS 1.2 is enabled for an API resource |
| full_ssl_30 | Indicates if SSL 3.0 is enabled for an API resource |

Application Gateway Domain

An application gateway domain is a domain name typically designated and configured for use with an API Gateway. An example of this type of resource is AWS API Gateway Domain.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region in which the application gateway domain resides |
| domain_name | The domain name of the application gateway domain |
| certificate_arn | The certificate ARN for the application gateway domain |
| endpoint_type | The endpoint type (e.g., 'edge', 'regional') for the application gateway domain |
| security_policy | The security policy for the application gateway domain (e.g., 'TLS_1_0', 'TLS_1_2') |
| version | The version of the application gateway domain (e.g., 'v2') |

Application Key

Application Keys or AWS API Gateway keys are alphanumeric string values that you distribute to application developer customers to grant access to your API.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| key_id | The provider ID for the API key |
| name | The name of the REST API key |
| customer_id | The customer ID of the API key |
| description | The description of the resource |
| enabled | Denotes whether or not the API key is enabled |
| creation_date | The time the REST API key was created |
| last_updated | The time the REST API key was last updated |

Application Stage

The Application Stage is a resource (often used in CloudFormation templates) to create a stage for a deployment.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| stage_id | The ID of the application stage |
| parent_resource_id | The ID of the parent resource |
| name | The name of the application stage |
| gateway_name | The name of the associated gateway |
| description | The description of the resource |
| certificate_id | The certificate value |
| cache_cluster_size | The size of the cache cluster, if caching is enabled |
| cache_data_encrypted | Denotes whether or not cache data is encrypted |
| access_logging | Denotes whether the stage logs access requests |
| tracing_enabled | Boolean value denoting if tracing is turned on or off |
| web_acl_id | The ID of the web access control list |
| creation_date | The date when the resource was created |
| last_updated | The date when the resource was last updated |
| arn | The ARN associated with the resource |
| throttling_burst_limit | The throttling burst limit of the stage |
| throttling_rate_limit | The throttling rate limit of the stage |

Backend Services

Backend Services

In GCP, a backend service contains the configuration values for Google Cloud Platform load balancing services.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| name | The name of the backend service |
| kind | The kind of backend service |
| storage_container_resource_id | The ID of the associated storage container resource |
| protocol | The protocol of the backend service |
| port_name | The name of the port being used |
| port | The port number being used |
| description | The description of the resource |
| created_time | The time the resource was created |
| scheme | The backend service scheme |
| security_policy | The security policy in use |
| backends | The JSON of the backend service |

Bastion Host

Bastion Host

Bastion Hosts are part of a service that allows seamless and secure connection to your virtual machines.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The identifier of the parent organization service (cloud) |
| name | The name of the host |
| state | The state of the host |
| namespace_id | The provider-specific namespace ID for the host |
| enable_ip_connect | Denotes whether IP-based connection is enabled |
| enable_shareable_link | Denotes whether shareable links are enabled |
| private_ip_allocation_method | The private IP allocation method |
| tier | The tier of the host |

Content Delivery Network

Content Delivery Network

A Content Delivery Network is a system of servers that delivers content to users based on geographic location. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The identifier of the parent organization service (cloud) |
| distribution_id | The provider-given ID of the CDN |
| domain_name | The domain name used by the resource |
| alternate_domain_names | The alternate domain names that can be used with the resource |
| delivery_method | The delivery method of the CDN (web, RTMP, etc.) |
| root_object | The object you want the CDN to request from your origin |
| status | The status of the CDN (in progress, deployed, etc.) |
| state | The state of the CDN (enabled, disabled, etc.) |
| http_versions | The supported HTTP versions |
| https_required | Boolean value denoting if HTTPS is required |
| ipv6_enabled | Boolean value denoting if IPv6 is enabled on the CDN |
| last_modified | The date of the last resource modification |
| log_bucket | The bucket in which to store logs |
| origins | The location from which you want the CDN to get objects. RTMP distributions have only one origin |
| origin_access_identities | Used to configure origins so that viewers can only access objects through the CDN |
| origin_info_list | JSON list of information about the origin |
| security_policy | The security policy being used |
| certificate | The SSL certificate of the CDN |
| certificate_resource_id | The resource ID of the SSL certificate of the CDN |
| web_acl_id | The web access control list ID of the CDN |
| price_class | The price class. Costs vary based on performance |
| comment | Comments/descriptions users can leave on their CDN |
| arn | The ARN associated with the resource |
| logging | Boolean value denoting if logging is enabled or disabled |
| cookie_logging | Denotes if cookie logging is enabled or disabled |
| geo_whitelist | The list of whitelisted countries for the CDN |
| geo_blacklist | The list of blacklisted countries for the CDN |
| viewer_protocol_policy | The protocol that viewers can use to access the files in the origin |
| trusted_signers | The list of accounts with active key pairs that can be used to verify signatures of signed URLs and cookies |
| trusted_key_groups | The list of key groups that can be used to verify the signatures of signed URLs and cookies |
| relationships | List of resources associated with the CDN |
| cloud_functions | Cloud function(s) associated with the CDN |
| function_body_access | Denotes if a cloud function has request body access |
| origin_type | Denotes the type of origin attached to the CDN |
| cdn_policy | The policy associated with the CDN |
| storage_container_resource_id | The ID of the storage container resource associated with the CDN |
| backend_service_resource_id | The ID of the backend service resource associated with the CDN |
| waf_resource_id | The ID of the WAF resource associated with the CDN |
| default_cache_policy_id | The ID of the default cache policy associated with the CDN |

Database Migration Endpoint

Database Migration Endpoint

A Database Migration Endpoint is used to connect to a data store and migrate data from a source endpoint to a target endpoint.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the endpoint resides |
| endpoint_id | The ID of the endpoint |
| endpoint_type | The type of the endpoint |
| state | The state of the endpoint |
| server_name | The name of the database instance |
| engine_name | The provider-specific name of the database instance engine |
| engine_display_name | The display name of the database instance engine |
| key_resource_id | The resource ID of the encryption key associated with the endpoint |
| certificate_resource_id | The resource ID of the certificate associated with the endpoint |
| role_resource_id | The resource ID of the role associated with the endpoint |
| ssl_mode | The mode, if any, of SSL used by the endpoint |
| namespace_id | The provider-specific namespace ID for the endpoint |

DDOS Protection

DDoS Protection

DDoS Protection is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on your CSP.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| protection_id | The value identifying the unique protection in use |
| ref_resource_type | The resource type identifier of the protected resource |
| ref_resource_id | The value for the category of protection being used |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| arn | The ARN associated with this resource |
| ref_resource_arn | Provider-specific namespace ID of the protected resource |
| name | The name of the DDoS Protection resource |
| enabled | Boolean value denoting if the resource is enabled or disabled |
| last_attack_start_time | The start time of the most recent DDoS attack |
| last_attack_end_time | The end time of the most recent DDoS attack |
| last_attack_types | The type(s) of DDoS attack used |
| namespace_id | The provider-specific namespace ID for the DDoS Protection instance |

Direct Connect

Direct Connect

Direct Connect is a private connection between environments to reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. (See AWS Direct Connect, Azure Express Route Circuit)

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| connection_id | The value denoting the unique connection |
| name | The name of the Direct Connect resource |
| state | Denotes if the resource is active or inactive |
| location | The location of the direct connection |
| direct_connect_type | The type of direct connection being used |
| creation_timestamp | The time the direct connection was created |
| bandwidth | The bandwidth of the Direct Connect connection |

DNS Zone

DNS Zone

DNS Zones are responsible for housing all zone and record information associated with a particular zone. This resource inherits from Resource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| id | The provider ID of the zone |
| domain | The domain that the zone controls |
| comment | The descriptive comment about the zone |
| private_zone | Denotes whether or not this is a private zone |
| records | The listing of DNS records associated with this zone |
| networks | The listing of private networks that are associated with this zone |
| dns_security | The JSON of the DNS Security policy |

class DivvyResource.Resources.dnszone.DnsZone(resource_id)
Bases: DivvyResource.Resources.toplevelresource.TopLevelResource

delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

dns_zone

static get_db_class()

get_domain()
Retrieve the domain of the DNS zone.

get_networks()
Retrieve the networks associated with a private zone.

get_private_zone()
Retrieve the value of the private zone boolean.

static get_provider_id_field()

get_resource_name()

static get_resource_name_field()

static get_resource_type()

get_supported_actions()

handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

top_level_resource = True

zone_id

Forwarding Rules

Forwarding Rules

Forwarding rules (or, in the case of Azure, Load Balancer rules) define how traffic is distributed to the VMs. (See also GCP's Load Balancer Forwarding Rules.)

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| name | The name of the forwarding rule |
| load_balancer_resource_id | The load balancer resource identifier |
| target_proxy_resource_id | The target proxy resource identifier |
| ip_address | The IP address of the forwarding rule |
| ip_protocol | The IP protocol used |
| ip_version | The IP version used |
| network_tier | The network tier |
| description | The description of the resource |
| created_time | The time the forwarding rule was created |
| scheme | The forwarding rule scheme |

Global Load Balancer

Global Load Balancer

A global, scalable entry-point that uses a global edge network to create fast, secure, and widely scalable web applications.

| Attribute | Description |
| --- | --- |
| name | The name of the global load balancer |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| global_load_balancer_id | The provider ID of the global load balancer |
| region_name | The region that the instance resides in |
| state | The state of the global load balancer (e.g., Enabled) |
| all_session_affinity_enabled | An indicator of the enabled status of "all session affinity" for the global load balancer ('0' or '1') |
| all_health_probes_enabled | An indicator of the enabled status of "all health probes" for the global load balancer ('0' or '1') |
| only_https_accepted_protocol | An indicator of the enabled status of "only HTTPS accepted protocol" for the global load balancer ('0' or '1') |
| only_https_forwarding_protocol | An indicator of the enabled status of "only HTTPS forwarding protocol" for the global load balancer ('0' or '1') |
| waf_enabled | An indicator of the enabled status of "WAF" for the global load balancer ('0' or '1') |
| all_load_balancers_enabled | An indicator of the enabled status of "all load balancers" associated with the global load balancer ('0' or '1') |
| domain_names | The domain names of the associated frontend endpoints for a global load balancer |
| ip_address_type | The IP address type (v4, v6) of the global load balancer |
| arn | The ARN associated with the global load balancer |
| enabled | Denotes whether the global load balancer is enabled |
| ip_sets | The IP sets associated with the global load balancer |
| listeners | The listeners configured for the global load balancer |
| dns_name | The DNS name of the global load balancer |
| creation_time | The timestamp for when the global load balancer was created |
| last_updated_time | The timestamp for when the global load balancer was last updated |
| flowlogs_enabled | Denotes whether flow logs are enabled for the global load balancer |
| flowlogs_s3_bucket | The S3 bucket where flow logs are stored |
| flowlogs_s3_prefix | The prefix within the S3 bucket where flow logs are stored |
| rules_engines | The names of the rules engine configurations and their individual rules |

Internet Gateway

Internet Gateway

Internet Gateway resources allow communication between instances in your network and the internet. This resource inherits from Resource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| gateway_id | The unique ID of the internet gateway |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| name | The name of the internet gateway |
| network_resource_id | The resource ID of the network to which the internet gateway is attached |
| state | The state of the internet gateway |

Load Balancer

Load Balancer

Load balancers are used in multi-tier apps to distribute load across a variety of compute instances. This class inherits from TopLevelResource and has direct access to the resource’s database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| load_balancer_id | The provider ID of the load balancer |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region that the instance resides in |
| name | The name of the load balancer |
| created_time | The time the resource was created |
| fqdn | The fully qualified domain name of the load balancer |
| scheme | The load balancing scheme |
| arn | The ARN associated with this load balancer |
| lb_type | The type of load balancer |
| attributes | The load balancer attributes |
| target_count | The number of targets for the load balancer |
| ssl_policies | The SSL policies associated with the load balancer |
| security_group_ids | List of IDs for security groups associated with the load balancer |
| multi_az | Denotes whether the load balancer is configured in multiple availability zones |
| supports_redirects | Denotes whether the load balancer supports redirects |
| tier | The load balancer tier |
| waf_enabled | Denotes whether WAF is enabled for the load balancer |
| listener_config | Configuration for the listener associated with the load balancer |
| ip_address_type | The type of IP address associated with the load balancer |
| relationships | List of resources associated with the load balancer |
| ssl_protocols | The SSL protocols associated with the load balancer |
| waf_mode | The current mode of the Web Application Firewall attached to the load balancer |

class DivvyResource.Resources.loadbalancer.LoadBalancer(resource_id)
Bases: DivvyResource.Resources.toplevelresource.TopLevelResource

LoadBalancer Operations

delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

classmethod filter_query_for_global_search(query, search_string)
Apply the query filters that will restrict a provided query to the provided global search string and return the modified query.
Parameters:
query (sqlalchemy.orm.query) – Original query that includes this resource type
search_string (basestring) – Single string to search for across all important text fields for this resource
Returns: Modified query including filters that match search string
Return type: sqlalchemy.orm.query

get_date_created()
Retrieve the time from the provider that this resource was created (if available).

static get_db_class()

static get_provider_id_field()

static get_resource_type()

get_supported_actions()
Retrieve all the actions which are supported by this resource.

NAT Gateway

NAT Gateway

Enables instances in a private network to forward traffic to the Internet (e.g. AWS Nat Gateway VPC, GCP Cloud NAT, Azure NAT Gateway).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| gateway_id | The service-provided ID for this NAT gateway |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| name | The name of the NAT gateway |
| network_resource_id | The resource ID of the network to which this NAT gateway belongs. Not used for some cloud providers |
| subnet_resource_id | The resource ID of the subnet to which this NAT gateway belongs. Not used for some cloud providers |
| network_interface_resource_id | The resource ID of the network interface to which this NAT gateway belongs. Not used for some cloud providers |
| public_ip | The public-facing internet address for this NAT gateway |
| private_ip | The internal address for this NAT gateway |
| state | The state of this NAT gateway |
| create_time | The creation time of this NAT gateway |

Network

Network

Logically isolated virtual environment within a Cloud Provider (AWS VPC, Azure Virtual Network, Google VPC, etc.)

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| network_id | The provider ID of the network |
| region_name | The name of the region |
| name | The name of the network |
| state | The state of the network |
| cidr | The limiting IP address range for the network. Applies to AWS (optional) |
| prefix | The optional sub-directory to begin with |
| user_defined | Indicates whether this network is user defined or the default |
| type | The network type |
| shared | Denotes whether or not this is a shared network |
| default_network | The specified default network |
| dhcp_options_id | The DhcpOptions ID, if applicable (AWS only) |
| associations | The list of resource IDs that are associated with the network |

Network Address Group

A Network Address Group provides visibility into defined network address prefixes (AWS Managed Prefix List, Azure IP Group).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| name | The name of the Network Address Group |
| group_id | The primary group identifier that takes the form of a prefix followed by numbers and letters |
| state | The state of the Network Address Group |
| addresses | The list of addresses associated with the Network Address Group |
| customer_managed | Denotes whether the Network Address Group is managed by the customer |
| namespace_id | The ARN associated with the Network Address Group |
| associations | The number of resources associated with the Network Address Group |

Network Endpoint

A Network Endpoint enables you to privately connect your VPC to supported services. In AWS, VPC endpoint services are powered by AWS PrivateLink and do not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. In Azure, service endpoints provide the ability to secure Azure service resources to your virtual network by extending VNet identity to the service.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| endpoint_id | The provider ID of the network endpoint |
| name | The name of the network endpoint |
| endpoint_type | The endpoint type of the resource |
| state | The state of the network endpoint |
| service_name | The service name that the endpoint connects to |
| network_id | The ID of the network (VPC) in which the endpoint resides |
| policy | The IAM access policy of the resource |
| trusted_accounts | The trusted accounts that can interact with the endpoint |
| public_access | Denotes whether the network endpoint is exposed to the public |
| owner_id | The ID of the network endpoint owner |
| creation_date | The time when the network endpoint was created |
| private_dns_enabled | Denotes whether private DNS is supported |

Network Endpoint Service

Network Endpoint Services enable you to privately connect your VPC to supported provider services (AWS VPC Endpoint Services, Azure Private Link Service).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The name of the region |
| service_id | The ID of the network endpoint service |
| name | The local name of the network endpoint service |
| service_type | The type of the network endpoint service, e.g., 'interface' |
| state | The state of the network endpoint service, e.g., 'available' |
| service_name | The full name of the network endpoint service |
| trusted_accounts | The trusted accounts associated with the network endpoint service |
| publicly_accessible | An indicator of the public accessibility of the network endpoint service ('0' or '1') |
| acceptance_required | An indicator of whether or not VPC endpoint connection requests to the service must be accepted by the service owner ('0' or '1') |
| manages_vpc_endpoints | An indicator of whether the network endpoint service manages VPC endpoints ('0' or '1') |
| load_balancer_count | The number of load balancers associated with the network endpoint service |
| availability_zones | A list of availability zones for the network endpoint service, e.g., "us-east-1a" |
| connections | A list of key:value pairs identifying the connections for the network endpoint service, e.g., "endpoint_id:<_endpoint ID_>", "connection_state:available" |
| connections_count | The number of connections associated with the network endpoint service |
| relationships | A list of relationships between the network endpoint service and other services |

Network Firewall

A managed, cloud-based network-security service that protects network resources. Examples of this resource are Azure Firewall and AWS Network Firewall.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe region where the instance resides
nameThe name of the network firewall resource
firewall_idThe ID of the network firewall resource
stateThe state of the network firewall resource
firewall_typeThe type of the network firewall resource
zonesThe zones associated with the network firewall
threat_intel_modeThe threat intel mode for the network firewall resource
dns_proxy_enabledAn indicator showing whether the DNS proxy is enabled
dns_serversThe DNS servers associated with the network firewall resource
network_resource_idThe ID for the network resource associated with the network firewall resource
subnet_resource_idThe ID for the subnet resource associated with the network firewall resource
management_subnet_resource_idThe ID for the management subnet resource
management_ip_resource_idThe ID for the management IP resource associated with the network firewall resource
namespace_idThe ID of the namespace associated with the network firewall resource
relationshipsThe list of resources associated with the network firewall
policy_arnThe ARN for the policy associated with the network firewall
delete_protectionDenotes if the network firewall has delete protection enabled
subnet_change_protectionDenotes if the network firewall has subnet change protection enabled
encryption_configurationThe configuration for the encryption on the network firewall

Network Firewall Rule

A network firewall rule is a firewall rule that can include NAT rules, network rules, and application rules. An example of this type of resource is Azure Firewall Rule.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe region where the instance resides
rule_list_resource_idThe ID of the rule list resource
rule_list_typeThe rule type of the network firewall rule
nameThe name of the network firewall rule
descriptionA description of the network firewall rule.
protocolsAn array of application rule protocols for the network firewall rule
source_address_groupsAn array of source address groups associated with the network firewall rule
service_tagsA list of service tags associated with the network firewall rule
destination_address_groupsA list of destination address groups associated with the network firewall rule
destination_fqdnsA list of destination FQDNs associated with the network firewall rule
translated_addressThe translated address for the network firewall rule
translated_portThe translated port for the network firewall rule
priorityThe priority of the rule
directionThe direction of the rule
actionThe action of the rule
custom_actionsThe configured custom actions of the rule

Network Firewall Rule List

Firewall rule collections processed according to the rule type in priority order. An example of this type of resource is Azure Firewall Rule Collection.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe region where the instance resides
nameThe name of the network firewall rule list
firewall_resource_idThe ID of the firewall resource
list_typeThe type of the network firewall rule list
priorityThe priority of the network firewall rule list
actionThe action type of the network firewall rule list
namespace_idThe ID of the namespace associated with the network firewall rule list
capacityThe capacity of the rule list
statusThe status of the rule list
stateless_full_packet_actionsThe stateless full-packet actions of the rule list
stateless_fragmented_packet_actionsThe stateless fragmented-packet actions of the rule list
stateful_evaluation_orderThe stateful rule evaluation order of the rule list
stateful_default_actionsThe stateful default actions of the rule list
stateful_rule_variablesThe list of rule variables of the rule list
stateful_ip_referencesThe list of IP references of the rule list

Network Flow Log

Network flow log resources store configuration and delivery information regarding traffic flows between networking components in a cloud network. This resource inherits from Resource and has direct access to the resource's database object.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe region where the instance resides
flow_log_idThe provider ID of the flow log
nameThe name of the flow log
log_group_nameThe name of the logging group
bucket_nameThe name of the bucket where logs are delivered
traffic_typeThe type of traffic being logged
provider_idThe provider ID of the flow log's parent
parent_resource_idThe provider resource ID of the flow log's parent
statusThe status of the flow log itself (active, inactive)
delivery_statusThe status of log delivery to the destination (success, failed)
delivery_errorThe delivery error description
creation_timeThe time the flow log was created
log_formatThe log format of the flow log data published to a storage container
max_aggregation_intervalThe maximum aggregation interval of the flow log
file_formatThe file format of the flow log data published to a storage container
hive_compatible_partitionsDenotes whether the flow log uses Hive-compatible partition prefixes in the storage container
per_hour_partitionDenotes whether the flow log partitions its data per hour
namespace_idThe provider-specific namespace ID
retention_daysThe number of days logs are retained

class DivvyResource.Resources.networkflowlog.NetworkFlowLog(resource_id)
Bases: DivvyResource.Resources.resource.Resource

Network Flow Log Operations

flow_log

flow_log_id

static get_db_class()

get_parent_resource_id()

static get_provider_id_field()

get_resource_name()

static get_resource_name_field()
Network flow logs don’t have a name so we will use the log_group_name as the name.

static get_resource_type()

handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None, project_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.
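The `status` and `delivery_status` attributes answer two different questions: whether the provider is still capturing flows, and whether the records are actually reaching the destination. A flow log that is active but failing delivery gives no coverage, and an ACCEPT-only log hides the rejected connections that reveal scanning. The following check is an added example, not InsightCloudSec code; it runs over constructed records shaped like the attribute table above, and the `MIN_RETENTION_DAYS` threshold and the traffic_type values 'ALL', 'ACCEPT' and 'REJECT' are assumptions of the example.

```python
"""Assess flow log coverage per network from Network Flow Log attributes.

Added example with constructed data, not InsightCloudSec code. The
traffic_type vocabulary ('ALL', 'ACCEPT', 'REJECT') and the retention
threshold are assumptions of this example.
"""

MIN_RETENTION_DAYS = 90  # assumed policy threshold, not a value from the page


def assess_flow_log_coverage(network_ids, flow_logs, min_retention_days=MIN_RETENTION_DAYS):
    """Return {network_resource_id: [issues]}; an empty list means the network is covered."""
    by_parent = {}
    for log in flow_logs:
        by_parent.setdefault(log.get("parent_resource_id"), []).append(log)

    report = {}
    for nid in network_ids:
        logs = by_parent.get(nid, [])
        if not logs:
            report[nid] = ["no_flow_log"]
            continue
        # A flow log only counts if capture is still on (status) AND records
        # are arriving at the destination (delivery_status).
        active = [l for l in logs if str(l.get("status", "")).lower() == "active"]
        if not active:
            report[nid] = ["inactive"]
            continue
        delivering = [l for l in active if str(l.get("delivery_status", "")).lower() == "success"]
        if not delivering:
            errors = sorted({l.get("delivery_error") or "unknown" for l in active})
            report[nid] = ["delivery_failed: " + "; ".join(errors)]
            continue
        issues = []
        # ACCEPT-only logging drops the rejected connections that expose port
        # scans and blocked lateral movement; require ALL, or ACCEPT plus REJECT.
        types = {str(l.get("traffic_type", "")).upper() for l in delivering}
        if "ALL" not in types and not {"ACCEPT", "REJECT"} <= types:
            issues.append("accept_only" if types == {"ACCEPT"} else "partial_traffic")
        retentions = [l["retention_days"] for l in delivering if l.get("retention_days") is not None]
        if retentions and min(retentions) < min_retention_days:
            issues.append(f"retention_below_{min_retention_days}_days")
        report[nid] = issues
    return report


# Constructed sample data shaped like the attribute table; not real resources.
SAMPLE_NETWORKS = ["network:1:vpc-a", "network:1:vpc-b", "network:1:vpc-c",
                   "network:1:vpc-d", "network:1:vpc-e", "network:1:vpc-f"]
SAMPLE_FLOW_LOGS = [
    {"flow_log_id": "fl-1", "parent_resource_id": "network:1:vpc-a", "status": "ACTIVE",
     "delivery_status": "SUCCESS", "traffic_type": "ALL", "retention_days": 365},
    {"flow_log_id": "fl-2", "parent_resource_id": "network:1:vpc-c", "status": "ACTIVE",
     "delivery_status": "FAILED", "delivery_error": "Access error", "traffic_type": "ALL", "retention_days": 365},
    {"flow_log_id": "fl-3", "parent_resource_id": "network:1:vpc-d", "status": "ACTIVE",
     "delivery_status": "SUCCESS", "traffic_type": "ACCEPT", "retention_days": 400},
    {"flow_log_id": "fl-4", "parent_resource_id": "network:1:vpc-e", "status": "ACTIVE",
     "delivery_status": "SUCCESS", "traffic_type": "ACCEPT", "retention_days": 30},
    {"flow_log_id": "fl-5", "parent_resource_id": "network:1:vpc-e", "status": "ACTIVE",
     "delivery_status": "SUCCESS", "traffic_type": "REJECT", "retention_days": 30},
    {"flow_log_id": "fl-6", "parent_resource_id": "network:1:vpc-f", "status": "INACTIVE",
     "delivery_status": "SUCCESS", "traffic_type": "ALL", "retention_days": 365},
]


def sample_report():
    """Run the check over the constructed sample data."""
    return assess_flow_log_coverage(SAMPLE_NETWORKS, SAMPLE_FLOW_LOGS)


if __name__ == "__main__":
    for network, issues in sample_report().items():
        print(network, "OK" if not issues else ", ".join(issues))
```

Networks are keyed by the flow log's `parent_resource_id`, so a flow log attached to a subnet or interface rather than the network would need its parent resolved to the network first.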

Network Interface

Network Interface resources represent the virtual network interfaces (e.g., AWS Elastic Network Interfaces) that attach instances and other resources to a subnet, together with their addressing and attachment details. This resource inherits from Resource Class and has direct access to the resource's database object.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
network_interface_idThe cloud id for the network interface
nameThe name of the network interface
descriptionThe optional description of the network interface
subnet_resource_idThe resource id for the subnet that the interface is attached to
network_resource_idThe resource id for the network this interface is attached to
region_nameThe name of the region
zoneThe availability zone where the interface is deployed
instance_resource_idThe instance identifier that the interface belongs to
device_indexThe device index of the interface
mac_addressThe MAC/hardware address of the interface
private_ip_addressThe Private IP address associated with this network interface
private_dns_nameThe private DNS name of the interface
public_ip_addressThe Public IP address associated with this network interface
public_dns_nameThe public DNS name of the interface
attachment_idThe ID of the attached resource, if known
owner_idThe account ID of the owner of the network interface
interface_typeThe type of the interface, e.g., an NSX edge interface
ipv6_addressThe IPv6 Address associated with this interface
source_dest_checkDenotes if source/destination checking is enabled for this device

Network Peer

Network peer resources interconnect two private networks. This resource inherits from Resource Class and has direct access to the resource’s database object.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe region that the network resides in
peer_idThe provider ID of the network peering connection
nameThe name of the network peer
statusThe status of the network peer connection, e.g., 'active' or 'pending-acceptance'
requester_vpc_ownerThe owner of the network requesting peering access
requester_vpc_idThe ID of the network requesting peering access
requester_vpc_cidrThe CIDR block of the network requesting peering access
accepter_vpc_ownerThe owner of the network accepting the peer request
accepter_vpc_idThe ID of the network accepting the peer request
accepter_vpc_cidrThe CIDR block of the network accepting the peer request
allow_egress_classicDenotes if you’ve enabled any EC2-Classic instances to communicate with instances in the peered network
allow_egress_vpcDenotes if your network is a source or destination for ingress or egress rules in your resource access lists
allow_dns_resolutionDenotes if your network peer connection has enabled DNS hostname resolution

class DivvyResource.Resources.networkpeer.NetworkPeer(resource_id)
Bases: DivvyResource.Resources.resource.Resource

Network Peer Operations

static get_db_class()

get_parent_resource_id()

static get_provider_id_field()

static get_resource_type()

handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None, project_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

network_peer

peer_id
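A peering connection is a private path into a network, so the attributes above are worth reviewing in pairs: `requester_vpc_owner` against `accepter_vpc_owner` tells you whether the peer crosses an account boundary, `status` tells you whether an unknown account is merely asking or already connected, and the two CIDR attributes tell you whether the address spaces collide. The review below is an added example, not InsightCloudSec code; it runs over constructed peer records shaped like the attribute table, and the `owned_accounts` and `trusted_accounts` inputs are assumptions of the example rather than attributes on the page.

```python
"""Review Network Peer records for cross-account and addressing problems.

Added example with constructed data, not InsightCloudSec code. The
owned/trusted account sets are inputs assumed by this example.
"""
import ipaddress


def review_network_peers(peers, owned_accounts, trusted_accounts=()):
    """Return {peer_id: [findings]} for the peering connections handed in.

    owned_accounts: account IDs you control.
    trusted_accounts: external accounts that are allowed to peer with you.
    """
    owned = set(owned_accounts)
    trusted = owned | set(trusted_accounts)
    results = {}
    for peer in peers:
        findings = []
        status = str(peer.get("status", "")).lower()
        req_owner = peer.get("requester_vpc_owner")
        acc_owner = peer.get("accepter_vpc_owner")

        if req_owner != acc_owner:
            findings.append("cross_account")
            if acc_owner in owned and req_owner not in trusted:
                # An outside account is asking for (or already has) a path into your network.
                findings.append("unsolicited_request" if status == "pending-acceptance" else "untrusted_peer")
            elif req_owner in owned and acc_owner not in trusted:
                # Your side requested a path into an account that is not on the trust list.
                findings.append("untrusted_peer")

        req_cidr = peer.get("requester_vpc_cidr")
        acc_cidr = peer.get("accepter_vpc_cidr")
        if req_cidr and acc_cidr:
            a = ipaddress.ip_network(req_cidr, strict=False)
            b = ipaddress.ip_network(acc_cidr, strict=False)
            # Overlapping ranges cannot route unambiguously; a peer in this
            # state usually reflects a failed or misconfigured request.
            if a.version == b.version and a.overlaps(b):
                findings.append("overlapping_cidr")

        if "cross_account" in findings and status == "active" and peer.get("allow_dns_resolution"):
            # Private hostnames in your network resolve from the other account.
            findings.append("cross_account_dns_resolution")

        results[peer["peer_id"]] = findings
    return results


# Constructed sample data shaped like the attribute table; not real resources.
SAMPLE_PEERS = [
    {"peer_id": "pcx-internal", "status": "active",
     "requester_vpc_owner": "111", "accepter_vpc_owner": "111",
     "requester_vpc_cidr": "10.1.0.0/16", "accepter_vpc_cidr": "10.2.0.0/16",
     "allow_dns_resolution": True},
    {"peer_id": "pcx-partner", "status": "active",
     "requester_vpc_owner": "222", "accepter_vpc_owner": "111",
     "requester_vpc_cidr": "10.50.0.0/16", "accepter_vpc_cidr": "10.1.0.0/16",
     "allow_dns_resolution": True},
    {"peer_id": "pcx-unknown", "status": "pending-acceptance",
     "requester_vpc_owner": "999", "accepter_vpc_owner": "111",
     "requester_vpc_cidr": "172.16.0.0/16", "accepter_vpc_cidr": "10.1.0.0/16",
     "allow_dns_resolution": False},
    {"peer_id": "pcx-overlap", "status": "failed",
     "requester_vpc_owner": "111", "accepter_vpc_owner": "111",
     "requester_vpc_cidr": "10.0.0.0/16", "accepter_vpc_cidr": "10.0.128.0/17",
     "allow_dns_resolution": False},
    {"peer_id": "pcx-outbound", "status": "active",
     "requester_vpc_owner": "111", "accepter_vpc_owner": "999",
     "requester_vpc_cidr": "10.3.0.0/16", "accepter_vpc_cidr": "192.168.0.0/16",
     "allow_dns_resolution": False},
]


def sample_review():
    """Run the review with account 111 owned and 222 trusted."""
    return review_network_peers(SAMPLE_PEERS, owned_accounts={"111"}, trusted_accounts={"222"})


if __name__ == "__main__":
    for peer_id, findings in sample_review().items():
        print(peer_id, findings or "OK")
```

A pending request from an unknown account is the finding to act on first: rejecting it costs nothing, while accepting it silently extends your network's reachability to that account.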

Private Subnet

Private Subnet

Private logical subdivision of a network.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
subnet_idThe provider ID of the subnet
network_resource_idThe resource ID of the parent network
nameThe name of the private subnet
cidrThe CIDR block of the subnet
prefixThe optional sub-directory to begin at
available_ipsThe number of available IPs in the subnet
availability_zoneThe availability zone in which the subnet is located
region_nameThe name of the region
gateway_addressThe route configuration gateway address
public_ip_on_launchDenotes whether instances launched in this subnet are assigned a public IP address by default

Public IP

Public IP

Public IP addresses are used to communicate over the Internet. Examples of these include AWS Elastic IPs. This class inherits from TopLevelResource and has direct access to the resource’s database object.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
public_ipThe publicly accessible IP address
private_ipThe private IP address that this public IP is mapped to
domainThe domain associated with this public IP
network_interface_resource_idThe resource ID of the network interface the IP is associated to
allocation_idThe provider allocation ID of the public IP
region_nameThe region that the public IP resides in
association_idThe provider association ID
allocation_typeDenotes an ephemeral vs persistent IP address
nameThe name associated with the Public IP
provider_idThe provider-specific ID associated with the Public IP
fqdnThe fully-qualified domain name associated with the Public IP
namespace_idThe provider's namespace ID for the public IP

class DivvyResource.Resources.publicip.PublicIp(resource_id)
Bases: DivvyResource.Resources.toplevelresource.TopLevelResource

IP Address Operations (Elastic/Floating/Public IPs)

allocation_id

delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

get_attached_instance()
Retrieve the attached instance (Resource object).

get_attached_network_interface()
Retrieve the network interface (Resource object) this IP is attached to, or None if not attached.

static get_db_class()

get_domain()
Retrieve the domain of the resource (e.g., vpc)

static get_provider_id_field()

get_resource_name()
Public IPs are not named by the user. We return the ip address itself.

static get_resource_name_field()

static get_resource_type()

get_supported_actions()

handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

ip_address

is_ephemeral

public_ip

top_level_resource = True

Query Log

Query Log Config

A Query Log Config captures the DNS queries that originate in your networks and delivers them to a logging destination (e.g., an AWS Route 53 Resolver query logging configuration).

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the organization service (cloud) this resource belongs to
region_nameThe region where this resource resides
config_idThe ID for the query logging configuration
nameThe name of the query logging configuration resource
arnThe ARN for the query logging configuration
association_countThe number of VPCs associated with the query logging configuration
owner_idThe account ID for the account that created the query logging configuration
destination_arnThe ARN of the resource where you want to send query logs
destination_typeThe type of resource where query logs will be received (e.g., S3, CloudWatch Logs)
create_timeThe time the query logging configuration was created
statusThe status of the query logging configuration (e.g., 'Created', 'Creating', 'Deleted', and 'Failed')

Route

Route

The Route resource is used to determine where network traffic from your subnet or gateway is directed (e.g., AWS Route, Azure Route).

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the organization service (cloud) this resource belongs to
region_nameThe region where this resource resides
route_table_resource_idThe ID for the route table resource
cidrThe Classless Inter-domain Routing (CIDR) address of the Route resource
target_idThe ID of the target, e.g., 'Internet'
target_typeThe target type, e.g., 'gateway'
stateThe state of the route resource, e.g., 'active'

Route Table

Network route tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. This class inherits from Resource and has direct access to the resource’s database object.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the organization service (cloud) this resource belongs to
region_nameThe region where this resource resides
nameThe name of this route table
network_resource_idThe resource ID of the parent (network)
vpc_association_idThe ID of the association between this route table and its virtual private cloud
routesThe routes that belong to this table

class DivvyResource.Resources.routetable.RouteTable(resource_id)
Bases: DivvyResource.Resources.resource.Resource

Route Table Operations

delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

static get_db_class()

get_network_id()
Retrieve the network ID that the route table belongs to.

static get_provider_id_field()

static get_resource_type()

get_supported_actions()

get_vpc_association_id()
Retrieve the VPC association ID of the route.

handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

route_table

route_table_id
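Because a route table decides where a subnet's traffic goes, the Route, Route Table and Private Subnet attributes above are enough to find subnets that are internet-reachable regardless of what they are called: an active route whose destination is a public range and whose target is an internet gateway makes the subnet public, and `public_ip_on_launch` decides whether instances there are reachable from the moment they start. The check below is an added example, not InsightCloudSec code. It runs over constructed records shaped like those attribute tables; the `route_table_resource_id` key on a subnet is an assumed association field, and the target_id/target_type values 'Internet'/'gateway' follow the page's example values.

```python
"""Find subnets whose route table sends internet-bound traffic to an internet gateway.

Added example with constructed data, not InsightCloudSec code. The
route_table_resource_id key on a subnet is an assumed association field.
"""
import ipaddress

# Destinations that are never routable on the public internet. A route whose
# destination lies entirely inside one of these is not an internet route even
# when its target is an internet gateway.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # carrier-grade NAT
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "fc00::/7",                                       # IPv6 unique local
)]


def is_internet_route(route):
    """True when an active route hands public-destination traffic to an internet gateway."""
    if str(route.get("state", "")).lower() != "active":
        return False  # blackhole or inactive routes forward nothing
    # target_id 'Internet' / target_type 'gateway' are the page's example values.
    if route.get("target_type") != "gateway" or route.get("target_id") != "Internet":
        return False
    dest = ipaddress.ip_network(route["cidr"], strict=False)
    # Anything not fully inside a non-public range (0.0.0.0/0, but also a split
    # default route such as 0.0.0.0/1) counts as an internet destination.
    return not any(dest.version == n.version and dest.subnet_of(n) for n in NON_PUBLIC)


def find_exposed_subnets(subnets, route_tables):
    """Return {subnet_id: finding} for every subnet whose route table has an internet route.

    Severity is 'high' when public_ip_on_launch is set (instances are reachable
    as soon as they start) and 'medium' otherwise (reachable once a public IP
    is attached). A "private" subnet with a default route to an internet
    gateway is public in practice; that is the case this check is for.
    """
    tables = {t["resource_id"]: t for t in route_tables}
    findings = {}
    for subnet in subnets:
        table = tables.get(subnet.get("route_table_resource_id"))
        if table is None:
            continue
        internet_routes = [r["cidr"] for r in table.get("routes", []) if is_internet_route(r)]
        if not internet_routes:
            continue
        findings[subnet["subnet_id"]] = {
            "severity": "high" if subnet.get("public_ip_on_launch") else "medium",
            "route_table": table["resource_id"],
            "routes": internet_routes,
        }
    return findings


# Constructed sample data shaped like the attribute tables; not real resources.
SAMPLE_ROUTE_TABLES = [
    {"resource_id": "routetable:1:rtb-public", "routes": [
        {"cidr": "10.0.0.0/16", "target_id": "local", "target_type": "local", "state": "active"},
        {"cidr": "0.0.0.0/0", "target_id": "Internet", "target_type": "gateway", "state": "active"}]},
    {"resource_id": "routetable:1:rtb-nat", "routes": [
        {"cidr": "0.0.0.0/0", "target_id": "nat-0abc", "target_type": "nat_gateway", "state": "active"}]},
    {"resource_id": "routetable:1:rtb-blackhole", "routes": [
        {"cidr": "0.0.0.0/0", "target_id": "Internet", "target_type": "gateway", "state": "blackhole"}]},
    {"resource_id": "routetable:1:rtb-split", "routes": [
        {"cidr": "0.0.0.0/1", "target_id": "Internet", "target_type": "gateway", "state": "active"}]},
]
SAMPLE_SUBNETS = [
    {"subnet_id": "subnet-a", "route_table_resource_id": "routetable:1:rtb-public", "public_ip_on_launch": True},
    {"subnet_id": "subnet-b", "route_table_resource_id": "routetable:1:rtb-public", "public_ip_on_launch": False},
    {"subnet_id": "subnet-c", "route_table_resource_id": "routetable:1:rtb-nat", "public_ip_on_launch": True},
    {"subnet_id": "subnet-d", "route_table_resource_id": "routetable:1:rtb-blackhole", "public_ip_on_launch": True},
    {"subnet_id": "subnet-e", "route_table_resource_id": "routetable:1:rtb-split", "public_ip_on_launch": False},
]


def sample_findings():
    """Run the check over the constructed sample data."""
    return find_exposed_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES)


if __name__ == "__main__":
    for subnet_id, finding in sample_findings().items():
        print(subnet_id, finding["severity"], finding["routes"])
```

The NAT-gateway and blackhole tables produce no finding: a NAT gateway gives outbound access only, and a blackhole route forwards nothing. The split default route (0.0.0.0/1) is still flagged, which a plain string match on "0.0.0.0/0" would miss.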

Site-to-Site VPN

Site-to-Site VPN

A Site-to-Site VPN connection offers two VPN tunnels between a virtual private gateway or a transit gateway on the cloud provider side and a customer gateway on the remote (on-premises) side.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region
vpn_idThe ID of the VPN
nameThe name of Site To Site VPN
stateThe state of the VPN connection, e.g., 'available'
categoryThe category of the VPN connection, e.g., 'VPN'
static_route_countThe number of static routes configured on the VPN connection
bgp_route_countThe Border Gateway Protocol (BGP) route count, if applicable
static_routesThe list of static routes (destination CIDR blocks) configured on the VPN connection
optionsThe list of specific user-defined options
customer_gateway_idThe ID of the associated Customer Gateway
virtual_gateway_idThe ID of the associated Virtual Private Gateway
transit_gateway_idThe ID of the associated Transit Gateway
last_updatedThe time resource was updated last

Target Proxies

Target Proxies

In GCP target proxies are referenced by one or more forwarding rules. In the case of HTTP(S) load balancing, proxies route incoming requests to a URL map.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region
nameThe name of target proxy
kindThe kind of target proxy, e.g., HTTP, HTTPS, TCP, or SSL
load_balancer_resource_idThe load balancer resource identifier
service_resource_idThe backend service resource identifier
descriptionThe target proxy description
created_timeThe time target proxy was created

Traffic

Traffic Manager

A Traffic Manager is a DNS-based network traffic load balancer that distributes traffic to endpoints across your environment according to a configured routing method.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
traffic_manager_idThe ID for the traffic manager
region_nameThe name of the region the traffic manager is deployed in
statusThe status of the traffic manager profile
fqdnThe fully-qualified domain name for the traffic manager
routing_methodThe routing method for the traffic manager
profile_monitor_statusThe profile monitor status for the traffic manager
protocolThe protocol of monitor configuration in the traffic manager
portThe port of monitor configuration in the traffic manager
interval_in_secondsInterval (in seconds) for the monitor configuration in the traffic manager
tolerated_number_of_failuresTolerated number of failures for the monitor configuration in the traffic manager
timeout_in_secondsTimeout in seconds for the monitor configuration in the traffic manager
endpointsThe list of endpoints for the traffic manager
traffic_view_enrollment_statusThe traffic view enrollment status for the traffic manager

Traffic Mirror Target

Traffic Mirroring is an Amazon VPC feature that copies network traffic from an elastic network interface of an Amazon EC2 instance and sends it to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting. A Traffic Mirror Target is the destination that receives the mirrored traffic (e.g., AWS VPC Traffic Mirror Target).

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region
target_idThe identifier of the target
nameThe name of the target
typeThe type of target
sourceThe provider id of the source
source_resource_idThe source resource identifier
source_nameThe name of the source
descriptionThe description of the mirror target
owner_idThe owner account identifier of the target
cross_accountDenotes whether or not the target spans accounts

Transit Gateway

Transit Gateway

A Transit Gateway enables customers to connect private clouds (e.g., Amazon Virtual Private Clouds (VPCs)) and their on-premises networks to a single gateway.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region
transit_gateway_idThe service provided ID for this transit gateway
nameThe name of the Transit Gateway
owner_account_idThe ID of the account that owns the Transit Gateway
create_timeThe time the Transit Gateway was created
stateThe state of this Transit Gateway
dns_supportDenotes if the Transit Gateway has DNS support
associated_route_table_idThe ID of the associated route table, if applicable
auto_accept_shared_attachmentsDenotes if attachment requests from networks shared by other accounts are accepted automatically
attachment_countThe number of attachments to the Transit Gateway
provider_asnThe provider ASN associated with the Transit Gateway

URL Maps

URL Maps

A URL Map is a set of rules for routing incoming HTTP(S) requests to specific services.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
urlmap_idThe ID for the URL Map
nameName of the URL Map
descriptionDescription of the URL Map
creation_timestampThe timestamp for when the URL Map was created
host_rulesA set of hosts to match requests against
regionThe region in which the URL Map is located

Virtual Private Gateway

Virtual Private Gateway

A virtual private gateway is the cloud-provider side of a Site-to-Site VPN connection: a logical, fully redundant distributed edge routing function at the edge of a virtual computing resource, for example, an AWS VPC.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region
availability_zoneThe availability zone for the virtual private gateway
gateway_idThe ID for the virtual private gateway
gateway_typeThe type of virtual private gateway, e.g., 'ipsec.1'
nameThe name of the virtual private gateway
stateThe state of the virtual private gateway, e.g., 'available'
asnThe autonomous system number (ASN) for the virtual private gateway
attachment_countThe number of networks attached to the virtual private gateway

Web Application Firewall

Web Application Firewall

A Web Application Firewall is a resource that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources, for example the AWS WAF or Google Cloud Armor.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region
firewall_idThe provider ID of the web application firewall
nameThe name of the web application firewall
metric_nameThe user-defined metric name under which the WAF publishes its metrics
default_actionThe default action to take
arnThe amazon resource name for the WAF
resource_countThe number of resources the WAF is associated with
rule_countThe number of rules in the WAF
rulesA list of rules associated with the WAF
sql_injection_rule_countThe number of rules that match SQL injection patterns
geo_match_rule_countThe rule count that matches by GeoIP
xss_match_rule_countThe rule count that filters by XSS
ip_match_countThe rule count that filters traffic by IP
versionThe installed version of the web application firewall
preprocess_rule_groupsThe pre-process groups associated with the WAF
preprocess_rule_namesThe pre-process rule names associated with the WAF
postprocess_rule_groupsThe post-process groups associated with the WAF
postprocess_rule_namesThe post-process rule names associated with the WAF
rule_namesThe names of the WAF rules
managed_rule_namesThe managed rule names associated with the ACL
loggingIndicates if the WAF is logging
centrally_managedIndicates if the WAF is centrally-managed
relationshipsThe list of resources associated with the WAF
namespace_idThe provider-specific unique namespace value
waf_typeThe type of WAF
provisioning_stateThe provisioning state of the WAF
associationsThe list of associations for the WAF
managed_rulesThe managed rules associated with the WAF
managed_rule_countThe count of managed rules associated with the WAF
policy_tierThe pricing policy tier of the WAF
cloudwatch_metrics_enabledDenotes if WAF Rules/Rule Groups have CloudWatch metrics enabled

Web Application Firewall Rule

A Web Application Firewall Rule governs how incoming HTTP(S) requests are inspected and handled.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region where the rule is located
rule_idA unique ID for the rule
firewall_resource_idThe resource ID for the firewall the rule is associated with
actionThe action for the rule
typeThe type of rule
rule_group_resource_idThe resource ID for the web application firewall rule group the rule is associated with
rule_nameThe name of the rule
conditionsThe conditions for the rule to activate
priorityThe priority of the rule

Web Application Firewall Rule Group

A Web Application Firewall Rule Group is a set of rules that can be added to an access control list.

AttributeDescription
resource_idThe primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_idThe ID of the parent organization service (cloud)
region_nameThe name of the region where the rule group is located
rule_group_idA unique ID for the rule group
rule_group_nameThe name of the rule group
firewall_resource_idThe resource ID for the firewall the rule group is associated with
priorityThe priority of the rule group