
Missing assignment for the Deny-Subnet-Without-Penp policy #1807

Open
MikaelJcSoderberg opened this issue Oct 21, 2024 · 2 comments
Labels
Type: Documentation 📄 Improvements or additions to documentation

Comments

@MikaelJcSoderberg

MikaelJcSoderberg commented Oct 21, 2024

This policy is missing in the "default" list of policies:
Deny-Subnet-Without-Penp

Without this setting being right, private endpoints in a subnet aren't filtered by the Network Security Group.

When I talk about sources, I'm using these to discover new policies and also to see which ones are changed/removed and to what scope to assign them:

https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies
https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/media/ALZ%20Policy%20Assignments%20v2.xlsx

I'm also using this from ALZ-Bicep
https://github.com/Azure/ALZ-Bicep/blob/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep

Which one is right?

  1. I'm using the wrong sources for which policies should be included in an Enterprise-scale implementation?
  2. A Network Security Group in a Corp landing zone doesn't need to filter traffic to Private Endpoints, and that is the reason the policy isn't included?
  3. It was missed and should be added to the default list of policies. I don't know if the correct scope would be Corp or landingzones.

I think it's number three and that is the reason for posting this issue.
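The point the issue turns on is the subnet's private endpoint network policy setting: unless it is `Enabled`, an NSG attached to the subnet does not filter traffic to private endpoints in it. The following added example (not code from Enterprise-Scale or ALZ-Bicep) shows the check that a policy like Deny-Subnet-Without-Penp expresses, run over a constructed ARM-style virtual network export: it lists subnets where `privateEndpointNetworkPolicies` is not `Enabled` and produces a corrected copy. The field name and values `Enabled`/`Disabled` are the real ARM property; the exact rule body and exemptions of the ALZ policy are not reproduced here, and treating an absent property as non-compliant is an assumption of this example.

```python
"""Find subnets whose private endpoints are not filtered by the NSG.

Added example; it is not the Enterprise-Scale policy definition. It mirrors the
intent of Deny-Subnet-Without-Penp: a subnet is compliant only when
properties.privateEndpointNetworkPolicies == "Enabled".
"""
import copy

COMPLIANT_VALUE = "Enabled"


def evaluate_subnets(vnet):
    """Return one dict per subnet with its setting and a compliant flag."""
    results = []
    for subnet in vnet.get("properties", {}).get("subnets", []):
        props = subnet.get("properties", {})
        value = props.get("privateEndpointNetworkPolicies")  # None when absent
        # Absent property is treated as non-compliant (assumption of this
        # example; a real policy may evaluate defaults differently).
        results.append({
            "subnet": subnet["name"],
            "value": value,
            "compliant": value == COMPLIANT_VALUE,
        })
    return results


def non_compliant_subnets(vnet):
    """Names of subnets an audit/deny policy would flag."""
    return [r["subnet"] for r in evaluate_subnets(vnet) if not r["compliant"]]


def remediate(vnet):
    """Return a copy of the VNet with the setting corrected on every subnet."""
    fixed = copy.deepcopy(vnet)
    for subnet in fixed.get("properties", {}).get("subnets", []):
        subnet.setdefault("properties", {})["privateEndpointNetworkPolicies"] = COMPLIANT_VALUE
    return fixed


# Constructed sample export: one compliant subnet, one explicitly disabled,
# one that omits the property entirely.
SAMPLE_VNET = {
    "name": "vnet-corp-example",
    "type": "Microsoft.Network/virtualNetworks",
    "properties": {
        "subnets": [
            {"name": "snet-web",
             "properties": {"addressPrefix": "10.0.1.0/24",
                            "privateEndpointNetworkPolicies": "Enabled"}},
            {"name": "snet-data",
             "properties": {"addressPrefix": "10.0.2.0/24",
                            "privateEndpointNetworkPolicies": "Disabled"}},
            {"name": "snet-legacy",
             "properties": {"addressPrefix": "10.0.3.0/24"}},
        ]
    },
}

if __name__ == "__main__":
    for r in evaluate_subnets(SAMPLE_VNET):
        state = "OK " if r["compliant"] else "FAIL"
        print(f"{state} {r['subnet']}: privateEndpointNetworkPolicies={r['value']}")
    print("after remediation:", non_compliant_subnets(remediate(SAMPLE_VNET)))
```

The same evaluation can be pointed at a real export (for example the JSON that `az network vnet show` returns) to see which subnets an assignment at the Corp or landingzones scope would flag before the policy is turned on in deny mode.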

@Springstone
Member

@MikaelJcSoderberg we do not assign all ALZ policies by default (most we do). We provide a number of additional policies that have been asked for or that we believe would be valuable to some customers, and this is one of those.

The two documents you refer to only document those policies/initiatives we assign by default along with the scope that we assign them to. Those documents do not include the "extra" policies we provide. We've begun providing better documentation describing those other policies here: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies-Extra
(I see that specific policy doesn't have an entry yet, so we'll get that added).

I hope that clarifies.

@Springstone Springstone added the Type: Documentation 📄 Improvements or additions to documentation label Nov 1, 2024
@Springstone Springstone added this to the policy-refresh-fy25-q2 milestone Nov 1, 2024
@MikaelJcSoderberg
Author

Thank you for the feedback; yes, I did forget that alz-policy-extras is also a source I use.
Glad it will be added there.
