Azure / CanadaPubSecALZ

This reference implementation is based on Cloud Adoption Framework for Azure and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using NIST SP 800-53 Rev. 4 and Canada Federal PBMM Regulatory Compliance Policy Sets.
MIT License

Non-Compliant policies / Subnets should be associated with a Network Security Group #373

Closed leslieRD closed 9 months ago

leslieRD commented 1 year ago

After deploying the Canadian Pub Sector Landing Zone, the state of a lot of resources has been labeled as non-compliant.

[image]

Most of these subnets have already been associated with an NSG.

Any help please.

SenthuranSivananthan commented 1 year ago

Policy Id: /providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517

Definition

    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks/subnets"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "eade5b56-eefd-444f-95c8-23f29e5d93cb",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }

This policy definition depends on Defender for Cloud (DfC) to evaluate each subnet to make sure they are associated with a Network Security Group (NSG). Based on the evaluation, DfC will annotate the status as:

The policy definition will mark the subnet as compliant if the status is either Healthy or NotApplicable. In your case, can you check:

  1. Whether the non-compliant reason is Unhealthy?
  2. If the non-compliant reason is NotFound, then it implies DfC has not run on your subscription and therefore the policy cannot verify compliance. If this is the case, can you open a support case for an engineer to review?

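To make the two checks above concrete, here is an added example (not code from the CanadaPubSecALZ project or from the commenter) that re-implements the AuditIfNotExists decision locally. It takes the quoted `policyRule`, resolves the `effect` parameter to `AuditIfNotExists` (an assumption for the example), and evaluates constructed subnet resources against constructed `Microsoft.Security/assessments` records, so you can see which status codes land as Compliant, which as NonCompliant with reason Unhealthy, and what a missing assessment (the NotFound case) looks like. Resource IDs, assessment records and the helper names (`evaluate`, `triage`, `read_field`) are all constructed for this example; the real policy engine resolves aliases through Azure Resource Manager, which this small model only approximates.

```python
"""Local model of how the 'Subnets should be associated with an NSG' policy
(AuditIfNotExists on Microsoft.Security/assessments) decides compliance.
Added example: not code from the CanadaPubSecALZ project."""
import json

# Policy rule as quoted in the issue; the 'effect' parameter is resolved to
# AuditIfNotExists here, which is an assumption made for this example.
POLICY_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets"},
    "then": {
        "effect": "AuditIfNotExists",
        "details": {
            "type": "Microsoft.Security/assessments",
            "name": "eade5b56-eefd-444f-95c8-23f29e5d93cb",
            "existenceCondition": {
                "field": "Microsoft.Security/assessments/status.code",
                "in": ["NotApplicable", "Healthy"],
            },
        },
    },
}
ASSESSMENT_NAME = POLICY_RULE["then"]["details"]["name"]

# Constructed (hypothetical) resource IDs: one VNet and four of its subnets.
SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"
VNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo")
RESOURCES = [
    {"id": VNET_ID, "type": "Microsoft.Network/virtualNetworks"},
    {"id": VNET_ID + "/subnets/app", "type": SUBNET_TYPE},
    {"id": VNET_ID + "/subnets/data", "type": SUBNET_TYPE},
    {"id": VNET_ID + "/subnets/GatewaySubnet", "type": SUBNET_TYPE},
    {"id": VNET_ID + "/subnets/dmz", "type": SUBNET_TYPE},
]

# Constructed Defender for Cloud assessment records keyed by assessed resource,
# shaped like Microsoft.Security/assessments (name + status.code). The 'dmz'
# subnet deliberately has no record at all: that is the NotFound case.
ASSESSMENTS = {
    VNET_ID + "/subnets/app": {"name": ASSESSMENT_NAME, "status": {"code": "Healthy"}},
    VNET_ID + "/subnets/data": {"name": ASSESSMENT_NAME, "status": {"code": "Unhealthy"}},
    VNET_ID + "/subnets/GatewaySubnet": {"name": ASSESSMENT_NAME, "status": {"code": "NotApplicable"}},
}

# Next step for each non-compliant reason, as suggested in the thread.
NEXT_STEP = {
    "Unhealthy": "DfC evaluated the subnet and found no NSG: associate one and wait for re-evaluation",
    "NotFound": "DfC has not produced an assessment for this subnet: confirm DfC is running "
                "on the subscription, otherwise open a support case",
}


def read_field(obj, field):
    """Resolve a policy field such as 'type' or
    'Microsoft.Security/assessments/status.code' against a dict: the last
    path segment is treated as a dotted key path."""
    for part in field.rsplit("/", 1)[-1].split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj


def condition_holds(condition, obj):
    """Evaluate the two operators this policy uses: 'equals' and 'in'."""
    value = read_field(obj, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "in" in condition:
        return value in condition["in"]
    raise ValueError("unsupported condition: %r" % (condition,))


def evaluate(resource, assessments, rule=POLICY_RULE):
    """Return (state, reason) for one resource, mirroring the compliance blade:
    Compliant/NonCompliant with the assessment status code as the reason, or
    NonCompliant/NotFound when no matching assessment exists."""
    if not condition_holds(rule["if"], resource):
        return ("NotEvaluated", "type does not match the policy 'if' block")
    details = rule["then"]["details"]
    record = assessments.get(resource["id"])
    if record is None or record.get("name") != details["name"]:
        return ("NonCompliant", "NotFound")
    code = read_field(record, details["existenceCondition"]["field"])
    if condition_holds(details["existenceCondition"], record):
        return ("Compliant", code)
    return ("NonCompliant", code)


def triage(resources, assessments):
    """Group evaluated resources by state and reason and attach the next step."""
    report = {"Compliant": [], "NonCompliant": {}}
    for res in resources:
        state, reason = evaluate(res, assessments)
        if state == "Compliant":
            report["Compliant"].append(res["id"])
        elif state == "NonCompliant":
            bucket = report["NonCompliant"].setdefault(
                reason, {"action": NEXT_STEP.get(reason, "review manually"), "resources": []})
            bucket["resources"].append(res["id"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage(RESOURCES, ASSESSMENTS), indent=2))
```

Running the script prints the grouped report: `app` and `GatewaySubnet` are compliant (Healthy and NotApplicable both satisfy the `existenceCondition`), `data` is non-compliant with reason Unhealthy, and `dmz` is non-compliant with reason NotFound even though nothing is wrong with the subnet itself, because AuditIfNotExists has no related assessment to inspect. That last case is why the comment asks you to read the compliance reason before touching the NSGs: an NSG change fixes Unhealthy, not NotFound.
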
github-actions[bot] commented 9 months ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.