Azure / Community-Policy

This repo is for Microsoft Azure customers and Microsoft teams to collaborate in making custom policies.
MIT License

modify-subnet-nsg #238

Closed maheswara321 closed 1 year ago

maheswara321 commented 1 year ago

Hi @fawohlsc /Team,

Trust you are doing well.

In my environment, we have few subnets without being assigned to any NSG. So I would like to deploy the above custom definition to enforce the NSG for subnets that have none.

While assigning the assignment, I have passed the parameters as suggested below for networksecuritygroupsettings (for "northeurope" I have given the location of the vnet that the subnets belong to):

```json
{
  "northeurope": {
    "resourceGroupName": "random name",
    "networkSecurityGroupName": "random nsg name"
  },
  "westeurope": {
    "resourceGroupName": "we-network",
    "networkSecurityGroupName": "we-default-nsg"
  },
  "disabled": {
    "resourceGroupName": "",
    "networkSecurityGroupName": ""
  }
}
```

But it is not able to identify the non-compliant resources and it is showing 100% compliant. I have also correctly assigned the scope. Can you please advise me here?

Hi @mrajess,

I also have tried the below definition file

`enforce-subnets-must-have-nsg-and-nsg-must-have-same-suffix-as-subnet/`

but i am getting the below error

> parameters 'exceptionList' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule.

So I tried removing the exceptionList parameter from the definition, but it is still not accepting the definition to save and is giving the below error:

> The existing policy has '1' parameter(s) which is greater than the count of parameter(s) '0' in the policy being added. Policy parameters cannot be removed during policy update.

Could you kindly advise me here? I got stuck here.

Looking forward to hearing from you.

Thank you, Kind regards, Maheswara.
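As an added illustration of the check the policy is expected to perform (this is example code written for this thread, not the repository's modify-subnet-nsg policy, and it does not call Azure): the script below walks a constructed list of VNets shaped like trimmed `az network vnet list` output, reports every subnet with no NSG attached, and resolves the NSG each one should receive from a per-location settings map with the same shape as the networksecuritygroupsettings parameter above. Locations with no entry fall back to the "disabled" block and are reported as skipped rather than silently passing, which is the failure mode worth watching when a compliance view shows 100%. The subscription id, resource names and the exception list are placeholders assumed for the example.

```python
"""Offline audit of VNet subnets for a missing NSG, plus a remediation plan.

Added example for this issue thread; not the Community-Policy repository's
own code and not connected to Azure. All resource names are constructed.
"""
from typing import Any, Dict, List, Sequence

# Constructed sample, shaped like trimmed JSON from `az network vnet list`.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
SAMPLE_VNETS: List[Dict[str, Any]] = [
    {
        "name": "vnet-ne",
        "location": "northeurope",
        "subnets": [
            {"name": "default", "networkSecurityGroup": None},
            {"name": "app", "networkSecurityGroup": {
                "id": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/ne-network"
                      "/providers/Microsoft.Network/networkSecurityGroups/ne-app-nsg"}},
        ],
    },
    {
        "name": "vnet-we",
        "location": "westeurope",
        "subnets": [
            {"name": "AzureFirewallSubnet", "networkSecurityGroup": None},
            {"name": "data", "networkSecurityGroup": {"id": ""}},  # empty id, still unprotected
        ],
    },
    {"name": "vnet-us", "location": "eastus", "subnets": [{"name": "default"}]},
]

# Same shape as the networksecuritygroupsettings parameter in the issue;
# an entry with empty names means "do not remediate" (constructed values).
NSG_SETTINGS: Dict[str, Dict[str, str]] = {
    "northeurope": {"resourceGroupName": "ne-network", "networkSecurityGroupName": "ne-default-nsg"},
    "westeurope": {"resourceGroupName": "we-network", "networkSecurityGroupName": "we-default-nsg"},
    "disabled": {"resourceGroupName": "", "networkSecurityGroupName": ""},
}

# Assumed exception list (mirrors the exceptionList idea from the sibling
# policy): subnets this audit must never flag or remediate.
EXCEPTION_LIST = ("AzureFirewallSubnet",)


def has_nsg(subnet: Dict[str, Any]) -> bool:
    """True only when the subnet carries a non-empty NSG resource id."""
    nsg = subnet.get("networkSecurityGroup")
    return bool(nsg and nsg.get("id"))


def nsg_resource_id(subscription_id: str, resource_group: str, name: str) -> str:
    """Build the ARM resource id of an NSG from its subscription, RG and name."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/networkSecurityGroups/{name}")


def find_unprotected_subnets(vnets: Sequence[Dict[str, Any]],
                             exceptions: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Return one finding per subnet that has no NSG and is not excepted."""
    findings = []
    for vnet in vnets:
        for subnet in vnet.get("subnets", []):
            if subnet["name"] in exceptions or has_nsg(subnet):
                continue
            findings.append({"vnet": vnet["name"], "subnet": subnet["name"],
                             "location": vnet["location"]})
    return findings


def plan_remediation(findings: Sequence[Dict[str, str]],
                     settings: Dict[str, Dict[str, str]],
                     subscription_id: str) -> List[Dict[str, str]]:
    """Map each finding to the NSG configured for its location, or a skip."""
    plan = []
    for finding in findings:
        cfg = settings.get(finding["location"], settings.get("disabled", {}))
        rg, name = cfg.get("resourceGroupName", ""), cfg.get("networkSecurityGroupName", "")
        if not rg or not name:
            plan.append({**finding, "action": "skip",
                         "reason": f"no NSG configured for location {finding['location']}"})
        else:
            plan.append({**finding, "action": "attach",
                         "nsgId": nsg_resource_id(subscription_id, rg, name)})
    return plan


if __name__ == "__main__":
    for step in plan_remediation(find_unprotected_subnets(SAMPLE_VNETS, EXCEPTION_LIST),
                                 NSG_SETTINGS, SUBSCRIPTION_ID):
        print(step)
```

Run against real data, replace SAMPLE_VNETS with the parsed output of `az network vnet list -o json`; a subnet reported as "skip" is exactly the case where a location-keyed parameter map gives the policy nothing to apply, so a 100% compliant view deserves a second look.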

fawohlsc commented 1 year ago

@maheswara321 - Have you tried creating a new subnet? Does the policy add the NSG? Just to make sure the policy is assigned to the right scope. Also, did you try to trigger an on-demand evaluation scan to speed up populating the compliance results (See: Get compliance data of Azure resources)

maheswara321 commented 1 year ago

Hi Fabian,

Thank you so much for your prompt response.

I have just created a new vnet, and in it I had a new default subnet that has no NSG. I also have existing vnets with subnets that don't have an NSG at all in subscriptions, but in both cases the policy doesn't identify them as non-compliant, and it is reflecting the status 100% compliant.

Below is the vnet with subnet that doesn't have any NSG.

image

It is reflecting as 100% compliance as shown below.

image

Please help me understand, am I passing the parameters wrong? I have tried both ways, giving a new resource group name and new NSG name, and also the resource group of a vnet that already exists and its location, but it doesn't work either way.

I am also wondering if there is any deployIfNotExists policy available for this if it doesn't work like this.

Kindly respond on this Fab.

Thank you very much for your support.

Kind regards, Mahes.

fawohlsc commented 1 year ago

@maheswara321 - Just did some testing. Seems like the policy does not work anymore. Sorry for the inconvenience. Probably, you want to look for another policy, which can assign NSGs to your subnet.

maheswara321 commented 1 year ago

Hello @fawohlsc,

Thanks for your response.

Can you please suggest me the working one?

Thank you.

maheswara321 commented 1 year ago

Hi @fawohlsc,

May I have any response please?

Thank you.

fawohlsc commented 1 year ago

@maheswara321 - May I ask you to contribute to this repository by fixing the policy modify-subnet-nsg? I believe it's a good starting point and I am missing the bandwidth to fix it myself at the moment. Many thanks.

maheswara321 commented 1 year ago

Hi @fawohlsc,

Thanks for responding back.

I am happy to work on these, however currently I am completely occupied with InfoSec work right now. Also these are completely new for us, being SOC analysts, and that's where we were looking for help.

Thanks for understanding.

fawohlsc commented 1 year ago

@maheswara321 - I fully understand 👍

John Savill has produced some great deep-dive videos around Azure Policy:

- Anatomy of Azure Policy
- Azure Policy Remediation Deep Dive

Hope they help you on your Azure governance journey!

techlake commented 1 year ago

Cleaning up old issues (closing)