Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
https://aka.ms/alz
MIT License

Feature Request - Add recommendation for 'Deny vNet peering to non-approved vNets' #1543

Open vegazbabz opened 5 months ago

vegazbabz commented 5 months ago

The policy Deny vNet peering to non-approved vNets is (obviously) not found in the list: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#intermediate-root hence it has no recommendation or guideline on usage.

The nearest guideline is this: https://github.com/Azure/Enterprise-Scale/wiki/Whats-new#policy-17 "This is useful in scenarios where you only want to allow vNet peering to say a central hub vNet and not allow other vNet peerings between landing zones to be enabled."

Recommendation: For the hub and spoke architecture (AdventureWorks), best practice would be to enable (assign) this policy to the LZ MG, to have all traffic from spokes go to the hub - not allowing VNet peering between spokes (landing zones). This should be reflected.

jtracey93 commented 5 months ago

Thanks @vegazbabz

For the policy enhancement suggestions here, we will triage and come back to you with any further questions or clarity we may have or require and let you know an outcome.

If you haven't already, check out our new GitHub Issue Form for taking in new ALZ Policy Requests.

Thanks - the ALZ Team

Springstone commented 5 months ago

@vegazbabz We don't assign this policy (which is why it's not on the ALZ-Policies page) by default but do provide it as a custom policy, as we believe customers would benefit from it. The scope you assign it at is up to you, with obvious impact to the environment. This particular policy is provided to help customers manage/limit peering to core infra - Sandbox would be a good environment for this, but we don't want to be too prescriptive. Let me know your thoughts on how we can do this better.

vegazbabz commented 5 months ago

Once again, I think all policies introduced in the repo should have a note somewhere in the documentation stating what use-case it is addressing. For sandbox, I think this is sufficient: https://www.azadvertizer.net/azpolicyadvertizer/Deny-VNET-Peer-Cross-Sub.html

However, the policy Deny vNet peering to non-approved vNets should be assigned on Corp MG, or perhaps Landing Zones MG, to only allow VNet peering between landing zones (spokes) and connectivity landing zone(s) (hub). You want to route all the traffic via the centralized firewalls.
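To make the effect of the assignment discussed in this thread concrete, the following is an added example (not code from the Enterprise-Scale repo) that models offline what the policy enforces: a peering resource is allowed only when its remote vNet is one of the approved hub vNets, so spoke-to-hub peerings pass and spoke-to-spoke peerings are denied. The resource IDs and the `Peering` type are constructed for the illustration.

```python
"""Offline model of 'Deny vNet peering to non-approved vNets'.

Added example, not code from Azure/Enterprise-Scale. Azure Policy evaluates
the remoteVirtualNetwork.id of each
Microsoft.Network/virtualNetworks/virtualNetworkPeerings resource against
an approved list; this reproduces that decision over constructed sample
data so the outcome of assigning it at the Landing Zones MG can be seen.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peering:
    name: str
    local_vnet_id: str   # ARM id of the vNet that owns the peering
    remote_vnet_id: str  # ARM id of the vNet it peers to


def is_peering_allowed(peering: Peering, approved_vnet_ids: set[str]) -> bool:
    """Allow only if the remote side is an approved (hub) vNet.

    ARM resource ids are case-insensitive, so compare in lower case to avoid
    a spurious deny on a differently-cased hub id."""
    approved = {v.lower() for v in approved_vnet_ids}
    return peering.remote_vnet_id.lower() in approved


def evaluate(peerings: list[Peering], approved_vnet_ids: set[str]) -> dict[str, str]:
    """Return the policy effect ('allow' or 'deny') per peering name."""
    return {p.name: ("allow" if is_peering_allowed(p, approved_vnet_ids) else "deny")
            for p in peerings}


# Constructed sample: placeholder subscription ids, one connectivity hub, two corp spokes.
_PREFIX = "/subscriptions/00000000-0000-0000-0000-00000000000{n}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}"
HUB = _PREFIX.format(n=1, rg="rg-connectivity", vnet="vnet-hub")
SPOKE_A = _PREFIX.format(n=2, rg="rg-corp-a", vnet="vnet-spoke-a")
SPOKE_B = _PREFIX.format(n=3, rg="rg-corp-b", vnet="vnet-spoke-b")
APPROVED = {HUB}  # the connectivity landing zone hub is the only approved target

SAMPLE_PEERINGS = [
    Peering("spoke-a-to-hub", SPOKE_A, HUB),
    Peering("spoke-b-to-hub", SPOKE_B, HUB.upper()),   # same hub, different casing
    Peering("spoke-a-to-spoke-b", SPOKE_A, SPOKE_B),   # bypasses the central firewall
]

if __name__ == "__main__":
    for name, effect in evaluate(SAMPLE_PEERINGS, APPROVED).items():
        print(f"{effect:5} {name}")
```

Run against an exported list of existing peerings, the same `evaluate` call doubles as an audit of spoke-to-spoke links that an Audit-effect assignment would surface before switching to Deny.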