Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Feature Request - expand scope for subnets should have a nsg #1559

Open vegazbabz opened 9 months ago

vegazbabz commented 9 months ago

"Subnets should have a Network Security Group" should be considered for moving to the intermediate root group too, instead of the Identity MG and Landing Zone MG.

The reason is that it follows best practices and therefore should be on the intermediate root group rather than lower scopes:
https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#logically-segment-subnets
https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline#microsoft-defender-for-cloud-monitoring

jtracey93 commented 9 months ago

Hey @vegazbabz, good ask. It would probably need to be duplicated to platform instead, as we don't want this to stop sandbox users finding their way, and decommissioned?

Maybe a valid use for notScopes?

cc: @Springstone

vegazbabz commented 9 months ago

> Hey @vegazbabz, good ask. It would probably need to be duplicated to platform instead, as we don't want this to stop sandbox users finding their way, and decommissioned?
>
> Maybe a valid use for notScopes?
>
> cc: @Springstone

Not a big fan of duplicate assignments. I'd rather use the built-in features provided to me by the cloud. So yes, use excluded scopes / notScopes instead of multiple assignments.

Springstone commented 7 months ago

@vegazbabz No issue with expanding coverage and using notScopes; however, this will be a long-term objective, as we're busy with a very large amount of change in ALZ at the moment.
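The two options weighed in the thread, a single assignment at the intermediate root with sandbox and decommissioned excluded via notScopes, versus the same assignment duplicated on the platform and landing-zones management groups, can be compared by modelling how Azure Policy resolves assignment scope against a target. The script below is an added example, not code from this issue or from the Enterprise-Scale repository. The management-group names (contoso, contoso-platform, contoso-sandbox, ...), the subscription IDs, the subnet resource ID and the assignment name Audit-Subnet-Nsg are all constructed for the example; the policy definition GUID is the built-in "Subnets should have a Network Security Group" definition and should be verified in your own tenant.

```python
"""Constructed model of how Azure Policy applies an assignment's scope and
notScopes across an ALZ-style management-group tree.  Added example; not code
from the Azure/Enterprise-Scale repository.  All names and IDs are assumed."""

MG = "/providers/Microsoft.Management/managementGroups/"
ROOT = MG + "contoso"  # assumed name of the intermediate root MG

# Assumed ALZ-style hierarchy, child -> parent ("/" marks the tenant root).
PARENT = {
    ROOT: "/",
    MG + "contoso-platform": ROOT,
    MG + "contoso-identity": MG + "contoso-platform",
    MG + "contoso-management": MG + "contoso-platform",
    MG + "contoso-connectivity": MG + "contoso-platform",
    MG + "contoso-landingzones": ROOT,
    MG + "contoso-corp": MG + "contoso-landingzones",
    MG + "contoso-online": MG + "contoso-landingzones",
    MG + "contoso-sandbox": ROOT,
    MG + "contoso-decommissioned": ROOT,
    # constructed subscription IDs placed in the tree
    "/subscriptions/11111111-1111-1111-1111-111111111111": MG + "contoso-identity",
    "/subscriptions/22222222-2222-2222-2222-222222222222": MG + "contoso-corp",
    "/subscriptions/33333333-3333-3333-3333-333333333333": MG + "contoso-sandbox",
    "/subscriptions/44444444-4444-4444-4444-444444444444": MG + "contoso-decommissioned",
    "/subscriptions/55555555-5555-5555-5555-555555555555": ROOT,  # parked directly under root
}

# Built-in definition "Subnets should have a Network Security Group";
# verify the GUID against `az policy definition list` in your tenant.
NSG_POLICY = ("/providers/Microsoft.Authorization/policyDefinitions/"
              "e71308d3-144b-4262-b144-efdc3cc90517")


def ancestors_or_self(scope):
    """Every scope at which an assignment could reach `scope`, starting with
    the scope itself: resource -> resource group -> subscription -> MGs."""
    parts = scope.strip("/").split("/")
    chain = [scope]
    if parts[0].lower() == "subscriptions":
        sub = "/" + "/".join(parts[:2])
        if len(parts) > 4 and parts[2].lower() == "resourcegroups":
            chain.append("/" + "/".join(parts[:4]))  # enclosing resource group
        if len(parts) > 2:
            chain.append(sub)                         # enclosing subscription
        cur = PARENT.get(sub)
    else:
        cur = PARENT.get(scope)
    while cur and cur != "/":
        chain.append(cur)
        cur = PARENT.get(cur)
    return chain


def applies(assignment, target):
    """An assignment evaluates `target` iff its scope is an ancestor-or-self of
    the target and none of its notScopes is (an excluded scope takes its whole
    subtree out of evaluation)."""
    chain = {s.lower() for s in ancestors_or_self(target)}
    if assignment["scope"].lower() not in chain:
        return False
    return not any(ns.lower() in chain for ns in assignment["notScopes"])


def nsg_assignment(scope, not_scopes=()):
    """ARM-style properties for one assignment of the NSG policy (name assumed;
    the effect parameter is left at the definition's default)."""
    return {
        "name": "Audit-Subnet-Nsg",
        "scope": scope,
        "policyDefinitionId": NSG_POLICY,
        "notScopes": list(not_scopes),
        "enforcementMode": "Default",
    }


def covered(assignments, target):
    """True when at least one assignment in the set evaluates the target."""
    return any(applies(a, target) for a in assignments)


def subnet(sub_id):
    """Constructed subnet resource ID inside the given subscription."""
    return (sub_id + "/resourceGroups/rg-net/providers/Microsoft.Network"
            "/virtualNetworks/vnet-hub/subnets/snet-app")


# Option A: one assignment at the intermediate root, sandbox and
# decommissioned carved out with notScopes.
ROOT_WITH_NOTSCOPES = [nsg_assignment(
    ROOT, [MG + "contoso-sandbox", MG + "contoso-decommissioned"])]
# Option B: the assignment duplicated on platform and landing zones.
DUPLICATED = [nsg_assignment(MG + "contoso-platform"),
              nsg_assignment(MG + "contoso-landingzones")]

if __name__ == "__main__":
    for sub in [k for k in PARENT if k.startswith("/subscriptions/")]:
        print(PARENT[sub].rsplit("/", 1)[-1].ljust(24),
              "A(notScopes):", covered(ROOT_WITH_NOTSCOPES, subnet(sub)),
              "B(duplicated):", covered(DUPLICATED, subnet(sub)))
```

Running it shows the two options agree for subscriptions under identity, corp, sandbox and decommissioned, but differ for a subscription sitting directly under the intermediate root: the root-level assignment with notScopes covers it, the duplicated pair does not. That gap, plus the fact that a later child MG added under the root is covered automatically by option A, is the practical reason for preferring one assignment with excluded scopes over copies. The model also makes the caveat explicit: a notScope on an MG excludes every subscription and resource beneath it, so the list should be kept to the sandbox and decommissioned groups rather than used for ad-hoc carve-outs (Azure Policy exemptions exist for those).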