Bug Report: Deny-MgmtPorts-From-Internet.json

Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture

https://aka.ms/alz

MIT License

1.72k stars 980 forks source link

Bug Report: Deny-MgmtPorts-From-Internet.json #1766

Open rybal06 opened 2 months ago

rybal06 commented 2 months ago

Describe the bug The policy checks for the source address to be * or Internet, but doesn't check for 0.0.0.0/0.

Per https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview "0.0.0.0/0 in the Source and Destination columns represents all addresses"

Steps to reproduce

Deploy policy in deny mode.
Create an NSG, and allow port 22 from 0.0.0.0/0 address range.
Note, policy is compliant.

jtracey93 commented 2 months ago

@Springstone can you take a look

rybal06 commented 2 months ago

Opened PR: https://github.com/Azure/Enterprise-Scale/pull/1768