Open MikaelJcSoderberg opened 1 month ago
@MikaelJcSoderberg we do not assign all ALZ policies by default (most we do). We provide a number of additional policies that have been asked for or that we believe would be valuable to some customers, and this is one of those.
The two documents you refer to only document those policies/initiatives we assign by default along with the scope that we assign them to. Those documents do not include the "extra" policies we provide. We've begun providing better documentation describing those other policies here: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies-Extra (I see that specific policy doesn't have an entry yet, so we'll get that added).
I hope that clarifies.
Thank you for the feedback, yes, I did forget that alz-policy-extras is also a source I use. Glad it will be added there.
This policy is missing in the "default" list of policies: Deny-Subnet-Without-Penp
Without this setting being right, private endpoints in a subnet aren't filtered by the Network Security Group.
When I talk about sources, I'm using these to discover new policies and also to see which ones are changed/removed and to what scope to assign them:
https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/media/ALZ%20Policy%20Assignments%20v2.xlsx
I'm also using this from ALZ-Bicep https://github.com/Azure/ALZ-Bicep/blob/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
Which one is right?
1) I'm using the wrong sources for what policies should be included in an Enterprise-scale implementation?
2) A Network Security Group in a Corp landing zone doesn't need to filter traffic to Private Endpoints, and that is the reason the policy isn't included?
3) It was missed and should be added to the default list of policies. I don't know if the correct scope would be Corp or landingzones.
I think it's number three and that is the reason for posting this issue.
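The issue above turns on one subnet property: NSG rules only apply to traffic reaching a private endpoint when the subnet's `privateEndpointNetworkPolicies` is set to `Enabled`, which is what the Deny-Subnet-Without-Penp policy enforces. The following is an added example, not code from the Enterprise-Scale or ALZ-Bicep repositories: a small audit script that reads an exported list of subnet resources, reports which ones would fail the policy's check, and produces a remediated copy. It assumes the policy's compliance test reduces to `privateEndpointNetworkPolicies == 'Enabled'` (a missing property is treated as non-compliant, the same as `Disabled`), and the subnet names, ids and address ranges are constructed for the example.

```python
"""Audit subnets for private endpoint network policies (added example, not ALZ code).

Mirrors the intent of Deny-Subnet-Without-Penp: a subnet only has NSG rules
applied to private-endpoint traffic when privateEndpointNetworkPolicies is
'Enabled'. Also flags subnets that pass the check but have no NSG attached,
since the setting by itself filters nothing.
"""
import copy
import json

# Constructed sample export of subnet resources; names, ids and prefixes are made up.
SAMPLE_SUBNETS_JSON = """[
  {"name": "snet-app",
   "properties": {"addressPrefix": "10.10.1.0/24",
                  "privateEndpointNetworkPolicies": "Enabled",
                  "networkSecurityGroup": {"id": "/placeholder/nsg-app"}}},
  {"name": "snet-pe",
   "properties": {"addressPrefix": "10.10.2.0/24",
                  "privateEndpointNetworkPolicies": "Disabled",
                  "networkSecurityGroup": {"id": "/placeholder/nsg-pe"}}},
  {"name": "snet-legacy",
   "properties": {"addressPrefix": "10.10.3.0/24",
                  "networkSecurityGroup": {"id": "/placeholder/nsg-legacy"}}},
  {"name": "snet-open",
   "properties": {"addressPrefix": "10.10.4.0/24",
                  "privateEndpointNetworkPolicies": "Enabled"}}
]"""

# Assumption: the policy's compliance test is "value equals Enabled"; anything
# else (Disabled, or the property absent) is non-compliant.
REQUIRED_VALUE = "Enabled"


def load_subnets(text):
    """Parse a JSON array of subnet resources."""
    return json.loads(text)


def evaluate_subnet(subnet):
    """Return a finding dict for one subnet resource."""
    props = subnet.get("properties", {})
    value = props.get("privateEndpointNetworkPolicies")
    penp_ok = isinstance(value, str) and value.lower() == REQUIRED_VALUE.lower()
    nsg_attached = bool((props.get("networkSecurityGroup") or {}).get("id"))

    if not penp_ok:
        finding = ("privateEndpointNetworkPolicies is %r; NSG rules will not apply "
                   "to private endpoints in this subnet" % (value,))
    elif not nsg_attached:
        finding = "setting is Enabled but no NSG is attached, so nothing filters yet"
    else:
        finding = "ok"
    return {"name": subnet.get("name"), "compliant": penp_ok,
            "nsg_attached": nsg_attached, "finding": finding}


def audit(subnets):
    """Evaluate every subnet and return the list of findings."""
    return [evaluate_subnet(s) for s in subnets]


def noncompliant_names(subnets):
    """Names of subnets the policy would deny (or report as non-compliant)."""
    return [f["name"] for f in audit(subnets) if not f["compliant"]]


def remediate(subnet):
    """Return a copy of the subnet with the property set to the required value."""
    fixed = copy.deepcopy(subnet)
    fixed.setdefault("properties", {})["privateEndpointNetworkPolicies"] = REQUIRED_VALUE
    return fixed


if __name__ == "__main__":
    subnets = load_subnets(SAMPLE_SUBNETS_JSON)
    for finding in audit(subnets):
        status = "PASS" if finding["compliant"] else "FAIL"
        print("%s %-12s %s" % (status, finding["name"], finding["finding"]))
```

Running it against the constructed sample flags `snet-pe` (explicitly Disabled) and `snet-legacy` (property never set) as the subnets the policy would deny, and warns that `snet-open` passes the check but still has no NSG doing any filtering. The same audit function can be pointed at a real Resource Graph or `az network vnet subnet list` export to see which landing-zone subnets the policy would affect before assigning it at Corp or Landing Zones scope.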