Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

Rule does not detect more restrictive NSG rules #831

Closed vicperdana closed 3 years ago

vicperdana commented 3 years ago

https://github.com/Azure/PSRule.Rules.Azure/blob/536f1a5dc534a1cdc4633f9c6c0caa2a1dc1696a/src/PSRule.Rules.Azure/rules/Azure.VirtualNetwork.Rule.ps1#L166

If the NSG has rules to deny outbound traffic from VNET to VNET and Internet, the rule should detect this and mark the validation as "Pass".


BernieWhite commented 3 years ago

Awesome. Thanks @vicperdana

BernieWhite commented 3 years ago

In the spirit of lateral traversal, I don't think management ports outbound to the internet are a concern. If we block management traffic to VirtualNetwork or * via either 3389, 22, or *, I think that addresses the requirement.

vicperdana commented 3 years ago

Agreed.
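As an added example (not code from PSRule.Rules.Azure or the linked rule file), the following Python snippet simulates the NSG first-match evaluation this thread is about: outbound rules are walked in priority order with Azure's default rules behind them, and the check passes only when TCP 22 and 3389 are denied toward the chosen destinations (VirtualNetwork and Internet by default, or VirtualNetwork alone as the second comment suggests). The rule dict shape mirrors ARM `securityRules` properties; the helper names and the sample NSGs are assumptions constructed for illustration.

```python
# Added example (not PSRule.Rules.Azure code): simulate Azure NSG first-match evaluation
# to decide whether outbound management traffic (TCP 22 and 3389) is denied. Rule dicts
# mimic ARM 'securityRules' properties; the sample NSGs at the bottom are constructed.
MANAGEMENT_PORTS = (22, 3389)

def rule(name, priority, access, dest, ports, protocol="*", src="*"):
    return {"name": name, "priority": priority, "access": access, "direction": "Outbound",
            "protocol": protocol, "sourceAddressPrefix": src,
            "destinationAddressPrefix": dest, "destinationPortRanges": list(ports)}

# Azure's built-in default outbound rules; they sit behind every custom rule.
DEFAULT_OUTBOUND = [
    rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", ["*"], src="VirtualNetwork"),
    rule("AllowInternetOutBound", 65001, "Allow", "Internet", ["*"]),
    rule("DenyAllOutBound", 65500, "Deny", "*", ["*"]),
]

def _port_matches(r, port):
    ranges = r.get("destinationPortRanges") or [r.get("destinationPortRange", "*")]
    for item in ranges:
        if item == "*":
            return True
        lo, _, hi = item.partition("-")  # "22" or "3000-4000"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _matches(r, port, dest):
    prefixes = r.get("destinationAddressPrefixes") or [r.get("destinationAddressPrefix", "*")]
    return (r["direction"] == "Outbound" and r["protocol"] in ("*", "Tcp")
            and any(p in ("*", dest) for p in prefixes) and _port_matches(r, port))

def first_match(rules, port, dest):
    # Lowest priority number wins; the default rules guarantee some rule matches.
    return next(r for r in sorted(rules + DEFAULT_OUTBOUND, key=lambda r: r["priority"])
                if _matches(r, port, dest))

def denies_outbound_management(rules, destinations=("VirtualNetwork", "Internet")):
    # Pass only if every management port is denied toward every listed destination.
    return all(first_match(rules, port, dest)["access"] == "Deny"
               for port in MANAGEMENT_PORTS for dest in destinations)

# Constructed NSGs. ALLOW_BEFORE_DENY shows why priority matters: the earlier Allow wins.
DENY_VNET_ONLY = [rule("DenyMgmtVnet", 100, "Deny", "VirtualNetwork", ["22", "3389"])]
DENY_ANY_DEST = [rule("DenyMgmtAny", 100, "Deny", "*", ["22", "3389"], protocol="Tcp")]
ALLOW_BEFORE_DENY = [rule("AllowRdp", 100, "Allow", "VirtualNetwork", ["3389"]),
                     rule("DenyAll", 200, "Deny", "*", ["*"])]
if __name__ == "__main__":
    for n, nsg in [("none", []), ("vnet", DENY_VNET_ONLY), ("any", DENY_ANY_DEST), ("allow-first", ALLOW_BEFORE_DENY)]:
        print(n, denies_outbound_management(nsg))
```

Note that a deny scoped to VirtualNetwork alone fails the default check because the built-in AllowInternetOutBound rule still matches Internet-bound traffic; pass `destinations=("VirtualNetwork",)` to evaluate the narrower requirement from the second comment.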