Closed shannawaz closed 8 months ago
Related to #353
Need to test the policies in the different clouds to ensure this configuration works everywhere. Otherwise, create conditions for each cloud.
References for configuration:
Discussed with team. Will not implement.
Benefit/Result/Outcome
Private endpoints are required in the workload tier to connect to Azure services privately and securely. You can completely lock down your workloads to prevent them from accessing public endpoints to connect to a supported Azure service. This control provides an extra network security layer to your resources, and this security provides protection that helps prevent access to other resources that are hosted on the same Azure service.
Description
See the error message below when endpoints are created for a database in the workload tier (inner JSON string unescaped for readability):

```json
"code": "BadRequest",
"message": {
  "error": {
    "code": "PrivateEndpointCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled",
    "message": "Private endpoint /subscriptions/xxxxxx/resourceGroups/rg-smlzprodeastus-keyVault/providers/Microsoft.Network/privateEndpoints/ep-smlzprodeastus-vault cannot be created in a subnet /subscriptions/xxxxx/resourceGroups/newWorkload-rg/providers/Microsoft.Network/virtualNetworks/newWorkload-vnet/subnets/newWorkload-subnet since it has private endpoint network policies enabled.",
    "details": []
  }
}
```
Module
```bicep
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
  name: '${virtualNetworkName}/${subnetName}'
  properties: {
    addressPrefix: subnetAddressPrefix
    networkSecurityGroup: {
      id: networkSecurityGroup.outputs.id
    }
    routeTable: {
      id: routeTable.outputs.id
    }
    serviceEndpoints: subnetServiceEndpoints
    // Must be 'Disabled' for private endpoints to be created in this subnet;
    // otherwise Azure returns PrivateEndpointCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled.
    privateEndpointNetworkPolicies: 'Disabled'
    privateLinkServiceNetworkPolicies: 'Enabled'
  }
  dependsOn: [
    virtualNetwork
    firewall
  ]
}
```
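Added example, not part of this issue or the project's code: a pre-deployment check over a compiled ARM template that flags every private endpoint whose target subnet would still reject it with the error above, because `privateEndpointNetworkPolicies` is not `Disabled`. The sample template, the `pe-subnet` / `ep-sql` names and the assumption that an omitted property defaults to `Enabled` (the behaviour of older API versions such as 2021-02-01) are constructed for the example.

```python
import re

ERROR_CODE = "PrivateEndpointCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled"
SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"
ENDPOINT_TYPE = "Microsoft.Network/privateEndpoints"


def effective_policy(subnet):
    """Effective privateEndpointNetworkPolicies; absent -> 'Enabled' (assumed default for 2021-02-01)."""
    return subnet.get("properties", {}).get("privateEndpointNetworkPolicies", "Enabled")


def subnet_key(subnet_id):
    """Reduce a full subnet resource id to 'vnet/subnet', the name form a child subnet resource uses."""
    m = re.search(r"virtualNetworks/([^/]+)/subnets/([^/]+)$", subnet_id)
    return f"{m.group(1)}/{m.group(2)}" if m else subnet_id


def find_blocked_endpoints(template):
    """Return [(endpoint name, subnet key)] for endpoints whose subnet would raise ERROR_CODE."""
    resources = template.get("resources", [])
    subnets = {r["name"]: r for r in resources if r["type"] == SUBNET_TYPE}
    blocked = []
    for r in resources:
        if r["type"] != ENDPOINT_TYPE:
            continue
        key = subnet_key(r["properties"]["subnet"]["id"])
        subnet = subnets.get(key)
        # Subnets defined outside this template cannot be checked here and are skipped.
        if subnet is not None and effective_policy(subnet).lower() != "disabled":
            blocked.append((r["name"], key))
    return blocked


# Constructed sample in compiled-ARM shape: one subnet that omits the property
# (so it stays Enabled) and one that sets it to Disabled, each targeted by an endpoint.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": SUBNET_TYPE, "name": "newWorkload-vnet/newWorkload-subnet",
         "properties": {"addressPrefix": "10.1.0.0/24"}},
        {"type": SUBNET_TYPE, "name": "newWorkload-vnet/pe-subnet",
         "properties": {"addressPrefix": "10.1.1.0/24", "privateEndpointNetworkPolicies": "Disabled"}},
        {"type": ENDPOINT_TYPE, "name": "ep-smlzprodeastus-vault",
         "properties": {"subnet": {"id": "/subscriptions/xxxxxx/resourceGroups/newWorkload-rg"
                                         "/providers/Microsoft.Network/virtualNetworks"
                                         "/newWorkload-vnet/subnets/newWorkload-subnet"}}},
        {"type": ENDPOINT_TYPE, "name": "ep-sql",
         "properties": {"subnet": {"id": "/virtualNetworks/newWorkload-vnet/subnets/pe-subnet"}}},
    ]
}
```

Running `find_blocked_endpoints(SAMPLE_TEMPLATE)` reports only `ep-smlzprodeastus-vault`, the endpoint aimed at the subnet that never set the property.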