
Feature Request - expand scope for subnets should have a nsg

Open vegazbabz opened this issue 2 years ago • 3 comments

"Subnets should have a Network Security Group" should be considered to be moved to the intermediate root group instead of the Identity MG and Landing Zone MG.

Reason is that it follows best practices and therefore should be on intermediate root group rather than lower scopes: https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#logically-segment-subnets https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline#microsoft-defender-for-cloud-monitoring

vegazbabz avatar Feb 04 '24 16:02 vegazbabz

Hey @vegazbabz, good ask. Would probably need to just be duplicated to platform instead as we don't want this to stop sandbox users finding their way and decommissioned?

Maybe a valid use for notScopes?

cc: @Springstone

jtracey93 avatar Feb 05 '24 12:02 jtracey93

Not a big fan of duplicate assignments. I'd rather use the built-in features provided to me by the cloud. So yes, use excluded scope / notScopes instead of multiple assignments.

vegazbabz avatar Feb 08 '24 22:02 vegazbabz

@vegazbabz No issue with expanding coverage and using notScopes; however, this will be a long-term objective as we're busy with a very large amount of change in ALZ at the moment.

Springstone avatar Apr 26 '24 10:04 Springstone
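As an added illustration of the notScopes approach agreed above (example code, not from the Enterprise-Scale repo), this Bicep file assigns the built-in "Subnets should have a Network Security Group" definition once at the intermediate root management group and excludes the sandbox and decommissioned management groups through `notScopes` rather than duplicating the assignment. The management group names and the assignment name are assumed placeholders; the built-in definition GUID is the one I know for this policy, so verify it in your tenant before deploying.

```bicep
// Added example, not part of the ALZ reference implementation.
// Deploy at the intermediate root MG, e.g.:
//   az deployment mg create --management-group-id <intermediate-root-mg> --location <region> --template-file main.bicep
targetScope = 'managementGroup'

// Assumed child MG names that should NOT be held to this control.
param excludedMgNames array = [
  'alz-sandbox'
  'alz-decommissioned'
]

// Built-in definition "Subnets should have a Network Security Group".
// Verify the GUID with:
//   az policy definition list --query "[?displayName=='Subnets should have a Network Security Group'].name"
var nsgPolicyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517'

// One assignment at the deployment scope (the intermediate root MG), inherited
// by every child MG except those listed in notScopes.
resource nsgAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'Audit-Subnet-NoNsg' // assumed name; must be <= 24 chars at MG scope
  properties: {
    displayName: 'Subnets should have a Network Security Group'
    policyDefinitionId: nsgPolicyDefinitionId
    enforcementMode: 'Default'
    parameters: {
      // This built-in only supports AuditIfNotExists or Disabled.
      effect: {
        value: 'AuditIfNotExists'
      }
    }
    // Excluded scopes: full MG resource ids, built from the short names above.
    notScopes: [for mg in excludedMgNames: tenantResourceId('Microsoft.Management/managementGroups', mg)]
  }
}

// Surface the assignment id and the computed exclusions for review.
output assignmentId string = nsgAssignment.id
output excludedScopes array = nsgAssignment.properties.notScopes
```

Because this definition is audit-only, compliance results for the remaining child MGs (Platform, Landing Zones, Identity) show up in Defender for Cloud without any second assignment at those lower scopes.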