Governance Policies Azure Networking Network Interface - Azure/az-prototype GitHub Wiki
Governance policies for Network Interface
Domain: azure-networking
| Name | Description |
|---|---|
| Network interface with NSG and accelerated networking | Production NIC with mandatory NSG, no public IP, and accelerated networking |
| Description | Instead |
|---|---|
| Do not deploy NICs without a Network Security Group | Always associate an NSG with every NIC or its subnet |
| Do not assign public IP addresses to NICs | Use Azure Bastion for management and internal load balancers for application access |
| Check | Severity | Description |
|---|---|---|
| AZ-NIC-001 | Required | Associate every NIC with a Network Security Group |
| AZ-NIC-002 | Required | Do not assign public IP addresses directly to network interfaces |
| AZ-NIC-003 | Recommended | Enable accelerated networking on supported VM sizes |
| AZ-NIC-004 | Recommended | Use static private IP allocation for infrastructure VMs (domain controllers, DNS servers) |
Associate every NIC with a Network Security Group
Severity: Required
Rationale: NICs without NSGs allow all inbound and outbound traffic by default
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/networkInterfaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkSecurityGroups | nsg-resource | NSG with least-privilege rules |
| Microsoft.Network/virtualNetworks/subnets | snet-resource | Target subnet |
Do not assign public IP addresses directly to network interfaces
Severity: Required
Rationale: Direct public IP assignment bypasses centralized ingress controls and exposes the VM to the internet
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Network/networkInterfaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/bastionHosts | bas-mgmt | For management access instead of public IPs |
| Microsoft.Network/loadBalancers | lb | For application traffic instead of public IPs |
Enable accelerated networking on supported VM sizes
Severity: Recommended
Rationale: Accelerated networking provides up to 30Gbps throughput and lower latency via SR-IOV
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/networkInterfaces
Use static private IP allocation for infrastructure VMs (domain controllers, DNS servers)
Severity: Recommended
Rationale: Dynamic IPs can change on deallocation, breaking dependent services
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/networkInterfaces