Governance Policies Security Network Isolation - Azure/az-prototype GitHub Wiki

# Governance policies for Network Isolation

Domain: security

## Patterns

| Name | Description |
|---|---|
| Private endpoint for Key Vault | Create private endpoint and disable public access |

## Anti-patterns

| Description | Instead |
|---|---|
| Do not allow 0.0.0.0/0 in any NSG or firewall rule | Use specific IP ranges or service tags |
| Do not rely solely on service firewalls without VNET integration | Use private endpoints + VNET integration for defense in depth |

## Checks

| Check | Severity | Description |
|---|---|---|
| WAF-SEC-NET-001 | Required | Disable public network access AND use private endpoints for all PaaS data services. Set `publicNetworkAccess` to `Disabled` (or `public_network_access_enabled` to `false`) on every PaaS resource. NEVER generate `public_network_access_enabled = true` or `publicNetworkAccess = Enabled`. |
| WAF-SEC-NET-002 | Required | Deploy workloads in a dedicated subnet within the landing zone VNET |
| WAF-SEC-NET-005 | Required | Every Azure PaaS resource that supports `publicNetworkAccess` MUST explicitly set it to `Disabled` — including `publicNetworkAccessForIngestion` and `publicNetworkAccessForQuery` on Log Analytics and Application Insights. This applies to ALL environments including POC and development. There are NO exceptions — POC environments MUST be secure. In Terraform `azapi_resource` body blocks, set `publicNetworkAccess = "Disabled"`. In Bicep, set `properties.publicNetworkAccess = 'Disabled'`. |
| WAF-SEC-NET-003 | Recommended | Use NSGs to restrict traffic between subnets to only required ports |
| WAF-SEC-NET-004 | Recommended | Enable diagnostic logging on NSGs for traffic auditing |
### WAF-SEC-NET-001

Disable public network access AND use private endpoints for all PaaS data services. Set `publicNetworkAccess` to `Disabled` (or `public_network_access_enabled` to `false`) on every PaaS resource. NEVER generate `public_network_access_enabled = true` or `publicNetworkAccess = Enabled`.

Severity: Required

Rationale: Eliminates public internet exposure for the data plane. Both disabling public access AND adding private endpoints are required — private endpoints alone do not block public access.

Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst

Applies to:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.ContainerRegistry/registries
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.OperationalInsights/workspaces
### WAF-SEC-NET-002

Deploy workloads in a dedicated subnet within the landing zone VNET.

Severity: Required

Rationale: Network segmentation enables NSG and route table controls.

Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst

Applies to:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.ContainerRegistry/registries
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.ContainerService/managedClusters
### WAF-SEC-NET-005

Every Azure PaaS resource that supports `publicNetworkAccess` MUST explicitly set it to `Disabled` — including `publicNetworkAccessForIngestion` and `publicNetworkAccessForQuery` on Log Analytics and Application Insights. This applies to ALL environments including POC and development. There are NO exceptions — POC environments MUST be secure. In Terraform `azapi_resource` body blocks, set `publicNetworkAccess = "Disabled"`. In Bicep, set `properties.publicNetworkAccess = 'Disabled'`.

Severity: Required

Rationale: Azure PaaS services default to public access enabled. Omitting the property results in a public endpoint. This rule applies to POC, development, AND production — there are no security exemptions for non-production environments.

Agents: terraform-agent, bicep-agent

Applies to:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.ContainerRegistry/registries
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.OperationalInsights/workspaces
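The following checker is an added example and not code from the az-prototype project. It implements WAF-SEC-NET-001 and WAF-SEC-NET-005 (and the Key Vault pattern in the table above) over a deployment expressed as plain Python dicts in the ARM / azapi body shape (`type`, `name`, `id`, `properties`): every in-scope PaaS resource whose access switch is omitted (Azure then keeps its Enabled default) or set to anything other than `Disabled` is flagged, Log Analytics and Application Insights are treated as having an ingestion switch and a query switch that both must be `Disabled`, and each data service must be the target of some `Microsoft.Network/privateEndpoints` resource, because the rationale above states that private endpoints alone do not block public access. The sample deployment, the all-zero subscription id and the resource names are constructed; the resource-type list is a subset of the page's (for SQL the switch lives on the server resource, and the flexible-server types are left out because they nest the switch under `properties.network`).

```python
"""Policy check for WAF-SEC-NET-001 / WAF-SEC-NET-005 (added example, not
project code). Resources are plain dicts in ARM / azapi body shape."""
from __future__ import annotations

from dataclasses import dataclass

# Log Analytics and Application Insights split the switch into an ingestion side
# and a query side; both must be Disabled.
SPLIT_ACCESS_TYPES = {
    "Microsoft.OperationalInsights/workspaces",
    "Microsoft.Insights/components",
}
SPLIT_PROPS = ("publicNetworkAccessForIngestion", "publicNetworkAccessForQuery")
SINGLE_PROP = ("publicNetworkAccess",)

# Subset of the page's resource-type list. For SQL the switch lives on the server
# resource, not the database; the PostgreSQL/MySQL flexible servers nest it under
# properties.network and are left out of this example.
PAAS_TYPES = {
    "Microsoft.KeyVault/vaults",
    "Microsoft.Storage/storageAccounts",
    "Microsoft.Sql/servers",
    "Microsoft.DocumentDB/databaseAccounts",
    "Microsoft.Cache/redis",
    "Microsoft.ServiceBus/namespaces",
    "Microsoft.EventHub/namespaces",
    "Microsoft.ContainerRegistry/registries",
    "Microsoft.CognitiveServices/accounts",
    "Microsoft.Search/searchServices",
}


@dataclass(frozen=True)
class Finding:
    check: str
    resource: str
    message: str


def _private_endpoint_targets(resources: list[dict]) -> set[str]:
    """Lower-cased ids of every resource that some private endpoint connects to."""
    targets: set[str] = set()
    for r in resources:
        if r.get("type") != "Microsoft.Network/privateEndpoints":
            continue
        for conn in r.get("properties", {}).get("privateLinkServiceConnections", []):
            target = conn.get("properties", {}).get("privateLinkServiceId")
            if target:
                targets.add(target.lower())
    return targets


def check_public_access(resources: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    pe_targets = _private_endpoint_targets(resources)
    for r in resources:
        rtype, name = r.get("type"), r.get("name", "<unnamed>")
        if rtype not in PAAS_TYPES | SPLIT_ACCESS_TYPES:
            continue
        props = r.get("properties", {})
        keys = SPLIT_PROPS if rtype in SPLIT_ACCESS_TYPES else SINGLE_PROP
        for key in keys:
            value = props.get(key)
            if value is None:
                # Omitting the property leaves the Azure default, which is Enabled.
                findings.append(Finding("WAF-SEC-NET-005", name,
                                        f"{key} omitted (defaults to Enabled)"))
            elif str(value).lower() != "disabled":
                findings.append(Finding("WAF-SEC-NET-005", name,
                                        f"{key} = {value!r}, must be Disabled"))
        # Log Analytics / App Insights are reached through an Azure Monitor Private
        # Link Scope rather than a private endpoint on the workspace itself, so the
        # private-endpoint requirement is only modelled for the other types here.
        if rtype not in SPLIT_ACCESS_TYPES and r.get("id", "").lower() not in pe_targets:
            findings.append(Finding("WAF-SEC-NET-001", name,
                                    "no private endpoint targets this resource"))
    return findings


# Constructed sample deployment: placeholder subscription id and names.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/"
KV_ID = RG + "Microsoft.KeyVault/vaults/kv-app"
SAMPLE_DEPLOYMENT = [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-app", "id": KV_ID,
     "properties": {"publicNetworkAccess": "Disabled"}},                # compliant
    {"type": "Microsoft.Storage/storageAccounts", "name": "stapp",
     "id": RG + "Microsoft.Storage/storageAccounts/stapp",
     "properties": {"publicNetworkAccess": "Enabled"}},                 # NET-005 and NET-001
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-app",
     "id": RG + "Microsoft.DocumentDB/databaseAccounts/cosmos-app",
     "properties": {}},                                                 # switch omitted
    {"type": "Microsoft.OperationalInsights/workspaces", "name": "law-app",
     "id": RG + "Microsoft.OperationalInsights/workspaces/law-app",
     "properties": {"publicNetworkAccessForIngestion": "Disabled"}},    # query side missing
    {"type": "Microsoft.Network/privateEndpoints", "name": "pe-kv-app",
     "properties": {"subnet": {"id": RG + "Microsoft.Network/virtualNetworks/vnet-lz/subnets/snet-pe"},
                    "privateLinkServiceConnections": [{"name": "kv-app", "properties": {
                        "privateLinkServiceId": KV_ID, "groupIds": ["vault"]}}]}},
]

if __name__ == "__main__":
    for f in check_public_access(SAMPLE_DEPLOYMENT):
        print(f"{f.check} {f.resource}: {f.message}")
```

Run against the constructed sample, the Key Vault passes and the other three data services produce five findings: the storage account and Cosmos account each fail both checks, and the workspace fails WAF-SEC-NET-005 only because its query-side switch was never set. Wiring the same function into a Terraform or Bicep pipeline is a matter of converting the planned resources into this dict shape.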
### WAF-SEC-NET-003

Use NSGs to restrict traffic between subnets to only required ports.

Severity: Recommended

Rationale: Defense in depth beyond private endpoints.

Agents: cloud-architect, terraform-agent, bicep-agent

Applies to:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ContainerService/managedClusters
- Microsoft.ContainerRegistry/registries
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
### WAF-SEC-NET-004

Enable diagnostic logging on NSGs for traffic auditing.

Severity: Recommended

Rationale: Required for incident investigation and compliance.

Agents: cloud-architect, terraform-agent, bicep-agent

Applies to:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.Cache/redis
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
- Microsoft.ContainerService/managedClusters
- Microsoft.ContainerRegistry/registries
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
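A companion NSG checker, again an added example rather than the project's code, covering the anti-pattern table's ban on 0.0.0.0/0, WAF-SEC-NET-003 (allow rules must name specific destination ports) and WAF-SEC-NET-004 (each NSG needs a diagnostic setting with at least one log category enabled). It goes slightly beyond the page's wording in one respect: the NSG wildcard `*` is treated as equivalent to 0.0.0.0/0, since Azure evaluates it as any address. Service tags such as `VirtualNetwork` pass, as the table allows. Input is the same ARM-shaped dict form as above; the sample NSGs, the diagnostic setting and every id are constructed.

```python
"""NSG checks for the anti-pattern table, WAF-SEC-NET-003 and WAF-SEC-NET-004
(added example, not project code). Resources are dicts in ARM body shape."""
from __future__ import annotations

from dataclasses import dataclass

ANY_ADDRESS = {"0.0.0.0/0", "*"}   # "*" is the NSG wildcard and matches every address
ANY_PORT = {"*", "0-65535"}


@dataclass(frozen=True)
class Finding:
    check: str
    resource: str
    message: str


def _values(props: dict, single: str, many: str) -> list[str]:
    """ARM rules carry either a single prefix/port field or a plural list."""
    return [v for v in [props.get(single), *props.get(many, [])] if v]


def _logged_scopes(resources: list[dict]) -> set[str]:
    """Ids of resources that have a diagnostic setting with at least one enabled log."""
    scopes: set[str] = set()
    for r in resources:
        if r.get("type") != "Microsoft.Insights/diagnosticSettings":
            continue
        if any(log.get("enabled") for log in r.get("properties", {}).get("logs", [])):
            scopes.add(r.get("scope", "").lower())
    return scopes


def check_nsgs(resources: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    logged = _logged_scopes(resources)
    for r in resources:
        if r.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        name = r.get("name", "<unnamed>")
        for rule in r.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            if str(p.get("access", "")).lower() != "allow":
                continue  # Deny rules cannot widen exposure
            rname = f"{name}/{rule.get('name')}"
            # Inbound rules are judged by where traffic comes from, outbound by where it goes.
            side = "source" if str(p.get("direction", "")).lower() == "inbound" else "destination"
            prefixes = _values(p, f"{side}AddressPrefix", f"{side}AddressPrefixes")
            if any(x in ANY_ADDRESS for x in prefixes):
                findings.append(Finding("anti-pattern/0.0.0.0/0", rname,
                                        f"{side} prefix allows any address; use specific ranges or service tags"))
            ports = _values(p, "destinationPortRange", "destinationPortRanges")
            if any(x in ANY_PORT for x in ports):
                findings.append(Finding("WAF-SEC-NET-003", rname,
                                        "allows every destination port; restrict to required ports"))
        if r.get("id", "").lower() not in logged:
            findings.append(Finding("WAF-SEC-NET-004", name,
                                    "no diagnostic setting with enabled logs targets this NSG"))
    return findings


# Constructed sample: placeholder subscription id, names and address ranges.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/"
NSG_APP_ID = RG + "Microsoft.Network/networkSecurityGroups/nsg-app"


def _rule(name: str, direction: str, src: str, dst_port: str, priority: int) -> dict:
    return {"name": name, "properties": {
        "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": dst_port,
        "sourceAddressPrefix": src, "destinationAddressPrefix": "VirtualNetwork",
        "access": "Allow", "priority": priority, "direction": direction}}


SAMPLE_DEPLOYMENT = [
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-app", "id": NSG_APP_ID,
     "properties": {"securityRules": [
         _rule("allow-https-from-app-subnet", "Inbound", "10.0.1.0/24", "443", 100),  # fine
         _rule("allow-anything-from-anywhere", "Inbound", "0.0.0.0/0", "*", 110),     # two findings
         _rule("allow-pg-from-vnet", "Inbound", "VirtualNetwork", "5432", 120),       # service tag, fine
     ]}},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "diag-nsg-app", "scope": NSG_APP_ID,
     "properties": {"workspaceId": RG + "Microsoft.OperationalInsights/workspaces/law-app",
                    "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": True},
                             {"category": "NetworkSecurityGroupRuleCounter", "enabled": True}]}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-db",
     "id": RG + "Microsoft.Network/networkSecurityGroups/nsg-db",
     "properties": {"securityRules": [
         _rule("allow-sql-from-app-subnet", "Inbound", "10.0.1.0/24", "1433", 100),
     ]}},                                                              # no diagnostic setting
]

if __name__ == "__main__":
    for f in check_nsgs(SAMPLE_DEPLOYMENT):
        print(f"{f.check} {f.resource}: {f.message}")
```

On the constructed sample the wide-open rule on `nsg-app` yields both an any-address and an any-port finding, while `nsg-db` has tight rules but no diagnostic setting and so fails WAF-SEC-NET-004 only. Deny rules are skipped on purpose: they can only narrow exposure, and a wildcard in a Deny rule is the usual catch-all at the bottom of a rule set.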