Merge branch 'main' into fix-874-mdfc-containers
jtracey93 committed Jan 28, 2022
2 parents ae00018 + e977b6c commit f41c87d
Showing 5 changed files with 254 additions and 72 deletions.
6 changes: 3 additions & 3 deletions docs/ESLZ-Policies.md
Expand Up @@ -106,8 +106,8 @@ We work with - and learn from our customers and partners to ensure that we evolv
| Deploy an Azure DDoS Protection Standard plan | Deploys and creates the DDoS Protection Standard plan into the connectivity subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended, in Adventure Works | Connectivity Management Group | Network |
| Deny VNET peering | Denies creation of VNET peering | deny, audit, disabled | 1.0.1 | Custom policy | Yes, recommended | Sandboxes Management Group | Network |
| Deny VNET peering cross subscription | Denies the creation of VNET peering outside of the same subscription | deny, audit, disabled | 1.0.1 | Custom policy | No | Sandboxes Management Group | Network |
| Subnets should have a User Defined Route | Denies the creation of a subnet without having a User-Defined Route, except the `AzureBastionSubnet` as this is not supported as documented [here](https://docs.microsoft.com/azure/bastion/bastion-overview#udr). The `AzureBastionSubnet` is only allowed to contain the Azure Bastion service, this is enforced by the Azure platform itself. | deny, audit, disabled | 1.1.0 | Custom policy | No | Landing Zones Management Group | Network |
| Subnets should have a Network Security Group | Denies the creation of a subnet that is not associated with a Network Security Group, except the `GatewaySubnet`, `AzureFirewallSubnet` and the `AzureFirewallManagementSubnet` as these subnets do not support NSGs as per their docs pages. | deny, audit, disabled | 1.1.0 | Custom policy | No | Landing Zones Management Group | Network |
| Subnets should have a User Defined Route | Denies the creation of a subnet without having a User-Defined Route, except the `AzureBastionSubnet` as this is not supported as documented [here](https://docs.microsoft.com/azure/bastion/bastion-overview#udr). The `AzureBastionSubnet` is only allowed to contain the Azure Bastion service, this is enforced by the Azure platform itself. | deny, audit, disabled | 2.0.0 | Custom policy | No | Landing Zones Management Group | Network |
| Subnets should have a Network Security Group | Denies the creation of a subnet that is not associated with a Network Security Group, except the `GatewaySubnet`, `AzureFirewallSubnet` and the `AzureFirewallManagementSubnet` as these subnets do not support NSGs as per their docs pages. | deny, audit, disabled | 2.0.0 | Custom policy | No | Landing Zones Management Group | Network |
| RDP access from the Internet should be blocked | Denies any network security rule that allows RDP access from Internet | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group, Identity Management Group | Network |
| Application Gateway should be deployed with WAF enabled | Denies creation of Application Gateways when WAF is not enabled | deny, audit, disabled | 1.0.0 | Custom policy | No | Landing Zones Management Group | Network |
| Deny creation of Public IP Addresses | Denies creation of public IP addresses | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | Network |
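Review bot: the two rows for `Subnets should have a User Defined Route` and `Subnets should have a Network Security Group` change only the version column (1.1.0 to 2.0.0) and leave the description untouched, so a reader of this table cannot tell why the bump is a major one. The 2.0.0 rule in this same commit also evaluates subnets declared inline in a `Microsoft.Network/virtualNetworks` resource rather than only standalone `Microsoft.Network/virtualNetworks/subnets` resources, which is a behavioural change for anyone with the assignment on `deny`; suggest saying so in the description, e.g. `Denies the creation of a subnet, whether deployed standalone or inline in a virtual network, without a User-Defined Route ...`.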
Expand Down Expand Up @@ -172,4 +172,4 @@ We work with - and learn from our customers and partners to ensure that we evolv
| Deploy Microsoft Defender for Cloud for App Services | Deploys and enable Microsoft Defender for Cloud for App Services on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for AKV | Deploys and enable Microsoft Defender for Cloud for Azure Key Vault on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for Containers | Deploys and enable Microsoft Defender for Cloud for Containers (Kubernetes and Container Registries) on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for open-source relational databases | Deploys and enable Microsoft Defender for Cloud for open-source relational databases on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for open-source relational databases | Deploys and enable Microsoft Defender for Cloud for open-source relational databases on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
2 changes: 2 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -47,6 +47,8 @@ Here's what's changed in Enterprise Scale:

### Policy

- Updated `Deny-Subnet-Without-Nsg` & `Deny-Subnet-Without-Udr` to version 2.0.0
- Fixes scenario described in issue issue [#407](https://github.com/Azure/Enterprise-Scale/issues/407)
- Updated `Deploy-ASCDF-Config` policy initiative with changes relating to new [Microsoft Defender for Cloud Containers plan](https://docs.microsoft.com/azure/defender-for-cloud/release-notes#microsoft-defender-for-containers-plan-released-for-general-availability-ga) as documented in issue [#874](https://github.com/Azure/Enterprise-Scale/issues/874)
- Updated in Public (Commercial), Fairfax (Gov) and Mooncake (China)
- Updated portal experiences for Public and Fairfax
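Review bot: `Fixes scenario described in issue issue [#407]` repeats the word `issue`; suggest `- Fixes scenario described in issue [#407](https://github.com/Azure/Enterprise-Scale/issues/407)`. It would also help readers to state in that bullet what the 2.0.0 change actually does (the policies now evaluate subnets defined inline on a virtual network as well as standalone subnet resources), since a major version bump in a `deny` policy is something assignment owners need to plan for.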
Original file line number Diff line number Diff line change
Expand Up @@ -6920,7 +6920,7 @@
},
{
"properties": {
"description": "This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level.",
"description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.",
"displayName": "Subnets should have a Network Security Group",
"mode": "All",
"parameters": {
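Review bot: the new description fixes `subsnet with out an` but the second sentence, `NSG help to protect traffic across subnet-level.`, is still ungrammatical; since the string is being touched anyway, suggest `NSGs help protect traffic at the subnet level.` so both sentences read cleanly in the portal.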
Expand Down Expand Up @@ -6951,23 +6951,53 @@
}
},
"metadata": {
"version": "1.1.0",
"version": "2.0.0",
"category": "Network"
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
"anyOf": [
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
"allOf": [
{
"equals": "Microsoft.Network/virtualNetworks",
"field": "type"
},
{
"count": {
"field": "Microsoft.Network/virtualNetworks/subnets[*]",
"where": {
"allOf": [
{
"exists": "false",
"field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets[*].name",
"notIn": "[[parameters('excludedSubnets')]"
}
]
}
},
"notEquals": 0
}
]
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": "false"
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": "false"
}
]
}
]
},
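Review bot: the new `anyOf` closes a real gap: the 1.1.0 rule only matched `"type": "Microsoft.Network/virtualNetworks/subnets"`, so subnets declared inline in the body of a `Microsoft.Network/virtualNetworks` deployment never produced a subnet-typed evaluation and could be created without an NSG. The first branch now matches the VNet itself and uses `count` over `Microsoft.Network/virtualNetworks/subnets[*]` with a `where` that selects subnets whose `networkSecurityGroup.id` does not exist and whose name is not in `excludedSubnets`; `"notEquals": 0` then denies the whole VNet deployment if at least one such subnet is present, while the second branch keeps the original standalone-subnet check. Two points: in the new `count` block the condition objects are written operator-first (`"exists": "false"` before `"field": ...`, `"equals": ...` before `"field": "type"`), whereas the retained standalone branch keeps `field` first; one ordering across both branches makes the rule easier to diff and review. And because a non-compliant inline subnet now fails the entire VNet resource rather than only that subnet, the bump to 2.0.0 is appropriate; assignment owners currently on `deny` should be told that existing templates deploying subnets inline can start failing after the update.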
Expand All @@ -6983,9 +7013,9 @@
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies the creation of a subnet with out a User Defined Route.",
"description": "This policy denies the creation of a subnet without a User Defined Route (UDR).",
"metadata": {
"version": "1.1.0",
"version": "2.0.0",
"category": "Network"
},
"parameters": {
Expand Down Expand Up @@ -7015,18 +7045,48 @@
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
"anyOf": [
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
"allOf": [
{
"equals": "Microsoft.Network/virtualNetworks",
"field": "type"
},
{
"count": {
"field": "Microsoft.Network/virtualNetworks/subnets[*]",
"where": {
"allOf": [
{
"exists": "false",
"field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets[*].name",
"notIn": "[[parameters('excludedSubnets')]"
}
]
}
},
"notEquals": 0
}
]
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
}
]
}
]
},
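Review bot: this mirrors the NSG rule above with `routeTable.id` in place of `networkSecurityGroup.id`, which is the right fix for inline subnets, but the same inconsistency applies: the new `count` branch lists `exists` before `field`, while the standalone `Microsoft.Network/virtualNetworks/subnets` branch lists `field` first; suggest normalising to `field` first in both. One caveat worth a comment in the rule or docs: `exists: "false"` on `routeTable.id` only checks that some route table is attached; it says nothing about the routes it contains, so this policy enforces association, not that traffic is actually forced through a next hop.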
Expand Down Expand Up @@ -16378,4 +16438,4 @@
}
}
]
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -6966,7 +6966,7 @@
},
{
"properties": {
"description": "This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level.",
"description": "This policy denies the creation of a subsnet without a Network Security Group. NSG help to protect traffic across subnet-level.",
"displayName": "Subnets should have a Network Security Group",
"mode": "All",
"parameters": {
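Review bot: the replacement description still carries the typo `subsnet` (`This policy denies the creation of a subsnet without a Network Security Group.`), whereas the equivalent line in the other copy of the policy definitions in this commit was corrected to `subnet`; fix it here too, and as with the other copy consider rewording the second sentence to `NSGs help protect traffic at the subnet level.`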
Expand Down Expand Up @@ -6997,23 +6997,53 @@
}
},
"metadata": {
"version": "1.1.0",
"version": "2.0.0",
"category": "Network"
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
"anyOf": [
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
"allOf": [
{
"equals": "Microsoft.Network/virtualNetworks",
"field": "type"
},
{
"count": {
"field": "Microsoft.Network/virtualNetworks/subnets[*]",
"where": {
"allOf": [
{
"exists": "false",
"field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets[*].name",
"notIn": "[[parameters('excludedSubnets')]"
}
]
}
},
"notEquals": 0
}
]
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": "false"
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": "false"
}
]
}
]
},
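Review bot: the rule body here is the same change as in the other copy of the policy definitions in this commit (the `anyOf` over `Microsoft.Network/virtualNetworks` with `count` plus the standalone `Microsoft.Network/virtualNetworks/subnets` branch), yet the description hunk just above already diverged between the two copies (`subsnet` fixed in one, not the other). Since the policy JSON is duplicated across files, a CI step that asserts the definition objects are identical across copies would catch this kind of drift at PR time instead of shipping it.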
Expand All @@ -7029,9 +7059,9 @@
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies the creation of a subnet with out a User Defined Route.",
"description": "This policy denies the creation of a subnet without a User Defined Route (UDR).",
"metadata": {
"version": "1.1.0",
"version": "2.0.0",
"category": "Network"
},
"parameters": {
Expand Down Expand Up @@ -7061,18 +7091,48 @@
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
"anyOf": [
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
"allOf": [
{
"equals": "Microsoft.Network/virtualNetworks",
"field": "type"
},
{
"count": {
"field": "Microsoft.Network/virtualNetworks/subnets[*]",
"where": {
"allOf": [
{
"exists": "false",
"field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets[*].name",
"notIn": "[[parameters('excludedSubnets')]"
}
]
}
},
"notEquals": 0
}
]
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
}
]
}
]
},
Expand Down Expand Up @@ -15728,4 +15788,4 @@
}
}
]
}
}