You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-network-manager/concept-enforcement.md
+18-17Lines changed: 18 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,11 @@
1
1
---
2
2
title: 'Virtual network enforcement with security admin rules in Azure Virtual Network Manager (Preview)'
3
-
description: You'll learn how security admin rules provide enforcement and flexible application of security policies in Azure Virtual Network Manager.
3
+
description: #Required; You'll learn why you should use Security Admin Rules and how they differ from NSGs.
4
4
author: mbender-ms
5
5
ms.author: mbender
6
6
ms.service: virtual-network-manager
7
-
ms.topic: conceptual #Required; leave this attribute/value as-is.
8
-
ms.date: 06/28/2022
9
-
ms.custom: template-concept #Required; leave this attribute/value as-is.
7
+
ms.topic: conceptual
8
+
ms.date: 08/19/2022
10
9
---
11
10
# Virtual network enforcement with security admin rules in Azure Virtual Network Manager (Preview)
12
11
@@ -19,9 +18,9 @@ In this article, you'll learn how [security admins rules](concept-security-admin
19
18
20
19
## Virtual network enforcement
21
20
22
-
With network security groups (NSGs) alone, widespread enforcement on VNets across several applications, teams, or even entire organizations can be tricky. Often there’s a balancing act between attempts at centralized enforcement across an organization and handing over granular, flexible control to teams.
21
+
With [network security groups (NSGs)](../virtual-network/network-security-group-how-it-works.md) alone, widespread enforcement on VNets across several applications, teams, or even entire organizations can be tricky. Often there’s a balancing act between attempts at centralized enforcement across an organization and handing over granular, flexible control to teams.
23
22
24
-
Security admin rules aim to eliminate this sliding scale between enforcement and flexibility altogether by consolidating the pros of each of these models while reducing the cons of each. Central governance teams establish guard rails through security admin rules, while still leaving room for individual teams to flexibly pinpoint security as needed through NSG rules. Security admin rules aren't meant to override NSG rules. Instead they interact in different ways depending on the type of action specified in the security admin rule.
23
+
[Security admin rules](concept-security-admins.md) aim to eliminate this sliding scale between enforcement and flexibility altogether by consolidating the pros of each of these models while reducing the cons of each. Central governance teams establish guard rails through security admin rules, while still leaving room for individual teams to flexibly pinpoint security as needed through NSG rules. Security admin rules aren't meant to override NSG rules. Instead, they work with NSG rules to provide enforcement and flexibility across your organization.
25
24
26
25
## Enforcement Models
27
26
@@ -39,40 +38,42 @@ In this model, NSGs are managed by individual teams within an organization witho
39
38
40
39
| Pros | Cons |
41
40
| ---- | ---- |
42
-
| The individual team has flexible control in tailoring security rules based on their service requirements. | The central governance team can't enforce critical security rules, such as blocking risky ports. </br> </br> Individual team might also misconfigure or forget to attach NSGs, leading vulnerability exposures.|
41
+
| The individual team has flexible control in tailoring security rules based on their service requirements. | The central governance team can't enforce critical security rules, such as blocking risky ports. </br> </br> Individual team might also misconfigure or forget to attach NSGs, leading to vulnerability exposures.|
43
42
44
43
### Model 3 - NSGs are created through Azure Policy and managed by individual teams.
45
-
In this model, NSGs are still managed by individual teams. The difference is the NSGs created using Azure Policy to set standard rules. Modifying these rules would trigger audit notifications.
44
+
In this model, NSGs are still managed by individual teams. The difference is the NSGs are created using Azure Policy to set standard rules. Modifying these rules would trigger audit notifications.
46
45
47
46
| Pros | Cons |
48
47
| ---- | ---- |
49
48
| The individual team has flexible control in tailoring security rules. </br></br> The central governance team can create standard security rules and receive notifications if rules are modified. | The central governance team still can't enforce the standard security rules, since NSG owners in teams can still modify them. </br></br> Notifications would also be overwhelming to manage. |
50
49
51
50
## Enforcement and flexibility in practice
52
51
53
-
Let’s apply the concepts discussed so far to an example scenario. A company network administrator wants to enforce a security rule to block inbound SSH traffic for the whole company. As mentioned above, having such enforcement was difficult without AVNM’s security admin rule. If the administrator manages all the NSGs, then management overhead is high, and the administrator can't rapidly respond to product teams’ needs to modify NSG rules. On the other hand, if the product teams manage their own NSGs without security admin rules, then the administrator can't enforce critical security rules, leaving potential security risks open. Using both security admin rules and NSGs can solve this dilemma. In this case, the administrator wants to make an exception for application as the application team needs more time to make changes to not rely on SSH. The diagram below shows how the administrator can achieve the goal of enforcement with security admin rules, and leave an exception for the Application team to handle SSH traffic through NSGs.
52
+
Let’s apply the concepts discussed so far to an example scenario. A company network administrator wants to enforce a security rule to block inbound SSH traffic for the whole company. As mentioned above, having such enforcement was difficult without AVNM’s security admin rule. If the administrator manages all the NSGs, then management overhead is high, and the administrator can't rapidly respond to product teams’ needs to modify NSG rules. On the other hand, if the product teams manage their own NSGs without security admin rules, then the administrator can't enforce critical security rules, leaving potential security risks open. Using both security admin rules and NSGs can solve this dilemma.
54
53
55
-
:::image type="content" source="media/concept-enforcement/example-rules-enforcement.png" alt-text="Diagram of security admin rules enforcement with network security groups.":::
54
+
In this case, the administrator wants to make an exception to the application virtual networks as the application team needs management access to the application with SSH. The diagram below shows how the administrator can achieve the following goals:
55
+
- Enforcement with security admin rules across the organization.
56
+
- Creating exceptions for the application team to handle SSH traffic through NSGs.
57
+
58
+
:::image type="content" source="media/concept-enforcement/sec-admin-scenario.png" alt-text="Diagram of security admin rules enforcement with network security groups.":::
56
59
57
60
#### Step 1: Create a network manager instance
58
61
59
62
The company administrator can create a network manager with the root management group of the firm as the scope of this network manager instance.
60
63
61
64
#### Step 2: Create network groups for VNets
62
65
63
-
The administrator creates the following network groups:
64
-
65
-
-*ALL Network Group*: consisting of all the VNets in the organization
66
-
-*App 1 Network Group* consisting of VNets for Application 1.
67
-
ALL Network Group in the above diagram consists of VNet 1 to VNet 5, and App 1 Network Group has VNet 4 and VNet 5. Users can easily define both network groups with dynamic membership.
66
+
The administrator creates two network groups – *ALL network group* consisting of all the VNets in the organization, and App network group consisting of VNets for the application needing an exception. ALL network group in the above diagram consists of *VNet 1* to *VNet 5*, and App network group has *VNet 4* and *VNet 5*. Users can easily define both network groups using dynamic membership.
68
67
69
68
#### Step 3: Create a security admin configuration
70
69
71
-
This security admin configuration contains a security admin rule to block inbound SSH traffic for *ALL Network Group* and another security admin rule to allow inbound SSH traffic for *App 1 Network Group* with a higher priority.
70
+
In this step, two security admin rules are defined with the following security admin configuration:
71
+
- a security admin rule to block inbound SSH traffic for ALL network group.
72
+
- a security admin rule to allow inbound SSH traffic for App network group with a higher priority.
72
73
73
74
#### Step 4: Deploy the security admin configuration
74
75
75
-
After the deployment of the security admin configuration, all VNets in the company will have the deny inbound SSH traffic rule enforced by the security admin rule. No individual team can modify this rule, only the administrator. The App 1 VNets will have both an allow inbound SSH traffic rule and a deny inbound SSH traffic rule. The priority number of the allow inbound SSH traffic rule for App 1 Network Group should be smaller so that it's evaluated first. When inbound SSH traffic comes to an App 1 VNet, it will be allowed by this higher priority security admin rule. Assuming there are NSGs on the subnets of the App 1 VNets, this inbound SSH traffic will be further evaluated by NSGs set by the Application 1 team. With this method, the company administrator can effectively enforce company policies and create security guard rails. And the product teams can simultaneously react to meet their needs by owning the control of NSGs.
76
+
After the deployment of the security admin configuration, all VNets in the company will have the deny inbound SSH traffic rule enforced by the security admin rule. No individual team can modify this rule, only the defined company administrator. The App VNets will have both an allow inbound SSH traffic rule and a deny inbound SSH traffic rule (inherited from All network group rule). The priority number of the allow inbound SSH traffic rule for App network group should be smaller so that it's evaluated first. When inbound SSH traffic comes to an App VNet, it will be allowed by this higher priority security admin rule. Assuming there are NSGs on the subnets of the App VNets, this inbound SSH traffic will be further evaluated by NSGs set by the application team. The security admin rule methodology described here allows the company administrator to effectively enforce company policies and create flexible security guard rails across an organization that work with NSGs.
0 commit comments