# Security admin rules in Azure Virtual Network Manager
13
13
14
-
In this article, you'll learn about security admin rules in Azure Virtual Network Manager. Security admin rules are used to define global network security rules that apply to all virtual networks within a [network group](concept-network-groups.md). You learn about what security admin rules are, how they work, and when to use them.
14
+
In this article, you learn about security admin rules in Azure Virtual Network Manager. Security admin rules are used to define global network security rules that apply to all virtual networks within a [network group](concept-network-groups.md). You learn about what security admin rules are, how they work, and when to use them.
Security admin rules are global network security rules that enforce security policies defined in the rule collection on virtual networks. These rules can be used to Allow, Always Allow, or Deny traffic across virtual networks within your targeted network groups. These network groups can only consist of virtual networks within the scope of your network manager instance; thus, security admin rules cannot apply to virtual networks not managed by a network manager.
20
+
Security admin rules are global network security rules that enforce security policies defined in the rule collection on virtual networks. These rules can be used to Allow, Always Allow, or Deny traffic across virtual networks within your targeted network groups. These network groups can only consist of virtual networks within the scope of your network manager instance; thus, security admin rules can't apply to virtual networks not managed by a network manager.
21
21
22
22
Here are some scenarios where security admin rules can be used:
23
23
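Review bot: the rewritten intro at new line 14 now opens two consecutive sentences with "you learn" ("In this article, you learn about security admin rules ... You learn about what security admin rules are"). Suggest dropping the first, e.g. "This article describes security admin rules in Azure Virtual Network Manager.", and keeping the second sentence as the summary of what the reader learns. The "cannot" to "can't" change at new line 20 is consistent with the rest of the PR.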
@@ -81,25 +81,25 @@ Based on the industry study and suggestions from Microsoft, we recommend custome
81
81
82
82
|**Port**|**Protocol**|**Description**|
83
83
| --- | ---- | ------- |
84
-
|**20**| TCP | Unencrypted FTP Traffic |
85
-
|**21**| TCP | Unencrypted FTP Traffic |
86
-
|**22**| TCP | SSH. Potential brute force attacks |
|**873**| TCP | Rsync - unencrypted file transfer |
99
+
|**2049**| TCP/UDP | Network File System |
100
+
|**3389**| TCP | RDP - Common brute force attack port |
101
+
|**5800**| TCP | VNC Remote Frame Buffer over HTTP |
102
+
|**5900**| TCP | VNC Remote Frame Buffer over HTTP |
103
103
|**11211**| UDP | Memcached |
104
104
105
105
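Review bot: the new port 5900 row (new line 102) carries the same description as the 5800 row, "VNC Remote Frame Buffer over HTTP". 5800 is the port VNC servers use for the HTTP-served browser viewer; 5900 is the RFB protocol port itself, so the 5900 row should read "VNC Remote Frame Buffer" (or, to match the RDP row, "VNC - common brute force attack port"). Also, the visible markers show the rows for ports 20, 21 and 22 (old lines 84-86) being removed; if unencrypted FTP and SSH are intentionally dropped from the high-risk list, check that the surrounding "Based on the industry study" text still matches the table.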
### Management at scale
@@ -110,9 +110,44 @@ New resources are protected along with existing resources. For example, if you a
110
110
111
111
When new security risks are identified, you can deploy them at scale by creating a security admin rule to protect against the new risk and applying it to your network groups. Once this new rule is deployed, all resources in the scope of the network groups will be protected now and in the future.
112
112
113
+
## Nonapplication of security admin rules
114
+
115
+
In most instances, security admin rules are applied to all virtual networks and subnets within the scope of a network group's applied security configuration. However, there are some services that don't apply security admin rules due to the network requirements of the service. These requirements are enforced by the service's network intent policy.
116
+
117
+
### Nonapplication of security admin rules at virtual network level
118
+
119
+
By default, security admin rules aren't applied to a virtual network containing the following services:
When a virtual network contains these services, the security admin rules skip this virtual network. If you want *Allow* rules applied to this virtual network, you create your security configuration with the `AllowRulesOnly` field set in the [securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices](/dotnet/api/microsoft.azure.management.network.models.networkintentpolicybasedservice?view=azure-dotnet) .NET class. When set, *Allow* rules in your security configuration will be applied to this virtual network. All *Deny* rules will not be applied on this virtual network. Virtual networks without these services can continue using *Allow* and *Deny* rules.
125
+
126
+
You can create a security configuration with *Allow* rules only and deploy it to your virtual networks with [Azure PowerShell](/powershell/module/az.network/new-aznetworkmanagersecurityadminconfiguration#example-1) and [Azure CLI](/cli/azure/network/manager/security-admin-config#az-network-manager-security-admin-config-create-examples).
127
+
128
+
> [!NOTE]
129
+
> When multiple Azure Virtual Network Manager instances apply different settings in the `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` class to the same virtual network, the setting of the network manager instance with the highest scope will be used.
130
+
> Let's say you have two virtual network managers. The first network manager is scoped to the root management group and has a security configuration with set to *AllowRulesOnly* in the `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` class. The second virtual network manager is scoped to a subscription under the root management group and uses the default field of *None* in it's security configuration. When both configurations apply security admin rules to the same virtual network, the *AllowRulesOnly* setting will be applied to the virtual network.
131
+
132
+
### Nonapplication of security admin rules at subnet level
133
+
134
+
Similarly, there are some services that don't apply security admin rules at the subnet level when those subnets' virtual networks are a part of a network group targeted by a security admin configuration. Those services include:
135
+
136
+
- Azure Application Gateway
137
+
- Azure Bastion
138
+
- Azure Firewall
139
+
- Azure Route Server
140
+
- Azure VPN Gateway
141
+
- Azure Virtual WAN
142
+
- Azure ExpressRoute Gateway
143
+
144
+
> [!NOTE]
145
+
> If you want to apply security admin rules on subnets containing an Azure Application Gateway, ensure each subnet only contains gateways that have been provisioned with [network isolation](../application-gateway/application-gateway-private-deployment.md) enabled. If a subnet contains an Azure Application Gateway without network isolation, security admin rules won't be applied to this subnet.
146
+
113
147
## Security admin fields
114
148
115
149
When you define a security admin rule, there are required and optional fields.
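Review bot: the sentence at new line 119 ("create your security configuration with the `AllowRulesOnly` field set in the [securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices](...) .NET class") mixes up the property and its value: `AllowRulesOnly` is the value assigned to the `applyOnNetworkIntentPolicyBasedServices` property, and the link text is a property path while the link target is the .NET `NetworkIntentPolicyBasedService` type. Suggest "set `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` to `AllowRulesOnly`", and use the same phrasing in the NOTE at new lines 129-130. In that note, "has a security configuration with set to *AllowRulesOnly*" is missing a word ("with the property set to"), and "it's security configuration" should be "its". Finally, "will be applied"/"will not be applied" at new line 119 and "will be used"/"will be applied" at new lines 129-130 should move to present tense ("are applied", "aren't applied", "is used") to match the "you'll" to "you" and "cannot" to "can't" changes elsewhere in this PR.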
articles/virtual-network-manager/faq.md (10 additions & 6 deletions)
@@ -87,17 +87,17 @@ You can view Azure Virtual Network Manager settings under **Network Manager** fo
87
87
88
88
Should a regional outage occur, all configurations applied to current resources managed persist, and you can't modify existing configurations, or create new configuration.
89
89
90
-
### Can a virtual network managed by Azure Virtual Network Manager be peered to a non-managed virtual network?
90
+
### Can a virtual network managed by Azure Virtual Network Manager be peered to a nonmanaged virtual network?
91
91
92
92
Yes, Azure Virtual Network Manager is fully compatible with pre-existing hub and spoke topology deployments using peering. This means that you won't need to delete any existing peered connections between the spokes and the hub. The migration occurs without any downtime to your network.
93
93
94
94
### Can I migrate an existing hub and spoke topology to Azure Virtual Network Manager?
95
95
96
-
Yes, migrating existing VNets to AVNM’s hub and spoke topology is very easy and requires no down time. Customers can [create a hub and spoke topology connectivity configuration](how-to-create-hub-and-spoke.md) of the desired topology. When the deployment of this configuration is deployed, virtual network manager will automatically create the necessary peerings. Any pre-existing peerings set up by users will remain intact, ensuring there's no downtime.
96
+
Yes, migrating existing VNets to AVNM’s hub and spoke topology is easy and requires no down time. Customers can [create a hub and spoke topology connectivity configuration](how-to-create-hub-and-spoke.md) of the desired topology. When the deployment of this configuration is deployed, virtual network manager will automatically create the necessary peerings. Any pre-existing peerings set up by users remain intact, ensuring there's no downtime.
97
97
98
98
### How do connected groups differ from virtual network peering regarding establishing connectivity between virtual networks?
99
99
100
-
In Azure, VNet peering and connected groups are two methods of establishing connectivity between virtual networks (VNets). While VNet peering works by creating a 1:1 mapping between each peered VNet, connected groups use a new construct that establishes connectivity without such a mapping. In a connected group, all virtual networks are connected without individual peering relationships. For example, if VNetA, VNetB, and VNetC are part of the same connected group, connectivity is enabled between each VNet without the need for individual peering relationships.
100
+
In Azure, virtual network peering and connected groups are two methods of establishing connectivity between virtual networks (VNets). While virtual network peering works by creating a 1:1 mapping between each peered virtual network, connected groups use a new construct that establishes connectivity without such a mapping. In a connected group, all virtual networks are connected without individual peering relationships. For example, if VNetA, VNetB, and VNetC are part of the same connected group, connectivity is enabled between each virtual network without the need for individual peering relationships.
101
101
102
102
### Do security admin rules apply to Azure Private Endpoints?
103
103
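Review bot: the rewritten answer at new line 96 still reads "When the deployment of this configuration is deployed, virtual network manager will automatically create the necessary peerings." Since the line is already being changed, suggest "When this configuration is deployed, Virtual Network Manager automatically creates the necessary peerings." Also "requires no down time" should be "downtime", which is how the same sentence spells it later ("ensuring there's no downtime").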
@@ -121,18 +121,22 @@ No, an Azure Virtual WAN hub isn't supported as the hub in a hub and spoke topol
121
121
122
122
### My Virtual Network isn't getting the configurations I'm expecting. How do I troubleshoot?
123
123
124
-
#### Have you deployed your configuration to the VNet's region?
124
+
#### Have you deployed your configuration to the virtual network's region?
125
125
126
126
Configurations in Azure Virtual Network Manager don't take effect until they're deployed. Make a deployment to the virtual networks region with the appropriate configurations.
127
127
128
128
#### Is your virtual network in scope?
129
129
130
130
A network manager is only delegated enough access to apply configurations to virtual networks within your scope. Even if a resource is in your network group but out of scope, it doesn't receive any configurations.
131
131
132
-
#### Are you applying security rules to a VNet containing Azure SQL Managed Instances?
132
+
#### Are you applying security rules to a virtual network containing Azure SQL Managed Instances?
133
133
134
134
Azure SQL Managed Instance has some network requirements. These are enforced through high priority Network Intent Policies, whose purpose conflicts with Security Admin Rules. By default, Admin rule application is skipped on VNets containing any of these Intent Policies. Since *Allow* rules pose no risk of conflict, you can opt to apply *Allow Only* rules. If you only wish to use Allow rules, you can set AllowRulesOnly on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices`.
135
135
136
+
#### Are you applying security rules to a virtual network or subnet that contains services blocking security configuration rules?
137
+
138
+
Certain services such as Azure SQL Managed Instance, Azure Databricks and Azure Application Gateway require specific network requirements to function propertly. By default, security admin rule application is skipped on [VNets and subnets containing any of these services](./concept-security-admins.md#nonapplication-of-security-admin-rules). Since *Allow* rules pose no risk of conflict, you can opt to apply *Allow Only* rules by setting the security configurations' `AllowRulesOnly`field on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` .NET class.
139
+
136
140
## Limits
137
141
138
142
### What are the service limitations of Azure Virtual Network Manager?
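Review bot: the new FAQ entry at new lines 136-138 is a superset of the preceding "Azure SQL Managed Instances" entry at lines 132-134 (same skip behaviour, same `AllowRulesOnly` workaround, plus Databricks and Application Gateway); keeping both will confuse readers, so consider folding the SQL MI entry into the new one or reducing it to a pointer. In the new text: "propertly" should be "properly"; "require specific network requirements" should be "have specific network requirements"; there's a missing space in "`AllowRulesOnly`field"; and, as in concept-security-admins.md, `AllowRulesOnly` is a value of the `applyOnNetworkIntentPolicyBasedServices` property rather than a field on a .NET class, so "by setting `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` to `AllowRulesOnly`" is clearer.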
@@ -165,7 +169,7 @@ Azure SQL Managed Instance has some network requirements. These are enforced thr
165
169
166
170
* Azure Virtual Network Manager policies don't support the standard policy compliance evaluation cycle. For more information, see [Evaluation triggers](../governance/policy/how-to/get-compliance-data.md#evaluation-triggers).
167
171
168
-
* The current preview of connected group has a limitation where traffic from a connected group cannot communicate with a private endpoint in this connected group if it has NSG enabled on it. However, this limitation will be removed once the feature is generally available.
172
+
* The current preview of connected group has a limitation where traffic from a connected group can't communicate with a private endpoint in this connected group if it has NSG enabled on it. However, this limitation will be removed once the feature is generally available.
169
173
## Next steps
170
174
171
175
Create an [Azure Virtual Network Manager](create-virtual-network-manager-portal.md) instance using the Azure portal.
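Review bot: the touched bullet at new line 172 keeps "this limitation will be removed once the feature is generally available"; the rest of the PR removes future tense, so "this limitation is removed once the feature is generally available" reads more consistently. "if it has NSG enabled on it" would also be clearer as "if a network security group (NSG) is associated with it", spelling out NSG unless it's already expanded earlier in faq.md.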