last sync: 2024-Nov-25 18:54:43 UTC

Enforce recommended guardrails for Network and Networking services

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository: Azure Landing Zones (ALZ) GitHub
JSON: Enforce-Guardrails-Network
Display name: Enforce recommended guardrails for Network and Networking services
Id: Enforce-Guardrails-Network
Version: 1.1.0
Category: Network
Description: This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.
Type: Custom Azure Landing Zones (ALZ)
Deprecated: False
Preview: False
Policy count: Total Policies: 22 (Builtin Policies: 15, Static Policies: 0, ALZ Policies: 7)
Policy used
Policy DisplayName | Policy Id | Category | Effect | Roles# | Roles | State | Type
[Deprecated]: Azure firewall policy should enable TLS inspection within application rules | a58ac66d-92cb-409c-94b8-8e48d7a96596 | Network | Default: Disabled; Allowed: Audit, Deny, Disabled | 0 | | Deprecated | BuiltIn
[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection | 711c24bb-7f18-4578-b192-81a6161e1f17 | Network | Default: Disabled; Allowed: Audit, Deny, Disabled | 0 | | Deprecated | BuiltIn
[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium | f516dc7a-4543-4d40-aad6-98f76a706b50 | Network | Default: Disabled; Allowed: Audit, Deny, Disabled | 0 | | Deprecated | BuiltIn
[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows | 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 | Network | Default: Disabled; Allowed: Audit, Deny, Disabled | 0 | | Deprecated | BuiltIn
[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) | 6484db87-a62d-4327-9f07-80a2cbdf333a | Network | Default: Disabled; Allowed: Audit, Deny, Disabled | 0 | | Deprecated | BuiltIn
[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | 632d3993-e2c0-44ea-a7db-2eca131f356d | Network | Default: Disabled; Allowed: Audit, Deny, Disabled | 0 | | Deprecated | BuiltIn
Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 | Deny-AppGw-Without-Tls | Network | Default: Deny; Allowed: Audit, Deny, Disabled | 0 | | GA | ALZ
Azure Web Application Firewall should be enabled for Azure Front Door entry-points | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn
Deny or Audit service endpoints on subnets | Deny-Service-Endpoints | Network | Default: Deny; Allowed: Audit, Deny, Disabled | 0 | | GA | ALZ
Enforce specific configuration of Network Security Groups (NSG) | Modify-NSG | Network | Default: Modify; Allowed: Modify, Disabled | 1 | Network Contributor | GA | ALZ
Enforce specific configuration of User-Defined Routes (UDR) | Modify-UDR | Network | Default: Modify; Allowed: Modify, Disabled | 1 | Network Contributor | GA | ALZ
Gateway subnets should not be configured with a network security group | 35f9c03a-cc27-418e-9c0c-539ff999d010 | Network | Fixed: deny | 0 | | GA | BuiltIn
Management port access from the Internet should be blocked | Deny-MgmtPorts-From-Internet | Network | Default: Deny; Allowed: Audit, Deny, Disabled | 0 | | GA | ALZ
Network interfaces should disable IP forwarding | 88c0b9da-ce96-4b03-9635-f29a937e2900 | Network | Fixed: deny | 0 | | GA | BuiltIn
Network interfaces should not have public IPs | 83a86a26-fd1f-447c-b59d-e51f44264114 | Network | Fixed: deny | 0 | | GA | BuiltIn
Subnets should have a Network Security Group | Deny-Subnet-Without-Nsg | Network | Default: Deny; Allowed: Audit, Deny, Disabled | 0 | | GA | ALZ
Subnets should have a User Defined Route | Deny-Subnet-Without-Udr | Network | Default: Deny; Allowed: Audit, Deny, Disabled | 0 | | GA | ALZ
Virtual networks should be protected by Azure DDoS Protection | 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d | Network | Default: Modify; Allowed: Modify, Audit, Disabled | 1 | Network Contributor | GA | BuiltIn
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | 21a6bc25-125e-4d13-b82d-2e19b7208ab7 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn
Web Application Firewall (WAF) should be enabled for Application Gateway | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn
Web Application Firewall (WAF) should use the specified mode for Application Gateway | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | 425bea59-a659-4cbb-8d31-34499bd030b8 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn
Roles used
History: none
JSON compare: n/a