Apply NSG/ASG by default on new subnets (Azure) - azure

We manage an Azure subscription operated by several countries. Each of them is quite independent about what they can do (create/edit/remove resources). A guide of good practices has been sent to them, but we (the security team) would like to ensure a set of NSGs is systematically applied for every new subnet/vnet created.
Having looked at Azure Triggers, I am not sure that subnet creation belongs to the auditable events. I was also told to look at Azure Policy, but once again I am not sure this will match our expectations, which are: for every new vnet/subnet, automatically apply a set of predefined NSGs.
Do you have any idea about a solution for our need?

I have done work like this in the past (not this exact issue) and the way I solved it was with an Azure Function that walked the subscription and looked for these kinds of issues. You could have the code run as a Managed Identity with Reader rights on the subscription to report issues, or as a Contributor to update the setting. Here's some code that shows how you could do this with PowerShell https://github.com/Azure/azure-policy/tree/master/samples/Network/enforce-nsg-on-subnet
You could consider using a Policy that has a DeployIfNotExists Action, to deploy an ARM template that contains all the data for the NSG. https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-deploy-resources
You can get the ARM template by creating the NSG and getting the template:
[Screenshot: GettingNSGTemplate]
Note also that creating a subnet is audited; you can see it in the Activity Log for the VNet. See the screenshot.
[Screenshot: AddingASubnet]
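The "walk the subscription" approach from the first answer, written out as an added example (this is not code from the question, the answers or the linked sample repository): it reports every subnet without an NSG and, only when -Remediate is passed, attaches a predefined baseline NSG. The resource group and NSG names are assumptions.

```powershell
# Added example (not code from the original question or answers): report every
# subnet in the subscription with no NSG and, only with -Remediate, attach a
# predefined baseline NSG from the same region. Assumes Az.Network and a
# Connect-AzAccount session (or an Azure Function running as a Managed Identity:
# Reader to report, Network Contributor to remediate). NSG names are hypothetical.
param(
    [string]$BaselineNsgResourceGroup = 'rg-security-shared',   # hypothetical
    [string]$BaselineNsgName          = 'nsg-baseline-default', # hypothetical
    [switch]$Remediate                                          # default: report only
)

function Get-SubnetWithoutNsg {
    # Walk every VNet the identity can read; emit one finding per bare subnet.
    foreach ($vnet in Get-AzVirtualNetwork) {
        foreach ($subnet in $vnet.Subnets) {
            # NSGs are unsupported on AzureFirewallSubnet and discouraged on
            # GatewaySubnet, so those two are never findings.
            if ($subnet.Name -in @('GatewaySubnet', 'AzureFirewallSubnet')) { continue }
            if (-not $subnet.NetworkSecurityGroup -or -not $subnet.NetworkSecurityGroup.Id) {
                [pscustomobject]@{
                    ResourceGroup = $vnet.ResourceGroupName
                    VNet          = $vnet.Name
                    Location      = $vnet.Location
                    Subnet        = $subnet.Name
                    AddressPrefix = ($subnet.AddressPrefix -join ',')
                }
            }
        }
    }
}

function Set-BaselineNsgOnSubnet {
    param([pscustomobject]$Finding, [string]$NsgResourceGroup, [string]$NsgName)
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $NsgResourceGroup -Name $NsgName
    # An NSG can only be associated with subnets in its own region.
    if ($nsg.Location -ne $Finding.Location) {
        Write-Warning "Skipping $($Finding.VNet)/$($Finding.Subnet): NSG is in $($nsg.Location), not $($Finding.Location)"
        return
    }
    # Change only the NSG reference on the in-memory subnet so that route tables,
    # delegations and service endpoints already on it are preserved.
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $Finding.ResourceGroup -Name $Finding.VNet
    ($vnet.Subnets | Where-Object Name -eq $Finding.Subnet).NetworkSecurityGroup = $nsg
    $vnet | Set-AzVirtualNetwork | Out-Null
    Write-Output "Attached $NsgName to $($Finding.VNet)/$($Finding.Subnet)"
}

$findings = @(Get-SubnetWithoutNsg)
$findings | Format-Table -AutoSize
if ($Remediate) { $findings | ForEach-Object { Set-BaselineNsgOnSubnet -Finding $_ -NsgResourceGroup $BaselineNsgResourceGroup -NsgName $BaselineNsgName } }
```

A scheduled run of this script only closes the gap between creation and the next run; a Policy assignment with DeployIfNotExists, as the second answer suggests, acts at deployment time, and the two are complementary (the script also catches subnets created before the assignment existed).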

Related

What are the minimum resource providers assigned/needed by Azure on a new subscription?

I'm working on an application that deploys and configures resources in Azure. This application will be run by clients and I have no way of knowing whether they'll create new subscriptions, or re-use older ones. Accordingly, I'm registering a set of Resource Providers (RPs) before trying to deploy anything.
As part of my testing, I've found all sorts of RPs that seem to be registered by default. Some of them (e.g. "Microsoft.Authorization" or "Microsoft.Portal") seem crucial to the smooth running of a subscription, so I am loath to start messing about with them. There are others that seem more cryptic (e.g. "Microsoft.Features").
Here's the full list I get when creating a new subscription in Azure today:
Microsoft.ADHybridHealthService
Microsoft.Advisor
Microsoft.AlertsManagement
Microsoft.Authorization
Microsoft.Billing
Microsoft.Cdn
Microsoft.ClassicSubscription
Microsoft.Commerce
Microsoft.Consumption
Microsoft.ContainerRegistry
Microsoft.CostManagement
Microsoft.DocumentDB
Microsoft.Features
Microsoft.GuestConfiguration
microsoft.insights (NB: it has this casing in the portal too)
Microsoft.MarketplaceOrdering
Microsoft.PolicyInsights
Microsoft.Portal
Microsoft.ResourceGraph
Microsoft.ResourceHealth
Microsoft.Resources
Microsoft.Security
Microsoft.SerialConsole
Microsoft.ServiceBus
Microsoft.Sql
Microsoft.Storage
microsoft.support (NB: another with odd casing)
Microsoft.Web
I've no idea if this is standard or can be relied upon. Does it change, for instance, depending on the type of subscription? Or where I'm based?
And which ones are needed? I'm pretty certain my subscription will continue to function without the Service Bus, but what about Billing? (I presume it won't make things free...)
To save me having to do a load of trial and error, is there a definitive, canonical list anywhere of the RPs needed for Azure to work properly? Or even just a canonical list of those included on a new subscription by default.
Whenever a new Azure subscription is created, a list of a few resource providers is available by default.
Some are Registered and some are NotRegistered.
I have checked with Free and Pay-as-you-go Azure subscriptions; the list of Registered providers is different for each subscription.
Ex: I can see Microsoft.ServiceBus as Registered in a Pay-as-you-go subscription and as NotRegistered in a Free Azure subscription.
In Pay-as-you-go Subscription
In Free Trial Subscription
To list the available Resource Providers, have a look at Available Resource providers.
Also refer to How to Enable Azure Resource Providers and Azure Resource Providers for more information.

How to add a new resource to an existing resource group in Terraform

This would appear to be a fairly simple and basic scenario but I'm frankly at a loss on how to get around this using Terraform and would appreciate any suggestions.
The issue is this. In Azure, I have a number of resource groups, each containing a number of resources, including virtual networks, subnets, storage accounts, etc. What I would now like to do is add new resources to one or two of the resource groups. Typical example, I would like to provision a new virtual machine in each of the resource groups.
Now, so far all of the documentation and blogs I seem to come across only provide guidance on how to create resources whereby you also create a new resource group, vnet, subnet, from scratch. This is definitely not what I wish to do.
All I'm looking to do is get Terraform to add a single virtual machine to an existing resource group, going on to configure it to connect to existing networking resources such as a VNet, Subnet, etc. Any ideas?
I tested for ECS by destroying the launch configuration.
terraform destroy -target module.ecs.module.ec2_alb.aws_launch_configuration.launchcfg
I recreated the launch configuration and it worked:
terraform plan -target=module.ecs.module.ec2_alb.aws_launch_configuration
terraform apply -target=module.ecs.module.ec2_alb.aws_launch_configuration
Also, you can go read more on Terraform target here: https://learn.hashicorp.com/tutorials/terraform/resource-targeting
If you just want to be able to reference your existing resources in your TF script, you normally would use data sources in TF to fetch their information.
So for resource group, you would use data source azurerm_resource_group, for vnet there is azurerm_virtual_network and so forth.
These data sources would allow you to only reference and get details of existing resources, not to manage them in your TF script. Thus if you would like to actually manage these resources using TF (modify, delete, etc), you would have to import them first to TF.

Tag a Managed Resource Group for Azure Databricks

Given that managed resource groups are mandatory for creating an Azure Databricks cluster, is there any way that I can tag the resource group in order to comply with the tagging policy on my subscription?
I am using the template here to deploy my resources.
Based on the post I found:
Since Feb 10 2020, the Databricks resource will propagate any tags applied to the Databricks resource to the managed resources it created.
I think the solution is simpler now: tag the Databricks resource directly.
Hope this answer (by others) works for everyone seeing this post.
Any tags that you use when creating the Databricks workspace will be used for the managed resource group as well so just make sure you add the needed tags to the workspace when creating it. I know this works when creating the workspace from the Azure Portal but I can't see any reason this wouldn't work when using ARM templates (or Terraform for that matter).
I'm also pretty sure that future changes will be propagated to said resource group.

How Can I Recursively Compare Azure Resource Groups?

I have one resource group that I set up with the portal and another that I tried to configure the same way using Terraform.
Each group contains
Application Gateway with Web App Firewall
Virtual networks and subnets
VMs and associated storage
Public IPs, NSGs, NIC etc
Is there a way for me to compare the two sets of configurations?
For you, I assume you want to create the same resources with the same configurations in another group through Terraform. On my side, there are not many things you need to care about; just create the Terraform script according to the configuration of the resources:
each resource region
the public IP and the NIC allocation method
NSG rules
vnet and the subnet address prefix
application gateway properties and the rules
The above points are what I think you need to care about, and the properties of the resources in Terraform also need to correspond to them. I think there is no other way to compare two sets of configurations. If you really want, you can compare the template of each group when you create them. The group template is shown below:
No, I don't think there is a reasonable straightforward way of doing this. You can create a PowerShell script that would get resources in each resource group and then try to compare properties, but it's hard to give some sort of estimation of how accurate it would be. There is a Compare-Object cmdlet in PowerShell, which might help you with that.
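One way to apply the Compare-Object idea from the last answer, added here as an example (not code from the post): it diffs the two groups' resource inventories and then their NSG rules field by field, since rules are where a portal-built and a Terraform-built group most often drift. The group names are assumptions.

```powershell
# Added example (not code from the original answer): list the resources of two
# groups by type/name/location and diff the NSG rules they contain. Assumes
# Az.Resources/Az.Network and a Connect-AzAccount session; names are hypothetical.
param(
    [string]$ReferenceGroup  = 'rg-built-in-portal',   # hypothetical
    [string]$DifferenceGroup = 'rg-built-by-terraform' # hypothetical
)

function Get-ResourceInventory {
    param([string]$ResourceGroup)
    # Full resource IDs always differ (they embed the group name), so compare
    # only the properties that should match.
    Get-AzResource -ResourceGroupName $ResourceGroup | Select-Object ResourceType, Name, Location
}

function Get-NsgRuleSet {
    param([string]$ResourceGroup)
    # Flatten every custom rule to the fields that decide what traffic it admits;
    # list-valued fields are joined so Compare-Object can compare them by value.
    Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup |
        ForEach-Object { $_.SecurityRules } |
        Select-Object Name, Priority, Direction, Access, Protocol,
            @{ n = 'Src';     e = { $_.SourceAddressPrefix -join ',' } },
            @{ n = 'SrcPort'; e = { $_.SourcePortRange -join ',' } },
            @{ n = 'Dst';     e = { $_.DestinationAddressPrefix -join ',' } },
            @{ n = 'DstPort'; e = { $_.DestinationPortRange -join ',' } }
}

function Compare-ByProperty {
    param($Ref, $Diff, [string[]]$Props)
    # Compare-Object rejects an empty array, so handle an empty side explicitly.
    # SideIndicator '<=' means present only in the reference group, '=>' only in the other.
    if ($Ref.Count -eq 0 -and $Diff.Count -eq 0) { return @() }
    if ($Ref.Count -eq 0)  { return $Diff | Select-Object *, @{ n = 'SideIndicator'; e = { '=>' } } }
    if ($Diff.Count -eq 0) { return $Ref  | Select-Object *, @{ n = 'SideIndicator'; e = { '<=' } } }
    Compare-Object -ReferenceObject $Ref -DifferenceObject $Diff -Property $Props
}

function Compare-ResourceGroups {
    param([string]$Reference, [string]$Difference)
    [pscustomobject]@{
        ResourceDrift = Compare-ByProperty @(Get-ResourceInventory $Reference) @(Get-ResourceInventory $Difference) `
                            @('ResourceType', 'Name', 'Location')
        NsgRuleDrift  = Compare-ByProperty @(Get-NsgRuleSet $Reference) @(Get-NsgRuleSet $Difference) `
                            @('Name', 'Priority', 'Direction', 'Access', 'Protocol', 'Src', 'SrcPort', 'Dst', 'DstPort')
    }
}

$drift = Compare-ResourceGroups -Reference $ReferenceGroup -Difference $DifferenceGroup
$drift.ResourceDrift | Format-Table -AutoSize
$drift.NsgRuleDrift  | Format-Table -AutoSize
```

Resources the portal auto-named will show up on both sides of the inventory diff, so the inventory is a coverage check; the rule diff is the part that tells you whether the two groups actually admit the same traffic.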

AKS template creates new resource groups

When I create an AKS cluster using the Azure portal I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with the "MC_" prefix. I also don't see an option to change its name when using an ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
The secondary resource group name can be inferred, I think; it's something like:
MC_original-resource-group-name_aks-resource-name_location
It also creates an OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but it's a provider setting). You have no control over that as well.
There is a not-yet-implemented nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group, and using this property is not possible with the portal (so ARM templates\pulumi\terraform).
