{"id":20697401,"url":"https://github.com/epomatti/azure-vnet-security","last_synced_at":"2026-03-05T20:47:23.136Z","repository":{"id":208891186,"uuid":"722385857","full_name":"epomatti/azure-vnet-security","owner":"epomatti","description":"Azure Virtual Network (VNET) security settings","archived":false,"fork":false,"pushed_at":"2025-05-18T19:01:52.000Z","size":77,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-07-20T10:42:14.959Z","etag":null,"topics":["application-security-group","appservice","asg","azure","azure-security","connection-monitor","load-balancer","sql-managed-instances","terraform","vnet"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epomatti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-11-23T03:11:35.000Z","updated_at":"2025-05-18T19:01:56.000Z","dependencies_parsed_at":"2023-11-23T21:22:31.426Z","dependency_job_id":"4c5e5b05-1d17-420f-8d7d-3040d81dcd21","html_url":"https://github.com/epomatti/azure-vnet-security","commit_stats":null,"previous_names":["epomatti/azure-vnet-subnet-delegation"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/epomatti/azure-vnet-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Fazure-vnet-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Fazure-vnet-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/repositories/epomatti%2Fazure-vnet-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Fazure-vnet-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/epomatti","download_url":"https://codeload.github.com/epomatti/azure-vnet-security/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Fazure-vnet-security/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30149845,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T16:58:46.102Z","status":"ssl_error","status_checked_at":"2026-03-05T16:58:45.706Z","response_time":93,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-security-group","appservice","asg","azure","azure-security","connection-monitor","load-balancer","sql-managed-instances","terraform","vnet"],"created_at":"2024-11-17T00:17:52.265Z","updated_at":"2026-03-05T20:47:23.118Z","avatar_url":"https://github.com/epomatti.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Azure VNET Security\n\nThis exercise will demonstrate deployability of resources based on subnet status.\n\nCreate the variables file:\n\n```sh\ncp config/template.tfvars .auto.tfvars\n```\n\nSet your public IP address in the `allowed_source_address_prefixes` variable using 
CIDR notation:\n\n```sh\n# allowed_source_address_prefixes = [\"1.2.3.4/32\"]\ncurl ifconfig.io/ip\n```\n\nCreate the keys:\n\n```sh\nmkdir -p keys \u0026\u0026 ssh-keygen -f keys/temp_rsa\n```\n\nCheck for updated agent versions:\n\n```sh\n# Identify latest version of Network Watcher extension for Linux.\naz vm extension image list --name 'NetworkWatcherAgentLinux' --publisher 'Microsoft.Azure.NetworkWatcher' --latest --location 'eastus2'\n```\n\nCreate the base resources:\n\n\u003e [!NOTE]\n\u003e The request might fail if there is already a Network Watcher created for the region. Adapt accordingly.\n\n```sh\nterraform init\nterraform apply -auto-approve\n```\n\n## Network Monitor\n\nTo enable advanced monitoring capabilities, such as the [Connection Monitor][2], use the [Network Watcher Agent][1].\n\nThis project already installs the agent by default.\n\nYou can enable the Connection Monitor from the Azure Monitor Insights section of the Network blade.\n\n## Azure VNET Subnet Delegation\n\nThe following subnets will be created within the VNET:\n\n| Subnet | Is empty? 
| Service Endpoint | Subnet Delegation |\n|-|-|-|-|\n| Subnet001 | No  | - | - |\n| Subnet002 | Yes | `Microsoft.Storage` | - |\n| Subnet003 | Yes | - | `Microsoft.Sql/managedInstances` |\n| Subnet004 | Yes | - | `Microsoft.Web/serverFarms` |\n| Subnet005 | Yes | - | - |\n\nThe results are interesting when looking at `Subnet003`.\n\nWhen integrating services with these subnets, we get different outcomes:\n\n| Service | Subnet 1 | Subnet 2 | Subnet 3 | Subnet 4 | Subnet 5 |\n|-|-|-|-|-|-|\n| App Service | ❌ | ✅ | ❌ | ✅ | ✅ |\n| SQL Managed Instance | ❌ | ✅ | ✅ | ✅ | ✅ |\n\nRequirements for **App Service**:\n\n\u003e [!TIP]\n\u003e The subnet must have the right delegation and **_also_** be empty.\n\n\u003cimg src=\".assets/webapp.png\" /\u003e\n\nRequirements for SQL Managed Instance:\n\n\u003cimg src=\".assets/sqlmanagedinstance.png\" /\u003e\n\n## Application Security Group (ASG)\n\n\u003e All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named _AsgWeb_ is in the virtual network named _VNet1_, then all subsequent network interfaces assigned to _ASGWeb_ must exist in _VNet1_. 
You can't add network interfaces from different virtual networks to the same application security group.\n\nHere are some commands to test [ASGs][3].\n\nAlthough not mentioned explicitly, you cannot use an ASG created in a different region.\n\n```sh\n# Creating in different regions to test compatibility\n\n# You can add this one\naz network asg create -g rg-test001 -n asg-test001-eastus2 -l eastus2\n\n# You CANNOT add this one as it is from a different region\naz network asg create -g rg-test001 -n asg-test001-brazilsouth -l brazilsouth\n```\n\n## Service Tags\n\nVerify the effectiveness of the `Internet` service tag in an NSG rule.\n\nConfirm the name resolution route:\n\n```sh\n# Verify that the IP is private (10.*.*.*)\ndig stnsgflowlogs1238casdf.blob.core.windows.net\n```\n\nConfirm that services reached via the normal internet route are working:\n\n```sh\n# This should work\ncurl https://www.google.com\n```\n\nTest the connection to the storage account via the private route:\n\n```sh\n# This should fail\ncurl https://stnsgflowlogs1238casdf.blob.core.windows.net\n```\n\nIf you enable the ASG permission, the communication can be allowed.\n\nThis demonstrates that the `Internet` tag applies exclusively to public addresses and does affect virtual network connectivity.\n\n\n## Load Balancer\n\n\u003e [!CAUTION]\n\u003e The `Basic` SKU of Azure Load Balancer is being discontinued. 
Use or migrate to `Standard`.\n\n\u003e [!TIP]\n\u003e With a `Standard` public IP, public access needs to be allowed in the Network Security Group (NSG).\n\n---\n\n### Clean up the resources\n\nDestroy the resources after using them:\n\n```sh\nterraform destroy -auto-approve\n```\n\n\n[1]: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/network-watcher-linux\n[2]: https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview\n[3]: https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Fazure-vnet-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepomatti%2Fazure-vnet-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Fazure-vnet-security/lists"}