Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add APIM Policies #377

Open
wants to merge 83 commits into
base: main
Choose a base branch
from
Open

Add APIM Policies #377

wants to merge 83 commits into from

Conversation

marvinbuss
Copy link
Contributor

@marvinbuss marvinbuss commented Feb 28, 2023
edited
Loading

Summary of the Pull Request

  • Add APIM Policies according to documented gaps
  • Add policy to deny public network access
  • Add policy to deny PIP assignment to APIM
  • Add policy for cross-tenant pes

PR Checklist

Validation Steps Performed

krnese and others added 30 commits February 11, 2023 20:38
@krnese
wave #1
48d3517
@krnese
adding AKS
94190f5
@krnese
added defender options
059355c
@krnese
adding mySql and other minor updates
229e143
@krnese
update
8c4073e
@krnese
backup completeness
3b22840
@krnese
update + event grid
0c8560a
@krnese
adding Azure Data Explorer
94334ad
@krnese
Merge branch 'main' of https://github.com/Microsoft/industry into sec…
5be96ed 
…ure-by-default
@krnese
minor update
9166485
@krnese
adding rbac
df05b72
@krnese
formatting
574e1fd
@krnese
adding ARM template for compliant services
79379e3
@krnese
v2 refresh
2c6e64a
@krnese
optimizing dependency
a3753cc
@krnese
adding policies
a39e47f
@krnese
dns update
08a9e98
@krnese
Update hubspoke-connectivity.json
f2ad5aa
@krnese
Update industryArmV2.json
3e21181
@krnese
Update hubspoke-connectivity.json
c09a723
@krnese
Update fsiPortalV2.json
c620c58
@krnese
Update industryArmV2.json
048f763
@krnese
adding EH for data export
ba79a04
@krnese
Compliant network policySet
9e256de
@krnese
prevent ssh and rdp from internet to network
e1b3181
@krnese
erDiag
0f37ba3
@krnese
updated data export with description
b8a31a5
@krnese
adding sub for ingress and egress
3e9a2ed
@krnese
adding assignments
6f65fb1
@krnese
name lenght
f9b4b92
krnese
krnese reviewed Mar 2, 2023
View reviewed changes
...e/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
},
{
"anyOf": [
{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would this work with the custom policy we have already included ("API Management services should use a virtual network")?

Copy link
Contributor Author

@marvinbuss marvinbuss Mar 2, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is more restricted and enforces to host the instance in Internal mode instead of allowing both Internal and External. I am assuming that by default the APIM instances in Corp should not be accessible from the internet. See link here.
If external access should be used they can host APIM in Internal mode and connect it to an App GW.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have to distinguish at this level? Remember that this policySetDefinition will be assigned broadly at the LZ scope and apply to both cloud-native and corp connected. @victorar - any input from your PoV wrt to the other policies we have for APIM related to networking?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will follow your guidance and understand the concerns.
If we enforce this for corp and online Landing Zones, we should still be fine. Corp use-cases will then be able to rely on private endpoints whereas online landing zones can use an App GW with WAF and Public IP to accept public traffic.
Looking forward to your input @victorar and will remove it if it is too restrictive.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please let me know how to continue here.

@marvinbuss
Copy link
Contributor Author

image

krnese and others added 12 commits March 2, 2023 12:26
@krnese
updated compliant services
bc3f143
@marvinbuss
Merge branch 'secure-by-default' into marvinbuss/apim_policies
57e6039
@krnese
adding AVD
b83d705
@marvinbuss
Merge branch 'secure-by-default' into marvinbuss/apim_policies
287bb68
@krnese
Centralized logging initiative
c45e024
@krnese
added diag to storage account
3082de5
@krnese
naming convention for storage
30abbf9
@marvinbuss
Update effect to audit
2968413
@marvinbuss
Merge branch 'marvinbuss/apim_policies' of https://github.com/microso…
ebdd10c 
…ft/industry into marvinbuss/apim_policies
@krnese
default identity sub behavior
3ccbb5f
@marvinbuss
Add Azure Storage Policies (#375)
57e8a4e 
* Add Azure Storage Policies

* Fix minor bug

* Update type

* Add policy for CORS rules

* Add policy for CMK for encryption scopes

* Remove policy for encryption scope

* Update display name

* Add list of allowed values for policy definition

* Update policy for encryption

* Add policy assignments

* Removed policy for cross tenant PEs

* Add missing parameters

* Update mg name
@krnese
update sequencing
e540358
Base automatically changed from secure-by-default to main March 3, 2023 19:38
@marvinbuss marvinbuss changed the base branch from main to secure-by-default March 4, 2023 13:34
@marvinbuss marvinbuss changed the base branch from secure-by-default to main March 4, 2023 13:34
@marvinbuss
Copy link
Contributor Author

Ready to be merged
image

@marvinbuss marvinbuss requested a review from krnese March 4, 2023 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krnese krnese Awaiting requested review from krnese

At least 1 approving review is required to merge this pull request.

Assignees

@marvinbuss marvinbuss

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marvinbuss @krnese @uday31in