Suppressing NSG Rules for Subnets

[paulmccrady]

I'm trying to suppress the UseNSGs rule for a subset of subnets in a VNet.
I've tried the following spec but it doesnt work:

if:
allOf:
- field: 'type'
match: 'Microsoft.Network/virtualNetworks'
- field: 'properties.subnets.name'
contains:
- 'aks-snet'
- 'aks2-snet'
- 'aksapi-snet'

I don't want to use properties.subnet[0] etc given I do not know

a) how many subnets the VNet will always have
b) the position of the subnet within the array

How can I achieve the desired outcome?

[BernieWhite]

@paulmccrady Try something like this:

  if:
    allOf:
    - type: .
      equals: 'Microsoft.Network/virtualNetworks'
    - field: properties.subnets[*]
      allOf:
      - field: name
        contains:
        - 'aks-snet'
        - 'aks2-snet'
        - 'aksapi-snet'

[BernieWhite]

@paulmccrady The Azure.VNET.UseNSGs rule currently excludes GatewaySubnet, AzureFirewallSubnet, AzureFirewallManagementSubnet, RouteServerSubnet. If there is other cases we've missed for specific Azure services let us know.

Today this rule does not allow any configuration option to change that behaviour.

For custom subnets you might have that should not have NSGs you could configure a suppression group however an undesirable behaviour you might experience is:

• Desired If subnets that should not have NSGs configured are present and all other subnets have NSGs the rule would be suppressed.
• Undesired If subnets that should not have NSGs configured but any other subnet does not have NSGs the rule would report that both subnets that should and shouldn't have NSGs should all have NSGs.

To do this try:

---
# Synopsis: Example
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: Example
spec:
  rule:
  - PSRule.Rules.Azure\Azure.VNET.UseNSGs
  if:
    allOf:
    - type: .
      equals: 'Microsoft.Network/virtualNetworks'
    - field: properties.subnets[*]
      anyOf:
      - field: name
        contains:
        - 'aks-snet'
        - 'aks2-snet'
        - 'aksapi-snet'
      - field: properties.networkSecurityGroup.id
        hasValue: true

[BernieWhite]

@paulmccrady Did this answer the question?

[paulmccrady]

@BernieWhite no, we either get the rule suppressed for all, or for none. I think for now we will create our own rule and use the excluded subnet filter logic as per the current rule.

[BernieWhite]

@paulmccrady Would providing an option configure custom subnet (exact) names to the excluded list similar to the Microsoft ones as above address the issue?

i.e.

configuration:
  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:
  - subnet1
  - subnet2

[paulmccrady]

@BernieWhite yep - that would be great

[BernieWhite]

Raised as #2572

[BernieWhite]

@paulmccrady Separate to the feature request. Are we able to close this question as answered?