Governance policies for Network Interface
Domain: azure-networking
| Name | Description |
|---|---|
| Network interface with NSG and accelerated networking | Production NIC with mandatory NSG, no public IP, and accelerated networking |
| Anti-pattern | Instead |
|---|---|
| Do not deploy NICs without a Network Security Group | Always associate an NSG with every NIC or its subnet |
| Do not assign public IP addresses to NICs | Use Azure Bastion for management and internal load balancers for application access |
| Check | Severity | Description |
|---|---|---|
| AZ-NIC-001 | Required | Associate every NIC with a Network Security Group |
| AZ-NIC-002 | Required | Do not assign public IP addresses directly to network interfaces |
| AZ-NIC-003 | Recommended | Enable accelerated networking on supported VM sizes |
| AZ-NIC-004 | Recommended | Use static private IP allocation for infrastructure VMs (domain controllers, DNS servers) |
Associate every NIC with a Network Security Group
Severity: Required
Rationale: NICs without NSGs allow all inbound and outbound traffic by default
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/networkInterfaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkSecurityGroups | nsg-resource | NSG with least-privilege rules |
| Microsoft.Network/virtualNetworks/subnets | snet-resource | Target subnet |
Do not assign public IP addresses directly to network interfaces
Severity: Required
Rationale: Direct public IP assignment bypasses centralized ingress controls and exposes the VM to the internet
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Network/networkInterfaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/bastionHosts | bas-mgmt | For management access instead of public IPs |
| Microsoft.Network/loadBalancers | lb | For application traffic instead of public IPs |
Enable accelerated networking on supported VM sizes
Severity: Recommended
Rationale: Accelerated networking provides up to 30 Gbps throughput and lower latency via SR-IOV
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/networkInterfaces
Use static private IP allocation for infrastructure VMs (domain controllers, DNS servers)
Severity: Recommended
Rationale: Dynamic IPs can change on deallocation, breaking dependent services
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/networkInterfaces
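The four checks above, AZ-NIC-001 through AZ-NIC-004, as one evaluation over a network interface resource in ARM template JSON shape. This is an added example, not code from the policy set or its agents; the `role` tag used to identify infrastructure VMs, the `subnets_with_nsg` lookup, and the sample NIC are constructed assumptions.

```python
# Constructed sample NIC that violates all four checks: no NSG, direct public IP,
# accelerated networking off, dynamic private IP on a domain-controller role.
SAMPLE_NIC = {
    "name": "nic-dc01",
    "type": "Microsoft.Network/networkInterfaces",
    "tags": {"role": "domain-controller"},  # role tag is an assumed convention
    "properties": {
        "enableAcceleratedNetworking": False,
        "ipConfigurations": [{
            "name": "ipconfig1",
            "properties": {
                "privateIPAllocationMethod": "Dynamic",
                "publicIPAddress": {"id": "/subs/x/publicIPAddresses/pip-dc01"},
                "subnet": {"id": "/subs/x/subnets/snet-resource"},
            },
        }],
    },
}

# Tag values treated as infrastructure roles for AZ-NIC-004 (assumed convention).
INFRA_ROLES = {"domain-controller", "dns-server"}


def evaluate_nic(nic: dict, subnets_with_nsg=frozenset()) -> list:
    """Return ids of the failed checks. subnets_with_nsg (hypothetical lookup) lists
    subnet ids that carry an NSG, which satisfies AZ-NIC-001 without a NIC-level NSG."""
    props = nic.get("properties", {})
    cfgs = [c.get("properties", {}) for c in props.get("ipConfigurations", [])]
    failed = []
    # AZ-NIC-001: NSG on the NIC itself, or on every subnet its ipConfigurations use.
    subnet_ids = [c.get("subnet", {}).get("id") for c in cfgs]
    subnet_covered = bool(subnet_ids) and all(s in subnets_with_nsg for s in subnet_ids)
    if "networkSecurityGroup" not in props and not subnet_covered:
        failed.append("AZ-NIC-001")

    # AZ-NIC-002: no public IP attached to any ipConfiguration.
    if any("publicIPAddress" in c for c in cfgs):
        failed.append("AZ-NIC-002")

    # AZ-NIC-003: accelerated networking must be on.
    if not props.get("enableAcceleratedNetworking", False):
        failed.append("AZ-NIC-003")

    # AZ-NIC-004: infrastructure roles must use static private IP allocation.
    infra = nic.get("tags", {}).get("role") in INFRA_ROLES
    if infra and any(c.get("privateIPAllocationMethod") != "Static" for c in cfgs):
        failed.append("AZ-NIC-004")
    return failed
```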