Governance policies for Virtual Network
Domain: azure-networking
| Name | Description |
|---|---|
| VNet with delegated subnets and NSGs | Complete VNet deployment with purpose-specific subnets, delegations, and NSGs |
| Anti-pattern | Instead |
|---|---|
| Do not create subnets without NSGs | Attach an NSG to every subnet |
| Do not use a single large subnet for all services | Create purpose-specific subnets with appropriate delegations |
| Do not use /8 or /16 address spaces for POC | Use /20 or /22 for POC; plan for future growth without waste |
| Check | Severity | Description |
|---|---|---|
| AZ-VNET-001 | Required | Create Virtual Network with planned address space and purpose-specific subnets |
| AZ-VNET-002 | Required | Create Network Security Groups with explicit rules for every subnet |
| AZ-VNET-003 | Required | Use proper subnet delegation for Azure services that require it |
| AZ-VNET-004 | Required | Plan subnet sizes according to service requirements |
| AZ-VNET-005 | Recommended | Use standard naming convention for subnets: snet-{purpose} |
AZ-VNET-001: Create Virtual Network with planned address space and purpose-specific subnets
Severity: Required
Rationale: Address space must be planned to avoid overlap; subnets must be sized for their workload type
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/virtualNetworks

AZ-VNET-002: Create Network Security Groups with explicit rules for every subnet
Severity: Required
Rationale: NSGs provide network-level access control; every subnet must have an NSG to enforce least-privilege traffic flow
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/virtualNetworks

AZ-VNET-003: Use proper subnet delegation for Azure services that require it
Severity: Required
Rationale: Services like App Service, Container Apps, and others require subnet delegation to function correctly
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/virtualNetworks

AZ-VNET-004: Plan subnet sizes according to service requirements
Severity: Required
Rationale: App Service VNet integration needs /26 minimum; Container Apps needs /23 minimum; PE subnets need /27 minimum
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Network/virtualNetworks

AZ-VNET-005: Use standard naming convention for subnets: snet-{purpose}
Severity: Recommended
Rationale: Consistent naming enables automation and reduces configuration errors
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/virtualNetworks
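As an added example (not part of this policy set or of the project's own tooling), the following Python check evaluates a constructed VNet plan against AZ-VNET-001 to AZ-VNET-005 and the anti-patterns listed above. The plan format, the `purpose` field and the delegation service names are the example's own assumptions; the size minimums come from the AZ-VNET-004 rationale.

```python
import ipaddress
import re
from itertools import combinations
# Per-purpose (minimum size, required delegation) from the policy; the delegation
# service names are this example's own assumptions, not stated in the policy.
REQUIREMENTS = {
    "app-service": (26, "Microsoft.Web/serverFarms"),
    "container-apps": (23, "Microsoft.App/environments"),
    "private-endpoints": (27, None),
}

def check_vnet(vnet: dict, poc: bool = False) -> list:
    """Return 'AZ-VNET-00x: ...' findings for a VNet plan; an empty list means compliant."""
    findings, nets = [], []
    space = ipaddress.ip_network(vnet["addressSpace"])
    if poc and space.prefixlen <= 16:  # anti-pattern: /8 or /16 address space for a POC
        findings.append(f"AZ-VNET-001: {space} is too large for a POC; use /20 or /22")
    for s in vnet["subnets"]:
        name, net = s["name"], ipaddress.ip_network(s["addressPrefix"])
        nets.append((name, net))
        if not net.subnet_of(space):
            findings.append(f"AZ-VNET-001: {name} ({net}) lies outside {space}")
        if not s.get("nsg"):
            findings.append(f"AZ-VNET-002: {name} has no NSG attached")
        min_len, delegation = REQUIREMENTS.get(s.get("purpose"), (None, None))
        if delegation and delegation not in s.get("delegations", []):
            findings.append(f"AZ-VNET-003: {name} must be delegated to {delegation}")
        if min_len is not None and net.prefixlen > min_len:
            findings.append(f"AZ-VNET-004: {name} is /{net.prefixlen}; {s['purpose']} needs /{min_len} or larger")
        if not re.fullmatch(r"snet-[a-z0-9-]+", name):
            findings.append(f"AZ-VNET-005: {name} does not follow snet-{{purpose}}")
    for (a, na), (b, nb) in combinations(nets, 2):  # planned address space: no overlap
        if na.overlaps(nb):
            findings.append(f"AZ-VNET-001: {a} ({na}) overlaps {b} ({nb})")
    return findings

# Constructed plan with deliberate violations so each check has something to report.
EXAMPLE_PLAN = {
    "addressSpace": "10.10.0.0/20",
    "subnets": [
        {"name": "snet-app", "purpose": "app-service", "addressPrefix": "10.10.0.0/26",
         "nsg": "nsg-app", "delegations": ["Microsoft.Web/serverFarms"]},
        {"name": "snet-aca", "purpose": "container-apps", "addressPrefix": "10.10.2.0/24",
         "nsg": "nsg-aca", "delegations": ["Microsoft.App/environments"]},  # /24 is smaller than /23
        {"name": "PrivateEndpoints", "purpose": "private-endpoints", "addressPrefix": "10.10.2.0/27",
         "nsg": None},  # no NSG, non-standard name, overlaps snet-aca
    ],
}
print("\n".join(check_vnet(EXAMPLE_PLAN)))
```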