What a year! I cannot believe it's almost December 2021. #lockdown is certainly on its way out; hopefully we do not get any more mutations!
So I have been a strong proponent of #Security first in any cloud solution, always striving to cover not just the #build part but also the #BAU perspective, making sure there is enough lifecycle built into the system to keep business continuity while at the same time meeting current industry standards for #ZeroTrust and #ZeroTouch.
Today I want to focus on the challenges I ran into with one of the Azure controls, the NSG (network security group). As we are aware, the AZ-500 certification from MS talks about it heavily and encourages the use of this control. I am sharing my experience, especially in leveraging it for PaaS solutions. The limitations are documented on the website; one of the most important ones is that private endpoints are immune to the NSG in Australia Central.
Despite this major limitation at the moment, I still leveraged the NSG in anticipation that it will be removed. I implemented a broadly open NSG to capture flow logs and analyse them with Traffic Analytics. The flow logs would let me capture the IP addresses actually in use and help me tighten the ranges.
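As an added example (not code from the original post), here is a small Python parser for the version 2 NSG flow-log JSON that Network Watcher writes to the storage account. It pulls out, per NSG rule, the source addresses whose inbound flows were allowed (or denied, for monitoring the deny rules) and collapses the allowed ones into CIDR blocks, which is the "tighten the ranges" step described above. The flow-log blob, the rule names and the addresses in it are constructed for the example.

```python
"""Summarise NSG flow logs (v2 schema) to help tighten NSG source ranges.

Each v2 flow tuple is a comma-separated string:
  timestamp, src IP, dst IP, src port, dst port, protocol (T/U),
  direction (I/O), decision (A/D), flow state (B/C/E),
  packets src->dst, bytes src->dst, packets dst->src, bytes dst->src
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the shape of a v2 NSG flow-log blob (not a real capture).
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2021-11-30T10:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "properties": {
            "Version": 2,
            "flows": [
                {
                    "rule": "UserRule_allow-https-in",  # hypothetical rule name
                    "flows": [{
                        "mac": "000D3AF8801A",
                        "flowTuples": [
                            "1638266400,10.10.1.4,10.20.0.5,51234,443,T,I,A,B,,,,",
                            "1638266401,10.10.1.5,10.20.0.5,51235,443,T,I,A,E,10,1500,12,2000",
                            "1638266402,203.0.113.7,10.20.0.5,40000,443,T,I,A,B,,,,",
                        ],
                    }],
                },
                {
                    "rule": "DefaultRule_DenyAllInBound",
                    "flows": [{
                        "mac": "000D3AF8801A",
                        "flowTuples": [
                            "1638266403,198.51.100.9,10.20.0.5,3389,3389,T,I,D,B,,,,",
                        ],
                    }],
                },
            ],
        },
    }]
})

FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d",
          "pkts_d2s", "bytes_d2s")


def parse_flow_tuples(blob):
    """Yield one dict per flow tuple, tagged with the NSG rule that matched it."""
    data = json.loads(blob)
    for record in data["records"]:
        for rule_entry in record["properties"]["flows"]:
            for flow in rule_entry["flows"]:
                for tup in flow["flowTuples"]:
                    # zip() tolerates the shorter 8-field v1 tuples as well.
                    row = dict(zip(FIELDS, tup.split(",")))
                    row["rule"] = rule_entry["rule"]
                    yield row


def inbound_sources(blob, decision="A"):
    """Map rule name -> sorted source IPs seen inbound with the given decision.

    decision "A" lists what the open rules actually admitted (candidates for
    the tightened allow-list); decision "D" lists what the deny rules caught.
    """
    out = defaultdict(set)
    for row in parse_flow_tuples(blob):
        if row["direction"] == "I" and row["decision"] == decision:
            out[row["rule"]].add(row["src_ip"])
    return {rule: sorted(ips) for rule, ips in out.items()}


def allowed_inbound_sources(blob):
    return inbound_sources(blob, "A")


def collapse_to_cidrs(ips):
    """Collapse host addresses into the fewest CIDR blocks covering exactly those hosts."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for rule, ips in allowed_inbound_sources(SAMPLE_FLOW_LOG).items():
        print(rule, "->", collapse_to_cidrs(ips))
    print("denied:", inbound_sources(SAMPLE_FLOW_LOG, "D"))
```

Point it at the PT1H.json blobs under the `insights-logs-networksecuritygroupflowevent` container and run it over a few days of traffic before cutting the rules down; the collapsed blocks are only as complete as the capture window.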
My dreams got crushed and burnt when I learnt another #limitation (after raising an MS ticket): you need to have at least one compute resource in the subnet before you can see Traffic Analytics for NSG flow logs. One more finding was that the internal APIM PaaS service (VNet injected) was showing logs, but the ASP (VNet injected) outgoing subnet was not showing any flow logs.
Some comments on NSG flow logs: the client has to pay for them twice, once to log to the storage account (Network Watcher) and again for the Traffic Analytics logs in Log Analytics. I am not sure why this control was designed that way; why can't we have the logs in Log Analytics only? BTW, the cost is not high at all, so it won't burn your pockets.
Where does the above leave me with PaaS solutions and the use of NSGs? I think I need to circle back on these findings and rethink this control. Please share your thoughts.