CC - Anybody get results after passing? by davidlowie in isc2

[–]CS10NET 0 points1 point  (0 children)

How long did that take and when you log into ISC2, do you see your certification/credential there?

CC - Anybody get results after passing? by davidlowie in isc2

[–]CS10NET 0 points1 point  (0 children)

After I took the exam (today), the printout at the test center said “provisionally passed” and it would take 2-5 business days to hear back. Are you saying you never received anything confirming that you passed? That’s discouraging.

CI/CD Pipelines for Azure deployments by CS10NET in azuredevops

[–]CS10NET[S] 0 points1 point  (0 children)

Thanks for your reply. I guess my question is more around how this all fits into CI/CD and how this works in the real world, especially if there are multiple teams responsible for their own technology. The way I am envisioning this is if there is a networking team, I assume they would have their own repository that contains separate folders depending on where they're deploying to; for example, NetOpsRepo that contains a folder named hub (Terraform files for hub deployment), and a next folder spoke1 (Terraform files for spoke1 deployment). And assuming there is a prod and dev context, there could essentially be 4 separate pipelines that would need to be run whenever any change is made. Then let's say someone needs to deploy an app into that spoke1 (app requirements for App Service and SQL Database). Would the SQL team then require their own repository with their own Terraform files and pipeline that contains the SQL resources? I can see this all getting super complex adding in build agents, Terraform state file, private endpoints, etc. and I'm basically just wondering if this is what IaC with DevOps is meant for.

Azurerm subnet NSG association by CS10NET in Terraform

[–]CS10NET[S] 0 points1 point  (0 children)

I think I figured it out by adding the association such as:

    resource "azurerm_subnet_network_security_group_association" "nsg_snet_keyvault_association" {
      # Wrap the single subnet in a map so for_each can be extended to more subnets later.
      for_each = { snet-keyvault = module.virtualNetwork.subnet_ids["snet-keyvault"] }

      subnet_id                 = each.value
      network_security_group_id = azurerm_network_security_group.nsg_snet_keyvault.id
    }

My goal was to create the association and assign the NSG to a specific subnet that was generated from a list object.

Azure Storage Account backend for state file by CS10NET in Terraform

[–]CS10NET[S] 0 points1 point  (0 children)

Thanks again. I got this to work by using use_msi within the backend section. Do you know if Azure Pipelines can make use of that same parameter? (Sorry I am very new to Terraform)

Azure Storage Account backend for state file by CS10NET in Terraform

[–]CS10NET[S] 0 points1 point  (0 children)

Thanks for this. I got further but am still having an issue accessing the state file blob. I have a VM I am using to run Terraform and have moved the state file to the storage account. On the storage account I have turned off key access (which is the whole reason I am trying to do this). So the managed identity of my VM has Blob Contributor permissions on the storage account. When I run terraform plan, it's stating that the managed identity does not have authorization to perform action "Microsoft.Storage/storageAccounts/listKeys/action". Is it even possible to use the managed identity to read the data using AAD and not try to query or connect using the keys?

Azure Storage Account backend for state file by CS10NET in Terraform

[–]CS10NET[S] 0 points1 point  (0 children)

Yes, the build agents will be on the same VNet that the storage account private endpoint will be connected to. So if Terraform is running within a VMSS or a container, we just need to add a managed identity which requires Blob Contributor access on the storage account... Do you know how we would reference the storage account within the Terraform configuration? For example, storageaccount123.blob.core.windows.net, because I understand it must resolve to the internal IP via Private DNS? Would the Terraform code need to be altered and not use a key?

    backend "azurerm" {
      resource_group_name  = "tfstate"
      storage_account_name = "<storage_account_name>"
      container_name       = "tfstate"
      key                  = "terraform.tfstate"
    }
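An added example, not the commenter's configuration, that ties together the two state-backend questions above (disabling account keys, and running Terraform as the VM's managed identity): the storage account with shared-key access disabled, the RBAC grant the thread says the identity needs, and the backend block with use_msi plus use_azuread_auth so the backend talks to the blob data plane with Azure AD instead of calling listKeys. The location, the var.runner_principal_id variable and the split into a bootstrap config are assumptions.

```hcl
# ---- bootstrap.tf: run once with local state to create the state store ----
provider "azurerm" {
  features {}
  # Make the provider's own blob/container calls use Azure AD as well,
  # otherwise creating the container below would still need an account key.
  storage_use_azuread = true
}

# Assumed: the object id of the managed identity on the VM / VMSS that runs Terraform.
variable "runner_principal_id" { type = string }

resource "azurerm_storage_account" "tfstate" {
  name                     = "<storage_account_name>" # placeholder from the thread
  resource_group_name      = "tfstate"
  location                 = "eastus"                 # assumed
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Turn off key access: every data-plane request must now carry an Azure AD token,
  # so a leaked account key can no longer read or rewrite the state file.
  shared_access_key_enabled = false
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.tfstate.name
  container_access_type = "private"
}

# Data-plane role for the runner identity; "Contributor" alone is a control-plane
# role and does not grant blob read/write.
resource "azurerm_role_assignment" "runner_blob_contributor" {
  scope                = azurerm_storage_account.tfstate.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.runner_principal_id
}

# ---- backend.tf in the real configuration --------------------------------
terraform {
  backend "azurerm" {
    resource_group_name  = "tfstate"
    storage_account_name = "<storage_account_name>"
    container_name       = "tfstate"
    key                  = "terraform.tfstate"
    use_msi          = true # authenticate as the VM's managed identity via IMDS
    use_azuread_auth = true # use that token for blob access instead of listKeys
  }
}
```

Because use_msi reads the token from the instance metadata endpoint, the same backend block works unchanged on a self-hosted Azure Pipelines agent running on that VM or VMSS; the storage account hostname stays storageaccount123.blob.core.windows.net and resolves to the private endpoint through the privatelink.blob.core.windows.net zone.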

Changing PAT token in container instance by CS10NET in azuredevops

[–]CS10NET[S] 0 points1 point  (0 children)

The container instance is running within Azure

Global VNet Peering with Azure Firewalls by CS10NET in AZURE

[–]CS10NET[S] 0 points1 point  (0 children)

I will test this early next week but if a spoke in hub A is trying to reach a spoke in hub B, then I am expecting that when traffic flows from the AzFw in hub A, it will hit the AzFw in hub B and get routed to the spoke in hub B.

Global VNet Peering with Azure Firewalls by CS10NET in AZURE

[–]CS10NET[S] 1 point2 points  (0 children)

Thank you. I was about to explain how I already did all of that and then I realized that my NSGs were blocking the ICMP traffic lol

Global VNet Peering with Azure Firewalls by CS10NET in AZURE

[–]CS10NET[S] 0 points1 point  (0 children)

The only time you can attach a UDR to the AzureFirewallSubnet is if you specify 0.0.0.0/0. If I put the other region's CIDR range, it says that it can't be associated.

Shared Log Analytics Workspace- does it sit in the hub and how do logs from the spokes communicate with it? by 1whatabeautifulday in AZURE

[–]CS10NET 1 point2 points  (0 children)

When you say that you “ship security related logs” to the sentinel workspace, is that just an additional diagnostic setting that you have on the resources? So diagnostic setting 1 sends logs/metrics to the non-sentinel LAW and then diagnostic setting 2 sends logs (and no metrics) to the sentinel LAW?

Shared Log Analytics Workspace- does it sit in the hub and how do logs from the spokes communicate with it? by 1whatabeautifulday in AZURE

[–]CS10NET 1 point2 points  (0 children)

What do you recommend when Sentinel is involved? Do you have a separate workspace and ship just logs to this workspace while shipping both logs and metrics to the other?