Azure/Azure-Network-Security

Custom Service Tags

Closed this issue · 4 comments

Is your feature request related to a problem? Please describe.
Within an organization, we may have numerous IPs advertised through BGP, and potentially an on-prem environment. We may leverage external services as well over certain public IPs through our partners. For both of these we have to set up inbound allow policies on our Network Security Groups, and if we have numerous subscriptions in our organization and numerous regions, applying these network security groups is not simple to make uniform and secure, as we have to maintain this list of IPs we have to allow all the time.

Similarly, if we want to set up UDRs on our subnets to those certain IPs, we have to remember them all the time and manually assign them to our route tables on our subnets. That is a pain and can cause inconsistency.

This can only be simplified via IaC such as terraform where we publish modules and release them in each subscription.

If we can have custom service tags, it will make NSGs and route tables simpler, as we can create custom NSGs where the NSG rules dynamically update to the company's approved custom IP service tags. A company's IPs are constantly changing internally, just like Microsoft's Service Tags. So, just as we need to securely allow Microsoft Service Tags as they get updated without breaking our PaaS workloads, this will make it much smoother and more secure for organizations as well if they can publish their own service tags for their approved resources. And when they make updates to their service tags, it gets picked up more quickly by their NSGs and route tables, rather than slowly performing releases via Terraform everywhere.

Describe the solution you'd like

Custom Service Tags for NSGs and route tables that organizations themselves can supply with their approved IPs.

Describe alternatives you have considered

Terraform module registry, Terraform version control per subscription per region per environment (prod/nonprod/dev), where we update our prod IPs and non-prod IPs as they get updated, so our NSGs can block communication between each other.

This is very slow and can only be solved for the approved IP ranges as we release. It leaves some behind until we get to it. It's also difficult for certain subnets with their own custom NSG.

For example, the same NSG can be re-used on multiple subnets. Similarly for route tables. And we may have custom subnets with custom NSGs not in use by other subnets, and similarly for route tables.

But updating them as we need to update our approved IPs for whitelisting/blocking/UDRs statically, via individual IPs, is not secure.

Being able to do this via custom service tags that we manage ourselves solves so many problems.

Additional context

Here are Microsoft's own Service Tags, which get updated:
https://www.microsoft.com/en-us/download/details.aspx?id=56519

Having this support for ourselves as well can simplify management and security on our resources.

Also, if vendors can publish their custom service tags on the Microsoft Azure Marketplace, it will make our NSGs and UDRs more secure as well, as we don't have to come back and update them as the vendor updates their IPs.
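The "keep NSGs in sync with a published tag list" step that the request above has to do by hand today can be scripted against the Service Tags download linked above. The following is an added example, not code from the issue, from Azure, or from this repository. It assumes the public ServiceTags JSON layout (a top-level `values` list whose entries carry `name` and `properties.addressPrefixes`); the two snapshots `OLD` and `NEW` are constructed inline with made-up prefixes so the script runs offline. It validates every prefix before anything is pushed to a rule, computes what changed per tag between two releases (the review step a change-control process wants), checks whether a given IP is covered by a tag, and produces the merged prefix list for an NSG rule's destination addresses.

```python
"""Diff two Azure Service Tags snapshots and map tags onto NSG rule prefixes.

Added example for the custom-service-tags discussion. The snapshot layout
follows the public ServiceTags JSON (values[].name, values[].properties.
addressPrefixes); the prefixes below are CONSTRUCTED sample data, not real
Azure ranges.
"""
import ipaddress

# Constructed "previous release" snapshot.
OLD = {
    "changeNumber": 100,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus", "properties": {
            "addressPrefixes": ["20.42.0.0/16", "40.90.0.0/15", "2603:1030:2::/48"]}},
        {"name": "Storage.eastus", "properties": {
            "addressPrefixes": ["52.240.48.0/22"]}},
    ],
}

# Constructed "current release" snapshot: one range swapped, one added, one new tag.
NEW = {
    "changeNumber": 101,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus", "properties": {
            "addressPrefixes": ["20.42.0.0/16", "40.88.0.0/16", "2603:1030:2::/48"]}},
        {"name": "Storage.eastus", "properties": {
            "addressPrefixes": ["52.240.48.0/22", "20.60.0.0/16"]}},
        {"name": "Sql.eastus", "properties": {
            "addressPrefixes": ["40.71.8.0/24"]}},
    ],
}


def invalid_prefixes(doc):
    """Return every prefix string in the snapshot that is not a valid CIDR network.

    strict=True rejects host bits set below the mask, so a truncated or
    hand-edited file fails loudly instead of silently producing a bad rule.
    """
    bad = []
    for entry in doc["values"]:
        for prefix in entry["properties"]["addressPrefixes"]:
            try:
                ipaddress.ip_network(prefix, strict=True)
            except ValueError:
                bad.append(f'{entry["name"]}: {prefix}')
    return bad


def load_tags(doc):
    """Map tag name -> set of prefix strings, refusing a snapshot with bad prefixes."""
    bad = invalid_prefixes(doc)
    if bad:
        raise ValueError(f"invalid prefixes in snapshot: {bad}")
    return {e["name"]: set(e["properties"]["addressPrefixes"]) for e in doc["values"]}


def _sort_key(prefix):
    net = ipaddress.ip_network(prefix)
    return (net.version, int(net.network_address), net.prefixlen)


def diff_tags(old_doc, new_doc):
    """Per tag, list prefixes added and removed between two snapshots.

    A tag present in only one snapshot shows up with all its prefixes on
    one side, which is what a reviewer wants to see before updating rules.
    """
    old, new = load_tags(old_doc), load_tags(new_doc)
    result = {}
    for tag in sorted(old.keys() | new.keys()):
        before, after = old.get(tag, set()), new.get(tag, set())
        if before != after:
            result[tag] = {
                "added": sorted(after - before, key=_sort_key),
                "removed": sorted(before - after, key=_sort_key),
            }
    return result


def ip_in_tag(ip, doc, tag):
    """True if `ip` falls inside any prefix of `tag` (IPv4/IPv6 handled separately)."""
    addr = ipaddress.ip_address(ip)
    prefixes = load_tags(doc).get(tag, set())
    # Network.__contains__ returns False for a version mismatch, so no filtering needed.
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def nsg_destination_prefixes(doc, tags):
    """Union of the chosen tags' prefixes, deduplicated and ordered, for an NSG rule.

    This is the list that would go into a rule's destinationAddressPrefixes
    (Terraform: destination_address_prefixes) in the absence of a custom tag.
    """
    loaded = load_tags(doc)
    merged = set()
    for tag in tags:
        merged |= loaded[tag]  # KeyError on an unknown tag is intentional
    return sorted(merged, key=_sort_key)


if __name__ == "__main__":
    for tag, change in diff_tags(OLD, NEW).items():
        print(tag, "added:", change["added"], "removed:", change["removed"])
    print(nsg_destination_prefixes(NEW, ["Storage.eastus", "Sql.eastus"]))
```

Running the diff on each new release, and failing the pipeline when `invalid_prefixes` is non-empty, gives the release gate that a Terraform module publishing these lists would otherwise lack.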

@wnadim92 Thank you for submitting this issue. NSGs are currently not used in Azure firewall today. This feedback will be provided to the Networking team.
Azure Firewall has the IP Group feature that you may use for IP aliases today. You can find more information about Azure IP Groups here.
I will be closing out this issue, feel free to re-open it if you have any questions.

I posted this on the Azure Network Security page. I wasn't aware this page is for Azure Firewall only, as this is a Network Security Group request in relation to Azure Network Security. Please keep this open and provide updates on that. Please spend a little more time reading what I wrote above before closing this as an Azure Firewall request.