Extend Locks to Individual Azure NSG Rules
Large corporate environments need the flexibility to offer business units and employees Azure Development and POC environments that can still be secured while still allowing flexibility to users.
Companies need to have the ability to lock down "block" and "allow" NSG rules at the 100 level so that they cannot be deleted by users, while still allowing users to add / delete / modify other rules. NSG rule locks would provide the needed flexibility and security to these types of Azure environments. In addition, Azure Policy deployIfNotExists would also be needed to make sure the locks are enforced, as well as to audit the locks. The Azure Policy aliases would have to be added after locks have been implemented.
As a note, RBAC does not offer this capability at the NSG rule level, but maybe it should.
If you do not understand where the security gap is and why this is being requested, please comment and I can explain in more detail.
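As an added illustration of the audit gap described in this request (example code, not from the post or from Azure): a script that checks an exported NSG's priority-100 baseline rules against an expected baseline, which is the check an Azure Policy audit would perform once rule-level locks and the matching aliases existed. The baseline, rule names, address prefixes and ports are assumed values.

```python
"""Audit an exported NSG (ARM JSON shape) for drift in the protected priority-100 baseline rules.
Constructed example: the baseline and the sample NSG below are made up for illustration."""

# Baseline rules the security team wants locked at priority 100 (assumed values, one per direction).
# Azure rule priorities range from 100 to 4096, so a rule at 100 is always evaluated first in its
# direction; the risk is a user deleting it or editing it, which is what this audit detects.
BASELINE = {
    ("Inbound", 100): {"name": "Deny-Internet-RDP", "access": "Deny", "protocol": "Tcp",
                       "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    ("Outbound", 100): {"name": "Allow-Corp-Proxy", "access": "Allow", "protocol": "Tcp",
                        "destinationAddressPrefix": "10.0.0.0/24", "destinationPortRange": "8080"},
}
FIELDS = ("access", "protocol", "sourceAddressPrefix", "destinationAddressPrefix", "destinationPortRange")


def rule(name, direction, priority, **props):
    """Build one securityRules entry in the ARM shape used by exported NSG JSON."""
    return {"name": name, "properties": {"direction": direction, "priority": priority, **props}}


# Constructed sample: a user flipped the inbound baseline rule to Allow, deleted the outbound one,
# and added their own rule at priority 200 (which is permitted and must not be flagged).
SAMPLE_NSG = {"name": "dev-team-nsg", "properties": {"securityRules": [
    rule("Deny-Internet-RDP", "Inbound", 100, access="Allow", protocol="Tcp",
         sourceAddressPrefix="Internet", destinationPortRange="3389"),
    rule("Allow-Team-Web", "Inbound", 200, access="Allow", protocol="Tcp",
         sourceAddressPrefix="10.1.0.0/16", destinationPortRange="443"),
]}}


def audit_nsg(nsg):
    """Return one finding per baseline rule that is missing or whose compared fields drifted."""
    findings = []
    actual = {(r["properties"]["direction"], r["properties"]["priority"]): r
              for r in nsg["properties"]["securityRules"]}
    for (direction, prio), expected in BASELINE.items():
        current = actual.get((direction, prio))
        if current is None:
            findings.append(f"{direction}/{prio}: baseline rule '{expected['name']}' is missing")
            continue
        for field in FIELDS:
            got = current["properties"].get(field)
            if field in expected and got != expected[field]:
                findings.append(f"{direction}/{prio}: {field} is {got!r}, expected {expected[field]!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_nsg(SAMPLE_NSG):
        print(finding)
```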
Another way to address this is to support multiple NSGs per subnet. With that, we can use Azure Policy to deploy the default security NSGs to every subnet. Each team can apply their own NSGs on top of that, but the security baseline is enforced.