last sync: 2025-Sep-03 17:22:33 UTC

Enforce recommended guardrails for Network and Networking services

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository: Azure Landing Zones (ALZ) GitHub
JSON: Enforce-Guardrails-Network_20250326
Display name: Enforce recommended guardrails for Network and Networking services
Id: Enforce-Guardrails-Network_20250326
Version: 2.0.0 (Details on versioning)
Category: Network
Description: This policy initiative is a group of policies that ensures Network and Networking services are configured as required for regulated Landing Zones.
Cloud environments: AzureChinaCloud, AzureCloud, AzureUSGovernment
Type: Custom Azure Landing Zones (ALZ)
Deprecated: False
Preview: False
Replaces PolicySet: This ALZ PolicySet definition replaces "[Deprecated] Enforce recommended guardrails for Network and Networking services" (Enforce-Guardrails-Network)
More information on Azure Landing Zones deprecated Policy and PolicySet definitions
Policy-used summary
Policy types: Total Policies: 16; Builtin Policies: 9; Static Policies: 0; ALZ Policies: 7
Policy states: GA: 17
Policy categories (1): Network: 17
Policy-used
| Policy DisplayName | Policy Id | Category | Effect | Allowed effects | Roles# | Roles | State | Type | Policy in AzUSGov |
|---|---|---|---|---|---|---|---|---|---|
| Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 | Deny-AppGw-Without-Tls | Network | Default: Deny | Audit, Deny, Disabled | 0 | | GA | ALZ | |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Network | Default: Audit | Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Deny or Audit service endpoints on subnets | Deny-Service-Endpoints | Network | Default: Deny | Audit, Deny, Disabled | 0 | | GA | ALZ | |
| Enforce specific configuration of Network Security Groups (NSG) | Modify-NSG | Network | Default: Modify | Modify, Disabled | 1 | Network Contributor | GA | ALZ | |
| Enforce specific configuration of User-Defined Routes (UDR) | Modify-UDR | Network | Default: Modify | Modify, Disabled | 1 | Network Contributor | GA | ALZ | |
| Gateway subnets should not be configured with a network security group | 35f9c03a-cc27-418e-9c0c-539ff999d010 | Network | Fixed: Deny | (fixed) | 0 | | GA | BuiltIn | unknown |
| Management port access from the Internet should be blocked | Deny-MgmtPorts-From-Internet | Network | Default: Deny | Audit, Deny, Disabled | 0 | | GA | ALZ | |
| Network interfaces should disable IP forwarding | 88c0b9da-ce96-4b03-9635-f29a937e2900 | Network | Fixed: Deny | (fixed) | 0 | | GA | BuiltIn | unknown |
| Network interfaces should not have public IPs | 83a86a26-fd1f-447c-b59d-e51f44264114 | Network | Fixed: Deny | (fixed) | 0 | | GA | BuiltIn | unknown |
| Subnets should have a Network Security Group | Deny-Subnet-Without-Nsg | Network | Default: Deny | Audit, Deny, Disabled | 0 | | GA | ALZ | |
| Subnets should have a User Defined Route | Deny-Subnet-Without-Udr | Network | Default: Deny | Audit, Deny, Disabled | 0 | | GA | ALZ | |
| Virtual networks should be protected by Azure DDoS Protection | 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d | Network | Default: Modify | Modify, Audit, Disabled | 1 | Network Contributor | GA | BuiltIn | unknown |
| VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | 21a6bc25-125e-4d13-b82d-2e19b7208ab7 | Network | Default: Audit | Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Web Application Firewall (WAF) should be enabled for Application Gateway | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Network | Default: Audit | Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Web Application Firewall (WAF) should use the specified mode for Application Gateway | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Network | Default: Audit | Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | 425bea59-a659-4cbb-8d31-34499bd030b8 | Network | Default: Audit | Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
Roles used: Network Contributor (required by Modify-NSG, Modify-UDR and the Azure DDoS Protection policy when their Modify effect is enabled)
History: none
JSON compare: n/a