last sync: 2025-Apr-30 18:25:10 UTC

Enforce recommended guardrails for Network and Networking services

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository: Azure Landing Zones (ALZ) GitHub
Display name: Enforce recommended guardrails for Network and Networking services
Id: Enforce-Guardrails-Network
Version: 1.2.0
Category: Network
Description: This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.
Cloud environments: AzureChinaCloud, AzureCloud, AzureUSGovernment
Type: Custom Azure Landing Zones (ALZ)
Deprecated: False
Preview: False
Policy-used summary
Policy types: Total Policies: 22; Builtin Policies: 15; Static Policies: 0; ALZ Policies: 7
Policy states: Deprecated: 6; GA: 16
Policy categories (1 category): Network: 22
Policy-used
Policy DisplayName | Policy Id | Category | Effect | Roles# | Roles | State | Type | policy in AzUSGov
[Deprecated]: Azure firewall policy should enable TLS inspection within application rules | a58ac66d-92cb-409c-94b8-8e48d7a96596 | Network | Default: Disabled (Allowed: Audit, Deny, Disabled) | 0 | | Deprecated | BuiltIn | unknown
[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection | 711c24bb-7f18-4578-b192-81a6161e1f17 | Network | Default: Disabled (Allowed: Audit, Deny, Disabled) | 0 | | Deprecated | BuiltIn | unknown
[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium | f516dc7a-4543-4d40-aad6-98f76a706b50 | Network | Default: Disabled (Allowed: Audit, Deny, Disabled) | 0 | | Deprecated | BuiltIn | unknown
[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows | 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 | Network | Default: Disabled (Allowed: Audit, Deny, Disabled) | 0 | | Deprecated | BuiltIn | unknown
[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) | 6484db87-a62d-4327-9f07-80a2cbdf333a | Network | Default: Disabled (Allowed: Audit, Deny, Disabled) | 0 | | Deprecated | BuiltIn | unknown
[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | 632d3993-e2c0-44ea-a7db-2eca131f356d | Network | Default: Disabled (Allowed: Audit, Deny, Disabled) | 0 | | Deprecated | BuiltIn | unknown
Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 | Deny-AppGw-Without-Tls | Network | Default: Deny (Allowed: Audit, Deny, Disabled) | 0 | | GA | ALZ |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Network | Default: Audit (Allowed: Audit, Deny, Disabled) | 0 | | GA | BuiltIn | true
Deny or Audit service endpoints on subnets | Deny-Service-Endpoints | Network | Default: Deny (Allowed: Audit, Deny, Disabled) | 0 | | GA | ALZ |
Enforce specific configuration of Network Security Groups (NSG) | Modify-NSG | Network | Default: Modify (Allowed: Modify, Disabled) | 1 | Network Contributor | GA | ALZ |
Enforce specific configuration of User-Defined Routes (UDR) | Modify-UDR | Network | Default: Modify (Allowed: Modify, Disabled) | 1 | Network Contributor | GA | ALZ |
Gateway subnets should not be configured with a network security group | 35f9c03a-cc27-418e-9c0c-539ff999d010 | Network | Fixed: deny | 0 | | GA | BuiltIn | unknown
Management port access from the Internet should be blocked | Deny-MgmtPorts-From-Internet | Network | Default: Deny (Allowed: Audit, Deny, Disabled) | 0 | | GA | ALZ |
Network interfaces should disable IP forwarding | 88c0b9da-ce96-4b03-9635-f29a937e2900 | Network | Fixed: deny | 0 | | GA | BuiltIn | unknown
Network interfaces should not have public IPs | 83a86a26-fd1f-447c-b59d-e51f44264114 | Network | Fixed: deny | 0 | | GA | BuiltIn | unknown
Subnets should have a Network Security Group | Deny-Subnet-Without-Nsg | Network | Default: Deny (Allowed: Audit, Deny, Disabled) | 0 | | GA | ALZ |
Subnets should have a User Defined Route | Deny-Subnet-Without-Udr | Network | Default: Deny (Allowed: Audit, Deny, Disabled) | 0 | | GA | ALZ |
Virtual networks should be protected by Azure DDoS Protection | 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d | Network | Default: Modify (Allowed: Modify, Audit, Disabled) | 1 | Network Contributor | GA | BuiltIn | unknown
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | 21a6bc25-125e-4d13-b82d-2e19b7208ab7 | Network | Default: Audit (Allowed: Audit, Deny, Disabled) | 0 | | GA | BuiltIn | true
Web Application Firewall (WAF) should be enabled for Application Gateway | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Network | Default: Audit (Allowed: Audit, Deny, Disabled) | 0 | | GA | BuiltIn | true
Web Application Firewall (WAF) should use the specified mode for Application Gateway | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Network | Default: Audit (Allowed: Audit, Deny, Disabled) | 0 | | GA | BuiltIn | true
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | 425bea59-a659-4cbb-8d31-34499bd030b8 | Network | Default: Audit (Allowed: Audit, Deny, Disabled) | 0 | | GA | BuiltIn | true
Roles used: Network Contributor
History: none
JSON compare: n/a