
Behavior of the built-in policy “Azure AI Services resources should restrict network access”. #1384

Open
wada10 opened this issue Sep 26, 2024 · 0 comments

Comments


wada10 commented Sep 26, 2024

■Details of the scenario you tried and the problem that is occurring

Based on the description of the policy for restricting network access in Azure AI services below, “When network access is restricted, only authorized networks will be able to access the service”, I thought that the policy would evaluate as compliant when the network configuration is set to “Selected networks”.

URL: List of built-in policy definitions - Azure Policy | Microsoft Learn

| Field | Value |
| --- | --- |
| Name (Azure portal) | Azure AI Services resources should restrict network access |
| Description | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |
| Effect(s) | Audit, Deny, Disabled |
| Version (GitHub) | 3.2.0 |

However, in actual operation, “Microsoft.Search/searchServices” is in a non-compliant state.
I understand that this policy works under the following conditions, but I believe the Japanese version of the description does not explain well how this policy works.

・Compliant if public network access for CognitiveServices/accounts is not “disabled” and networkAcls is not “denied”.
・Compliant if public network access for Microsoft.Search/searchServices is not “disabled”.

Additionally, although they are listed as Azure AI service resources, resource types such as “Microsoft.BotService/botServices” are not covered by this policy. It would be more convenient to have a policy that covers all “Azure AI Services resources”, as stated in the name of the policy in question.

We also checked other embedded policies and found none that would be compliant if the selected network were configured.

■Verbose logs showing the problem
N/A

■Suggested solution to the issue

・Modify the description in the policy to explain how the current policy works.
・Publish a built-in policy that restricts network access for all Azure AI Services resources (also compliant for selected IP address situations) or publish a built-in policy that restricts network access for each resource type.

■If policy is Guest Configuration - details about target node
N/A
