Solution#31
Conversation
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Decision: REQUEST_CHANGES — critical blockers remain that prevent meeting core requirements and likely cause validation failure.
Why: The script misses required rules and targets the wrong resources, violating checklist items 1.3, 1.6, and 2.3. These are critical blockers, not minor issues.
Critical issues to fix:
-
Intra-VNet allow rules missing (Requirement 1.3)
- Add an inbound allow rule on each NSG (
webservers,management,database) with:Source:VirtualNetwork(service tag)Destination:VirtualNetworkor*Protocol:*DestinationPortRange:*Access:AllowPriority: lower (e.g., 100-200) than any deny rules.
- Example:
New-AzNetworkSecurityRuleConfig -Name Allow-IntraVNet -Access Allow -Protocol * -Direction Inbound -Priority 110 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * - Point of failure: in
task.ps1, there is no rule using theVirtualNetworktag for any NSG.
- Add an inbound allow rule on each NSG (
-
Database NSG must deny all inbound Internet traffic (Requirement 1.6)
- Add an explicit inbound deny rule on the
databaseNSG:Source:InternetProtocol:*DestinationPortRange:*Access:DenyPriority: higher number than allows (e.g., 300).
- Example:
New-AzNetworkSecurityRuleConfig -Name Deny-Internet-All -Access Deny -Protocol * -Direction Inbound -Priority 300 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * - Point of failure:
task.ps1defines no explicit deny on the database NSG.
- Add an explicit inbound deny rule on the
-
Update existing VNet and subnets rather than creating new ones (Requirement 2.3)
- Replace VNet/subnet creation with retrieval and update:
$vnet = Get-AzVirtualNetwork -Name <existingVnetName> -ResourceGroupName <rg>- Get existing subnets:
$subnet = $vnet.Subnets | Where-Object Name -eq 'webservers'(repeat formanagement,database). - Associate NSGs:
$subnet.NetworkSecurityGroup = $webNsg; Set-AzVirtualNetwork -VirtualNetwork $vnet.
- Point of failure: current script creates a new VNet and subnets and attaches NSGs to those new subnets.
- Replace VNet/subnet creation with retrieval and update:
-
Set explicit priorities for all rules (Requirement 2.6)
- Ensure ordering: intra-VNet allow (e.g., 110), specific Internet allows (web: 120/130; mgmt: 120), and denies (database Internet deny at 300). Avoid overlaps and duplicate priorities.
-
Idempotency (Requirement 3.7)
- Add checks before creating resources and rules:
- Use
Get-AzNetworkSecurityGroupto reuse existing NSGs if they exist. - Before adding a rule, check
SecurityRules.Nameand update if needed. - When associating NSGs to subnets, only set/commit if the association differs.
- Use
- Add checks before creating resources and rules:
-
Artifacts completeness
- Generate and include
result.jsonif required by your pipeline/validation scripts.
- Generate and include
Minor improvements (optional):
- Consider explicit Internet deny rules on
webservers/managementfor non-HTTP(S)/SSH if validation expects them. - Add basic error handling (
try/catch) and parameterize names/locations.
You’re close—your use of Az cmdlets and the basic NSG setup is solid. Address the above items and you should pass validation. If you share the existing VNet/subnet names, I can help sketch the exact cmdlet sequence to update them safely.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
| $AllowHTTPandHTTPS = New-AzNetworkSecurityRuleConfig ` | ||
| -Name "http-rule" ` | ||
| -Description "Allow HTTP and HTTPS traffic from the Internet" ` | ||
| -Access Allow ` | ||
| -Protocol Tcp ` | ||
| -Direction Inbound ` | ||
| -Priority 200 ` | ||
| -SourceAddressPrefix Internet ` | ||
| -SourcePortRange * ` | ||
| -DestinationAddressPrefix * ` | ||
| -DestinationPortRange 80, 443 | ||
|
|
||
| $webserversNSG = New-AzNetworkSecurityGroup ` | ||
| -Name $webSubnetName ` | ||
| -ResourceGroupName $resourceGroupName ` | ||
| -Location $location ` | ||
| -SecurityRules $AllowHTTPandHTTPS |
There was a problem hiding this comment.
You are missing an intra-VNet allow rule for the webservers NSG. Each NSG must have a rule that allows traffic from the 'VirtualNetwork' service tag (intra-VNet traffic) as required by checklist item 1.3.
| $AllowSSH = New-AzNetworkSecurityRuleConfig ` | ||
| -Name "ssh-rule" ` | ||
| -Description "Allow only SSH traffic from the Internet" ` | ||
| -Access Allow ` | ||
| -Protocol Tcp ` | ||
| -Direction Inbound ` | ||
| -Priority 200 ` | ||
| -SourceAddressPrefix Internet ` | ||
| -SourcePortRange * ` | ||
| -DestinationAddressPrefix * ` | ||
| -DestinationPortRange 22 | ||
|
|
||
| $ManagementNSG = New-AzNetworkSecurityGroup ` | ||
| -Name $mngSubnetName ` | ||
| -ResourceGroupName $resourceGroupName ` | ||
| -Location $location ` | ||
| -SecurityRules $AllowSSH |
There was a problem hiding this comment.
You are missing an intra-VNet allow rule for the management NSG. Each NSG must have a rule that allows traffic from the 'VirtualNetwork' service tag (intra-VNet traffic) as required by checklist item 1.3.
| $DataBaseNSG = New-AzNetworkSecurityGroup ` | ||
| -Name $dbSubnetName ` | ||
| -ResourceGroupName $resourceGroupName ` | ||
| -Location $location | ||
|
|
There was a problem hiding this comment.
You are missing both an intra-VNet allow rule and an explicit deny rule for Internet-sourced traffic for the database NSG. The database NSG must deny all inbound Internet traffic and allow intra-VNet traffic as per requirements 1.3 and 1.6.
No description provided.