Solution#32
Conversation
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Decision: REQUEST_CHANGES — several core requirements are missing and block successful completion.
Critical issues to fix (blocking):
-
Attach NSGs to existing subnets in an existing VNet (do not create a new VNet/subnets).
- Why: The task requires updating the existing VNet. Creating a new VNet breaks validation and does not secure the intended environment.
- How: Use
Get-AzVirtualNetwork -Name <existingVNet> -ResourceGroupName <rg>to retrieve the VNet, get subnets via$vnet.Subnets | Where-Object Name -eq 'webservers'(and others), setNetworkSecurityGroupon each subnet, thenSet-AzVirtualNetworkto save. - Tip: Do not call
New-AzVirtualNetworkor recreate subnets.
-
Add intra-VNet allow rules on all NSGs (webservers, management, database).
- Why: Required to allow inter-subnet traffic; without it, expected VNet communication is blocked.
- How: Add an inbound rule with
-SourceAddressPrefix VirtualNetwork -DestinationAddressPrefix VirtualNetwork -Access Allow -Direction Inbound -Priority <e.g., 100>for each NSG.
-
Implement idempotency.
- Why: Script must be safe to rerun without failing or duplicating resources.
- How: Use
Get-AzNetworkSecurityGroup -Name <nsg> -ErrorAction SilentlyContinueto check existence; create if missing, otherwise update rules if not present. When associating NSGs to subnets, check current association before setting.
-
Database NSG: add an explicit deny for Internet-sourced inbound traffic.
- Why: Requirement suggests explicit deny for clarity and validation, not just relying on default deny.
- How: Add a rule like
-Name 'Deny-Internet-Inbound' -SourceAddressPrefix Internet -Access Deny -Direction Inbound -Priority <higher than allow rules, e.g., 200>.
Line-level guidance (task.ps1):
- Anywhere you call
New-AzVirtualNetworkandAdd-AzVirtualNetworkSubnetConfig: replace with retrieving the existing VNet usingGet-AzVirtualNetworkand updating its subnets. - Where you create rules for webservers (HTTP/HTTPS) and management (SSH): insert an additional
VirtualNetworkallow rule above more specific rules (lower priority number, e.g., 100) for each NSG. - After NSG creation, before associating: check for existing NSGs with
Get-AzNetworkSecurityGroupand reuse/update instead of recreating. - When associating NSGs: set
($subnet).NetworkSecurityGroup = $nsgand then runSet-AzVirtualNetwork -VirtualNetwork $vnetonce per VNet.
What you did well:
- Correct use of Az cmdlets and appropriate HTTP/HTTPS and SSH rules on the right NSGs.
- Clear naming aligned with subnet roles.
Please address the above blockers and resubmit. You’re close—once you target the existing VNet, add the intra-VNet allow rules, ensure idempotency, and add the explicit deny on the database NSG, the solution should meet all requirements.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Decision: Request changes
Your script has good foundations for NSG creation and rule definition, but there are critical blockers that prevent meeting the task requirements.
Blocking issues to fix
- Incorrect VNet/subnet handling (critical): You are recreating the VNet and subnets using
New-AzVirtualNetworkandNew-AzVirtualNetworkSubnetConfiginstead of updating the existing ones. This violates the requirement to update the existing network and will fail validation.- Why: The task requires associating NSGs to the existing subnets.
- How to fix: Use
Get-AzVirtualNetwork -Name <vnetName> -ResourceGroupName <rg>to retrieve the existing VNet. Update each target subnet’s.NetworkSecurityGroupproperty (e.g.,$vnet.Subnets | Where-Object Name -eq 'webservers') to the corresponding NSG, thenSet-AzVirtualNetwork -VirtualNetwork $vnetto persist. Do not callNew-AzVirtualNetworkorNew-AzVirtualNetworkSubnetConfig. - Example:
$subnet = $vnet.Subnets | Where-Object Name -eq 'webservers'; $subnet.NetworkSecurityGroup = $webNsg; Set-AzVirtualNetwork -VirtualNetwork $vnet.
- Missing intra-VNet allow rules on all NSGs (critical): No inbound rule allowing
VirtualNetworktoVirtualNetworktraffic.- Why: Required to permit subnet-to-subnet communication and part of the checklist.
- How to fix: Add an inbound allow rule on each NSG with
-SourceAddressPrefix 'VirtualNetwork' -DestinationAddressPrefix 'VirtualNetwork' -Access Allow -Direction Inbound -Protocol * -Priority 100(ensure priority is lower number than Internet rules so it’s evaluated first as needed).
- Database NSG missing explicit Internet deny (critical): No explicit inbound deny rule for source
Internet.- Why: The requirement calls for an explicit deny to pass validation (not relying on default deny).
- How to fix: Add an inbound deny rule on the database NSG with
-SourceAddressPrefix 'Internet' -Access Deny -Direction Inbound -Protocol * -Priority 200(priority higher number than the intra-VNet allow, but before any other broader allows if present).
- Idempotency for subnet association (critical): Because you recreate the VNet/subnets, reruns are unsafe.
- How to fix: When updating the existing VNet, check if each subnet already references the correct NSG before setting it. Only call
Set-AzVirtualNetworkwhen changes are needed.
- How to fix: When updating the existing VNet, check if each subnet already references the correct NSG before setting it. Only call
What you did well
- Clear NSG creation and naming; correct Internet allow rules for web (80/443) and management (22). Artifacts are generated properly.
Please address the above items. Once you switch to updating the existing VNet via Get-AzVirtualNetwork/Set-AzVirtualNetwork, add the intra-VNet allow rules, and include the database Internet deny, your solution should meet all requirements. Keep going—you’re close!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Educational approval: You’ve made solid progress—NSGs are correctly created, named after the subnets, associated to the right subnets, and your rule creation is idempotent. Nice work using the proper Az cmdlets and keeping PowerShell 7 compatibility.
Critical fixes to address:
- Missing intra-VNet allow rules (task.ps1): Add an inbound allow with
SourceAddressPrefixVirtualNetwork,DestinationAddressPrefix*,Protocol*. Suggest priority 100 and name likeAllow-IntraVNet. This enables subnet-to-subnet traffic as required. - Database NSG lacks explicit Internet deny (task.ps1): Add an inbound
SourceAddressPrefixInternet,AccessDeny, nameDeny-Internet, priority 300. This meets the explicit deny requirement. - Rule priorities are all 100 (task.ps1): Each rule must have a unique priority. Suggested pattern: 100 (intra-VNet allow), 200/210/220 (service allows), 300 (explicit denies). This ensures correct evaluation order.
Improvements for clarity/validation:
- Split web HTTP/HTTPS into two rules (task.ps1): Use
Allow-HTTP(80) andAllow-HTTPS(443) with distinct priorities (e.g., 200 and 210) for clearer intent and validation. - Use clear, deterministic names:
Allow-IntraVNet,Allow-HTTP,Allow-HTTPS,Allow-SSH,Deny-Internet. - Resource group name: Replace
mate-azure-task-16withmate-resourcesper requirements. - Idempotent subnet association: Before calling
Set-AzVirtualNetwork, check if the subnet’sNetworkSecurityGroup.Idalready matches the NSG to avoid unnecessary updates.
You’re very close—addressing these targeted changes will bring your script to full compliance. Great job so far; keep going!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
No description provided.