Task 16: Implemented NSGs and attached to subnets#41
Conversation
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
This requires a few changes before it can be approved. You've done a great job setting up the NSGs and defining the rules for internet-facing traffic. However, a key requirement to explicitly allow traffic between subnets within the virtual network has not been met. Your current script relies on Azure's default rules for this, which doesn't satisfy the task's requirement for an explicit configuration.
To resolve this, please add a new security rule to each of the three NSGs (webservers, database, and management) that explicitly allows inbound traffic from the VirtualNetwork source address prefix. This change will make your infrastructure configuration clear and fully compliant with all requirements.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
| $webRules = @( | ||
| New-AzNetworkSecurityRuleConfig -Name "Allow-HTTP-HTTPS-Internet" ` | ||
| -Priority 100 ` | ||
| -Direction Inbound ` | ||
| -Access Allow ` | ||
| -Protocol Tcp ` | ||
| -SourceAddressPrefix Internet ` | ||
| -SourcePortRange "*" ` | ||
| -DestinationAddressPrefix "*" ` | ||
| -DestinationPortRange @("80", "443") | ||
| ) |
There was a problem hiding this comment.
This rule set is missing a key requirement: allowing traffic from other subnets within the virtual network. While this works due to a default Azure rule, it's best practice to explicitly define all required security rules in your script. Please add a new rule to this array that allows inbound traffic from the VirtualNetwork source.
| $mngRules = @( | ||
| New-AzNetworkSecurityRuleConfig -Name "Allow-SSH-Internet" ` | ||
| -Priority 100 ` | ||
| -Direction Inbound ` | ||
| -Access Allow ` | ||
| -Protocol Tcp ` | ||
| -SourceAddressPrefix Internet ` | ||
| -SourcePortRange "*" ` | ||
| -DestinationAddressPrefix "*" ` | ||
| -DestinationPortRange "22" | ||
| ) |
There was a problem hiding this comment.
Similar to the webservers NSG, this rule set is also missing an explicit rule to allow traffic from other subnets. Please add a rule here to allow inbound traffic from the VirtualNetwork source to meet all task requirements explicitly.
| $databaseNSG = New-AzNetworkSecurityGroup -Name $dbSubnetName ` | ||
| -ResourceGroupName $resourceGroupName ` | ||
| -Location $location ` | ||
| -SecurityRules @() |
There was a problem hiding this comment.
This NSG correctly blocks internet traffic by having no explicit Allow rules from the internet. However, it still needs a rule to allow traffic from other subnets within the virtual network as per the requirements. Please add a rule configuration here to allow inbound traffic from the VirtualNetwork source.
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Excellent work on this submission! You have successfully addressed the feedback from the previous review by implementing the explicit security rule for inter-subnet traffic. All Network Security Groups and their associated rules are configured correctly, meeting all task requirements. Your solution is approved. Great job!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
No description provided.