solution#48
Conversation
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Your implementation is missing a critical requirement: CHECKLIST ITEM #2 requires that all subnets allow traffic from other subnets within the virtual network, but no such rule exists in any of the three NSGs. Each NSG (webservers, management, and database) needs an inter-subnet communication rule — for example, a rule with SourceAddressPrefix set to VirtualNetwork or 10.20.30.0/24 and a priority lower than the existing Internet-facing rules. Without this rule, VMs in different subnets cannot communicate, which would break application functionality. Please add the intra-VNet allow rules to all three NSGs and update task.ps1 accordingly.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
| $webRule = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTP-HTTPS" -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange @("80", "443") -Access Allow | ||
| $webNSG = New-AzNetworkSecurityGroup -Name $webSubnetName -ResourceGroupName $resourceGroupName -Location $location -SecurityRules $webRule |
There was a problem hiding this comment.
Checklist item #2 requires all subnets to allow traffic from other subnets within the virtual network. This rule is missing from the webservers NSG. Add a rule with SourceAddressPrefix set to the VNet address range (10.20.30.0/24) and appropriate priority.
| $mngRule = New-AzNetworkSecurityRuleConfig -Name "Allow-SSH" -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22 -Access Allow | ||
| $mngNSG = New-AzNetworkSecurityGroup -Name $mngSubnetName -ResourceGroupName $resourceGroupName -Location $location -SecurityRules $mngRule |
There was a problem hiding this comment.
Checklist item #2 requires all subnets to allow traffic from other subnets within the virtual network. This rule is missing from the management NSG. Add a rule with SourceAddressPrefix set to the VNet address range (10.20.30.0/24) and appropriate priority.
|
|
||
| Write-Host "Creating dbSubnet network security group..." | ||
| # Write your code for creation of management NSG here -> | ||
| $dbNSG = New-AzNetworkSecurityGroup -Name $dbSubnetName -ResourceGroupName $resourceGroupName -Location $location |
There was a problem hiding this comment.
Checklist item #2 requires all subnets to allow traffic from other subnets within the virtual network. The database NSG needs a rule to allow traffic from other subnets (10.20.30.0/24), even though it blocks Internet traffic. Consider adding an "Allow-Intra-VNet" rule to $dbNSG.
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Your implementation is approved. All requirements have been successfully met: each subnet (webservers, database, management) has its own properly named NSG, inter-subnet communication is enabled via the VirtualNetwork address prefix in all three NSGs, the webservers tier permits HTTP/HTTPS traffic from the Internet, the management tier permits SSH from the Internet, and the database tier is properly isolated with no Internet-facing rules—the implicit NSG deny rule handles blocking all external traffic. The critical inter-subnet communication issue from the previous review has been resolved, and your solution is ready for use.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
No description provided.