Network security groups support for private endpoints

Hi!

Network security groups (NSGs) support for private endpoints is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

By default, network policies are disabled for a subnet in a virtual network. To utilize network policies like UDR and NSG support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.

Enable Network Policy:

  1. Sign-in to the Azure portal.
  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks.
  3. Select myVNet.
  4. In settings of myVNet, select Subnets.
  5. Select the default subnet.
  6. In the properties for the default subnet, select Enabled in NETWORK POLICY FOR PRIVATE ENDPOINTS.
  7. Select Save.
Maxime.

Two news alerts for Microsoft Defender for KeyVault (AKV)

Hi!

In this article, I will share with you two news alerts released in June 2022 for Microsoft Defender for KeyVault.

Alert (alert type)DescriptionMITRE tacticsSeverity
Unusual access denied – User accessing high volume of key vaults denied
(KV_DeniedAccountVolumeAnomaly)		A user or service principal has attempted access to anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it. We recommend further investigations.DiscoveryLow
Unusual access denied – Unusual user accessing key vault denied
(KV_UserAccessDeniedAnomaly)		A key vault access was attempted by a user that doesn’t normally access it, this anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it.Initial Access, DiscoveryLow

Maxime.

AKS | Start and Stop Node Pool

Hi!

Your AKS workloads may not need to run continuously, for example a development cluster that has node pools running specific workloads. To optimize your costs, you can completely turn off (stop) your node pools in your AKS cluster, allowing you to save on compute costs.

Stop an AKS Node Pool:

az aks nodepool stop --nodepool-name testnodepool --resource-group myResourceGroup --cluster-name myAKSCluster

Start an AKS Node Pool:

az aks nodepool start --nodepool-name testnodepool --resource-group myResourceGroup --cluster-name myAKSCluster

Maxime.