Microsoft Defender for Cloud: "Subnets should be associated with a network security group" status is Not Applicable for a private endpoints subnet
I have a subnet dedicated to private endpoints and I don't have NSG associated with this subnet.
Microsoft Defender for Cloud shows that
"Subnets should be associated with a network security group" status is Not Applicable
for the above mentioned private endpoints subnet
Microsoft Defender for Cloud is flagging "Subnets should be associated with a network security group status is Not Applicable" this issue may occur if you don't have subnet associated with NSG as low severity.
As, Microsoft Defender is part of Azure Security Centre, If you do not assign NSG to a VM, By default all the ports in Azure VM's are opened and exposed, thus it's not a good security practice, when you have private endpoint enabled for a subnet but not an NSG.
To resolve this issue, check the below:
Usually while deploying services, it automatically associates with NSG. If not in your virtual network -> Subnet -> Add NSG like below
It will associate subnet with NSG, if you don't have NSG try to create separate NSG and associate like below:
I agree with Roderick Bant If the security recommendations in Microsoft Defender for Cloud shows a scope which you feel it doesn't belong and if it is inappropriate for a particular subscription then use Exempt.
If you have private endpoint enable for other services than VM you can exempt this policy
If still the issue occurs, make sure your network security group and virtual network security rules are set up correctly for your private endpoint subnet. Also check whether the association between your subnet and network security group is configured correctly.
- WebJob is stopping due to website shutting down
- Is it possible to change the day returned from startofweek() and endofweek()?
- Handling Audio blobs sent through mediarecorder in JS through python server script for azure service
- Export app registrations with expiring secrets and certificates and send alert in teams
- SQL Azure import slow, hangs, but local import takes 3 minutes
- Issue with Group email address domain when create a new Microsoft 365 Group
- What is the URL for New Page in Azure DevOps Wiki? / How to bookmark New Page?
- Is there a dynamic way to get variables from Variable Group? Even secret ones? and insert in Azure Key Vault
- How do I configure my Bicep scripts to allow a container app to pull an image from an ACR using managed identity across subscriptions
- Azure DevOps. Can't trigger a pipeline in Repo A when a commit is done in repo B
- How to change the default Azure AI Search scoring to be increased when the whole search term is found exactly?
- List and download files in a folder in a blob with blob level SAS token
- How to change the Lease state of Azure Blob to Available
- unable to delete or move first step from logic app?
- Azure Terraform - Encrypt VM OS Disk
- How to temporary stop Azure API Management Service
- Unable to retrieve key vault certificates in azure runbook
- C#: 'A change set cannot include changes to more than '1' source resources' when adding a user To Group using Azure Graph API 2.0
- Set size limt to direct upload to azure blob storage via SAS URL
- Using AddAzureKeyVault makes my application 10 seconds slower
- PostGreSQL pg_dump psql and pg_restore errors with Azure Flexible SQL Server
- How to check signature of a token coming from Azure SSO
- How can I get error details from an if condition activity in Azure Data Factory?
- Getting a 404 for GET /robots933456.txt
- Given an Applications Insight Instrumentation key, get the name of the service in Azure
- How to specify rewrite url for query string parameters in Azure API Management
- Can a normal Azure Function and a Durable Azure Function coexist in the same Function App?
- TenantGuidNotFound when trying to send email using Microsfot GraphAPI
- Can't signin into microsoft account
- Azure Function App Kudu Functions API with empty response