How can I limit VNet management to a specific Active Directory group?

0
11
Asked By CloudySky99 On

I'm looking to restrict the creation, deletion, and modification of Virtual Networks (VNets) to a designated Active Directory group that consists of our cloud network engineers. This restriction needs to apply to both our current VNets and any new ones created in the future. What would be the best approach to implement this? It's worth noting that using Deny Assignments with Blueprints isn't a viable option for us as we don't currently use Blueprints for VNet management.

5 Answers

Answered By CloudGuru88 On

If your VNets are within a specific resource group, you can easily apply these settings there. Alternatively, for a broader scope, consider applying them at the subscription or management group level. This will give you flexibility based on your tenant's architecture.

Answered By SkyNetUtils On

Definitely use RBAC to determine who can manage the VNets, and combine it with Azure Policy to ensure they comply with your specified conditions. This setup will give you peace of mind handling the permissions.

Answered By NetworkSavvy23 On

One way to handle this is by adding your AD group as a Network Contributor using the IAM feature. Just keep in mind that this role also gives permissions related to private endpoints, which affects how they connect with VNets, so it's worth considering the implications.

Answered By NetworkNinja42 On

Applying RBAC to control who can create and modify VNets is a solid approach. Additionally, you can leverage Azure Policies to enforce the environment regulations for those who have access.

Answered By TechieTom1 On

You might want to look into using Role-Based Access Control (RBAC) for this. It’s pretty standard in Azure and can really help you manage who can do what with your VNets.

Related Questions

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.