# Phase 2 High-Side Public Network Access Audit

Created: 2026-04-25
Owner: Project maintainers
Updated: 2026-04-25 (network-path review)
Purpose: Document current high-side public network access posture, safe source-driven fixes, and Milestone 2 residual-risk decisions.
## Executive Summary
High-side infrastructure defines public network posture for five services: ACR, Service Bus, Redis, Storage, and Key Vault. A disconnected high-side deployment should be deny-by-default unless an exception is operationally necessary and explicitly approved.
The original P0 remediation denied Redis public access and Key Vault default network access before a private network path had been proven. This review corrects that by adding source-driven private endpoints and private DNS zone groups for Redis and Key Vault, so those deny settings can be retained.
## Current State Inventory

### 1. Azure Container Registry (ACR)
Location: infra/high-side/main.bicep ACR resource
Current setting: publicNetworkAccess: 'Enabled'
Risk level: Medium
M2 decision: Accepted M2 risk. Do not claim closure.
Reason: ACR Private Link/network rules require Premium SKU. The high-side default is currently acrSku: 'Basic', so changing ACR to a private endpoint/public-disabled posture is a cost and capability decision, not a safe surgical patch.
Follow-up: Upgrade high-side ACR to Premium, add an ACR private endpoint with the registry group ID, link privatelink.azurecr.io, disable public network access, and validate VM image pulls over the private endpoint.
### 2. Azure Service Bus (Medium risk)
Location: infra/high-side/main.bicep Service Bus namespace resource
Current setting: publicNetworkAccess: 'Enabled'; disableLocalAuth: false
M2 decision: Accepted M2 risk. Do not claim closure.
Reason: Service Bus private endpoints require Premium tier. Disabling local auth also requires application/runtime readiness for Microsoft Entra ID authentication and RBAC. The current high-side default is serviceBusSku: 'Standard', and there is no source-backed consumer migration in this patch.
Follow-up: Upgrade high-side Service Bus to Premium, add a namespace private endpoint and privatelink.servicebus.windows.net DNS zone group, migrate consumers to managed identity/RBAC, then set disableLocalAuth: true and disable public network access.
### 3. Azure Cache for Redis (High risk — P0 remediated in source)
Location: infra/high-side/main.bicep cache module and Redis private endpoint resources
Current setting: publicNetworkAccess: 'Disabled' with a private endpoint in the private-endpoints subnet and private DNS zone group linked to privatelink.redis.cache.windows.net.
Status: Source-driven network path implemented. Deployment evidence is still required.
### 4. Azure Storage Account (Low risk — subnet ACLs sufficient)

### 5. Azure Key Vault (High risk — P0 remediated in source)
Location: infra/high-side/main.bicep Key Vault module and Key Vault private endpoint resources
Current setting: networkDefaultAction: 'Deny' with a private endpoint in the private-endpoints subnet and private DNS zone group linked to privatelink.vaultcore.azure.net.
Status: Source-driven network path implemented. Deployment evidence is still required.
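The Key Vault pattern described above (default action Deny, private endpoint in the private-endpoints subnet, private DNS zone group on privatelink.vaultcore.azure.net) as an added, self-contained Bicep illustration. This is not the project's infra/high-side/main.bicep; the parameter names, the VNet link name, and the existence of a VNet and private-endpoints subnet passed in by resource ID are assumptions.

```bicep
param location string = resourceGroup().location
param vaultName string
param vnetId string       // assumption: existing high-side VNet resource ID
param peSubnetId string   // assumption: private-endpoints subnet resource ID

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' } // deny-by-default retained
  }
}

// Private DNS zone so privatelink.vaultcore.azure.net resolves to the endpoint NIC
resource kvZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.vaultcore.azure.net'
  location: 'global'
}

// Link the zone to the high-side VNet so VMs in it use the private record
resource kvZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: kvZone
  name: 'high-side-vnet-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}

// Private endpoint in the private-endpoints subnet targeting the 'vault' group ID
resource kvPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${vaultName}-pe'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      {
        name: '${vaultName}-plsc'
        properties: { privateLinkServiceId: kv.id, groupIds: [ 'vault' ] }
      }
    ]
  }
}

// Zone group writes the endpoint's A record into the private zone automatically
resource kvPeDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: kvPe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'vaultcore', properties: { privateDnsZoneId: kvZone.id } } ] }
}
```

After deployment, `nslookup <vaultName>.vault.azure.net` from the high-side VM should return an address inside the private-endpoints subnet; a public IP in the answer means the zone link or zone group is missing.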
## Recommended M2 Posture
| Service | Priority | M2 Target |
|---|---|---|
| Redis | P0 (Critical) | Disabled plus private endpoint/private DNS |
| Key Vault | P0 (Critical) | networkDefaultAction: Deny plus private endpoint/private DNS |
| ACR | P1 (Medium) | Accepted M2 risk; requires Premium private-link design |
| Service Bus | P1 (Medium) | Accepted M2 risk; requires Premium + managed identity/local-auth migration |
| Storage | P2 (Low) | Accept (subnet ACLs sufficient) |
## Validation

- `az bicep build --file infra/high-side/main.bicep` succeeded on 2026-04-25 after adding the Redis and Key Vault private endpoints.
- `az bicep build --file infra/_shared/cache.bicep` succeeded on 2026-04-25 after adding the reusable `cacheId` output.
Post-deployment evidence remains required to prove DNS resolution and runtime access from the high-side VM over the private endpoints.