DEV Community: david The latest articles on DEV Community by david (@dwoitzik). https://dev.to/dwoitzik https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3933869%2F1fb8aa5b-2239-46a7-bf78-b5352809883c.png DEV Community: david https://dev.to/dwoitzik en NIS2 Article 21 in Azure: Implementing Network Security Controls with Terraform david Thu, 21 May 2026 22:00:00 +0000 https://dev.to/dwoitzik/nis2-article-21-in-azure-implementing-network-security-controls-with-terraform-3idl https://dev.to/dwoitzik/nis2-article-21-in-azure-implementing-network-security-controls-with-terraform-3idl <p>NIS2 Article 21 in Azure: Implementing Network Security Controls with Terraform</p> <p>Tags: terraform, azure, security, devops</p> <p>Canonical URL: <a href="https://woitzik.dev/blog/nis2-article-21-azure-terraform" rel="noopener noreferrer">https://woitzik.dev/blog/nis2-article-21-azure-terraform</a></p> <p>Most NIS2 content is written by lawyers for lawyers. This article maps Article 21 network security requirements to concrete Azure resources — with Terraform code, not legal theory.</p> <blockquote> <p><strong>Disclaimer:</strong> This covers technical network infrastructure controls relevant to NIS2 Article 21. Full compliance requires organizational measures beyond infrastructure code. Nothing here constitutes legal advice.</p> </blockquote> <h2> What NIS2 Article 21 Actually Requires (For Engineers) </h2> <p>Four concrete network security areas:</p> <ol> <li> <strong>Network Segmentation</strong> — isolate systems by criticality</li> <li> <strong>Access Control</strong> — Default-Deny at network and identity layer</li> <li> <strong>Minimize Attack Surface</strong> — eliminate unnecessary public endpoints</li> <li> <strong>Auditability</strong> — traceable, version-controlled infrastructure changes</li> </ol> <p>Here's how each maps to Azure Terraform resources.</p> <h2> Control 1: Network Segmentation via Hub &amp; Spoke </h2> <p>Spoke-to-Spoke traffic blocked by default — all cross-workload communication routes through the Hub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_virtual_network_peering"</span> <span class="s2">"hub_to_spoke1"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"peer-hub-to-spoke1"</span> <span class="nx">virtual_network_name</span> <span class="p">=</span> <span class="nx">azurerm_virtual_network</span><span class="p">.</span><span class="nx">hub</span><span class="p">.</span><span class="nx">name</span> <span class="nx">remote_virtual_network_id</span> <span class="p">=</span> <span class="nx">azurerm_virtual_network</span><span class="p">.</span><span class="nx">spoke1</span><span class="p">.</span><span class="nx">id</span> <span class="nx">allow_forwarded_traffic</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>Spokes only peer with the Hub — never with each other. Cross-Spoke traffic must be explicitly routed through the Firewall.</p> <h2> Control 2: Default-Deny NSG Baseline </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">security_rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Allow-VNet-Inbound"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">access</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">source_address_prefix</span> <span class="p">=</span> <span class="s2">"VirtualNetwork"</span> <span class="nx">destination_address_prefix</span> <span class="p">=</span> <span class="s2">"VirtualNetwork"</span> <span class="p">}</span> <span class="nx">security_rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Deny-Internet-Inbound"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">4096</span> <span class="nx">access</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">source_address_prefix</span> <span class="p">=</span> <span class="s2">"Internet"</span> <span class="nx">destination_address_prefix</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> </code></pre> </div> <p>Priority gap (100 → 4096) leaves room for application rules without restructuring the baseline.</p> <h2> Control 3: Egress Control via Forced Tunneling </h2> <p>All outbound Spoke traffic through Azure Firewall — logged, inspectable, FQDN-controlled:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">route</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"route-to-firewall"</span> <span class="nx">address_prefix</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">next_hop_type</span> <span class="p">=</span> <span class="s2">"VirtualAppliance"</span> <span class="nx">next_hop_in_ip_address</span> <span class="p">=</span> <span class="nx">azurerm_firewall</span><span class="p">.</span><span class="nx">fw</span><span class="p">.</span><span class="nx">ip_configuration</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">private_ip_address</span> <span class="p">}</span> <span class="c1"># Critical — without these, Windows VMs lose activation</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bypass-azure-kms"</span> <span class="nx">address_prefix</span> <span class="p">=</span> <span class="s2">"23.102.135.246/32"</span> <span class="nx">next_hop_type</span> <span class="p">=</span> <span class="s2">"Internet"</span> <span class="p">}</span> </code></pre> </div> <p>The Firewall log is your audit trail for NIS2 Article 21(2)(b) — monitoring and incident detection.</p> <h2> Control 4: Zero Public PaaS Endpoints </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_key_vault"</span> <span class="s2">"kv"</span> <span class="p">{</span> <span class="nx">public_network_access_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">network_acls</span> <span class="p">{</span> <span class="nx">default_action</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">bypass</span> <span class="p">=</span> <span class="s2">"AzureServices"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>An external scanner gets no TCP connection — the endpoint doesn't resolve to a public IP. Directly satisfies NIS2 Article 21(2)(h).</p> <h2> Control 5: No Static Credentials </h2> <p>Managed Identity + scoped RBAC — no connection strings, no access keys:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"app_kv_secrets"</span> <span class="p">{</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_key_vault</span><span class="p">.</span><span class="nx">kv</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"Key Vault Secrets User"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">azurerm_linux_function_app</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">principal_id</span> <span class="p">}</span> </code></pre> </div> <p>When the resource is deleted, identity and permissions are automatically destroyed.</p> <h2> Control 6: Auditability via IaC </h2> <p>Every change is a Git commit. <code>terraform plan</code> is an audit artifact. No ClickOps, no undocumented Portal changes.</p> <h2> What This Covers — and What It Doesn't </h2> <p>This addresses technical network controls only. Full NIS2 compliance also requires incident response procedures, supply chain risk management, business continuity measures, and organizational governance.</p> <p>Infrastructure code is the foundation. Compliance is the full building.</p> <p>Full article with complete code for all six controls on my blog.</p> <p>👉 <a href="https://woitzik.dev/blog/nis2-article-21-azure-terraform" rel="noopener noreferrer">Full article on woitzik.dev</a></p> terraform azure security devops Zero-Trust RAG: Defeating the Shared Private Link Deadlock in Azure Terraform david Wed, 20 May 2026 22:00:00 +0000 https://dev.to/dwoitzik/zero-trust-rag-defeating-the-shared-private-link-deadlock-in-azure-terraform-kdb https://dev.to/dwoitzik/zero-trust-rag-defeating-the-shared-private-link-deadlock-in-azure-terraform-kdb <p>Your Terraform pipeline is green. The deployment completes without errors. You grab a coffee.</p> <p>Ten minutes later, you test your new Enterprise RAG application. It throws a <code>403 Forbidden</code>. You open the Azure Portal, check the OpenAI Networking tab, and there it is: your Shared Private Link from AI Search is sitting in <strong>Pending</strong>.</p> <p>Nobody told Terraform to approve it. Nobody told you it even needed approving.</p> <p>This is the CI/CD killer of Azure AI infrastructure.</p> <h2> Why It Happens </h2> <p>AI Search must call OpenAI to vectorize data. The <code>azurerm</code> provider can successfully <em>request</em> this Shared Private Link — but it cannot <em>approve</em> its own request. The target resource (OpenAI) must explicitly accept the inbound connection. The standard provider has no method for this. Pipeline deadlocked. Someone has to click "Approve" in the Portal manually. ClickOps in 2026.</p> <h2> The AzAPI State Machine Fix </h2> <p>We bypass the <code>azurerm</code> provider entirely and talk directly to the Azure Resource Manager REST API using the <code>azapi</code> provider.</p> <p>Because Azure generates a random GUID for the incoming connection, we can't hardcode the ID — we read it at runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"azapi_resource_list"</span> <span class="s2">"pe_connections"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.CognitiveServices/accounts/privateEndpointConnections@2023-05-01"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_cognitive_account</span><span class="p">.</span><span class="nx">openai</span><span class="p">.</span><span class="nx">id</span> <span class="nx">response_export_values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"value"</span><span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">azurerm_search_shared_private_link_service</span><span class="p">.</span><span class="nx">openai_link</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The <code>depends_on</code> is critical — without it, Terraform queries the connection list before the link is even requested, returns empty, and the approval silently fails.</p> <p>Then we filter for the Pending connection and approve it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azapi_update_resource"</span> <span class="s2">"approve_shared_link"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.CognitiveServices/accounts/privateEndpointConnections@2023-05-01"</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">conn</span> <span class="nx">in</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">azapi_resource_list</span><span class="p">.</span><span class="nx">pe_connections</span><span class="p">.</span><span class="nx">output</span><span class="p">).</span><span class="nx">value</span> <span class="err">:</span> <span class="nx">conn</span><span class="p">.</span><span class="nx">id</span> <span class="nx">if</span> <span class="nx">conn</span><span class="p">.</span><span class="nx">properties</span><span class="p">.</span><span class="nx">privateLinkServiceConnectionState</span><span class="p">.</span><span class="nx">status</span> <span class="err">==</span> <span class="s2">"Pending"</span> <span class="p">][</span><span class="mi">0</span><span class="p">],</span> <span class="s2">""</span> <span class="p">)</span> <span class="nx">body</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">privateLinkServiceConnectionState</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Approved"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Approved via Terraform AzAPI Pipeline"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The <code>try()</code> wrapper is not optional. On <code>terraform destroy</code>, the Shared Private Link is deleted before this resource is evaluated. Without <code>try()</code>, indexing <code>[0]</code> on an empty array crashes the destroy run and leaves orphaned resources in Azure.</p> <p>After <code>terraform apply</code>, the link goes from Pending to Approved in under 30 seconds. No Portal access required.</p> <h2> Identity Chaining — Kill the API Keys </h2> <p>Auto-approving the link lets AI Search reach OpenAI. But static API keys will fail your compliance audit. Keys leak. Keys get committed to Git.</p> <p>Disable local auth and use a System Managed Identity instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_search_service"</span> <span class="s2">"search"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">search_service_name</span> <span class="nx">sku</span> <span class="p">=</span> <span class="s2">"standard"</span> <span class="nx">public_network_access_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">local_authentication_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"search_to_openai"</span> <span class="p">{</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_cognitive_account</span><span class="p">.</span><span class="nx">openai</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"Cognitive Services OpenAI User"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">azurerm_search_service</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">principal_id</span> <span class="p">}</span> </code></pre> </div> <p>Zero credential management. When the AI Search instance is deleted, its identity and permissions are destroyed automatically.</p> <h2> Don't Forget Private DNS </h2> <p>If <code>your-instance.openai.azure.com</code> still resolves to a public IP, the Azure Firewall drops the traffic and you get another opaque <code>403</code>. Both services need their DNS zones linked to the VNet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_private_dns_zone"</span> <span class="s2">"openai_dns"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"privatelink.openai.azure.com"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_group_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_private_dns_zone_virtual_network_link"</span> <span class="s2">"openai_vnet_link"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"link-openai-vnet"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_group_name</span> <span class="nx">private_dns_zone_name</span> <span class="p">=</span> <span class="nx">azurerm_private_dns_zone</span><span class="p">.</span><span class="nx">openai_dns</span><span class="p">.</span><span class="nx">name</span> <span class="nx">virtual_network_id</span> <span class="p">=</span> <span class="nx">azurerm_virtual_network</span><span class="p">.</span><span class="nx">vnet</span><span class="p">.</span><span class="nx">id</span> <span class="nx">registration_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p><code>registration_enabled = false</code> — always. Automatic registration conflicts with centralized Hub &amp; Spoke DNS management.</p> <p>The free baseline (AzAPI auto-approval + basic networking) is on GitHub. The full article with complete VNet injection, Private DNS automation, and RBAC Identity Chaining is on my blog.</p> <p>👉 <a href="https://woitzik.dev/blog/azure-rag-shared-private-link-automation" rel="noopener noreferrer">Full article on woitzik.dev</a><br> 👉 <a href="https://github.com/dwoitzik/azure-openai-rag-network" rel="noopener noreferrer">Free GitHub repo</a></p> terraform azure ai devops Surviving Azure Policies: Zero-Trust Hub & Spoke with Terraform david Mon, 18 May 2026 22:00:00 +0000 https://dev.to/dwoitzik/surviving-azure-policies-zero-trust-hub-spoke-with-terraform-2b6l https://dev.to/dwoitzik/surviving-azure-policies-zero-trust-hub-spoke-with-terraform-2b6l <p>Your Terraform pipeline is green. The deployment completes. You grab a coffee.</p> <p>Ten minutes later, Azure Policy has silently rewritten three of your resources. You run <code>terraform plan</code>. It detects drift. It tries to revert. Policy blocks the revert with a cryptic permission error. Your pipeline is now permanently broken — and nobody touched the code.</p> <p>This is Tuesday in an enterprise Azure tenant.</p> <h2> The DINE Death Loop </h2> <p><code>DeployIfNotExists</code> policies run continuously in the background. They inject tags like <code>CreatedByPolicy=True</code> or <code>hidden-title</code> into your resources for compliance tracking.</p> <p>Terraform sees these injected tags as drift. It plans to delete them. Azure Policy blocks the deletion. Your pipeline fails. This repeats on every run. Forever.</p> <p>The fix is surgical — tell Terraform to ignore exactly these tags and nothing else:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_private_dns_zone"</span> <span class="s2">"enterprise_zones"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">private_dns_zones</span><span class="p">)</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">tags</span><span class="p">[</span><span class="s2">"hidden-title"</span><span class="p">],</span> <span class="nx">tags</span><span class="p">[</span><span class="s2">"CreatedByPolicy"</span><span class="p">]</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Terraform now maintains the infrastructure. The compliance scanner gets its metadata. Nobody fights. No pipeline failures.</p> <h2> Zero-Trust NSG Baseline </h2> <p>A default Azure VNet allows unrestricted lateral movement and outbound internet access. For any ISO 27001 or KRITIS audit, this is an immediate finding.</p> <p>The fix: an NSG bound to Spoke subnets at creation — not as a follow-up ticket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_network_security_group"</span> <span class="s2">"zero_trust"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"nsg-zero-trust-${var.environment}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">security_rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Allow-VNet-Inbound"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"Inbound"</span> <span class="nx">access</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">source_address_prefix</span> <span class="p">=</span> <span class="s2">"VirtualNetwork"</span> <span class="nx">destination_address_prefix</span> <span class="p">=</span> <span class="s2">"VirtualNetwork"</span> <span class="nx">source_port_range</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">destination_port_range</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="nx">security_rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Deny-Internet-Inbound"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">4096</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"Inbound"</span> <span class="nx">access</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">source_address_prefix</span> <span class="p">=</span> <span class="s2">"Internet"</span> <span class="nx">destination_address_prefix</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">source_port_range</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">destination_port_range</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Critical: bind it immediately — an unbound NSG enforces nothing</span> <span class="nx">resource</span> <span class="s2">"azurerm_subnet_network_security_group_association"</span> <span class="s2">"spoke1_nsg"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">azurerm_subnet</span><span class="p">.</span><span class="nx">spoke1_default</span><span class="p">.</span><span class="nx">id</span> <span class="nx">network_security_group_id</span> <span class="p">=</span> <span class="nx">azurerm_network_security_group</span><span class="p">.</span><span class="nx">zero_trust</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>The priority gap (100 → 4096) leaves room for hundreds of application-specific rules without renumbering the baseline.</p> <h2> Centralized Private DNS </h2> <p>Deploy DNS zones once in the Hub — Spokes resolve through peering automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"private_dns_zones"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"privatelink.blob.core.windows.net"</span><span class="p">,</span> <span class="s2">"privatelink.database.windows.net"</span><span class="p">,</span> <span class="s2">"privatelink.vaultcore.azure.net"</span><span class="p">,</span> <span class="s2">"privatelink.azurecr.io"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_private_dns_zone"</span> <span class="s2">"enterprise_zones"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">private_dns_zones</span><span class="p">)</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">tags</span><span class="p">[</span><span class="s2">"hidden-title"</span><span class="p">],</span> <span class="nx">tags</span><span class="p">[</span><span class="s2">"CreatedByPolicy"</span><span class="p">]]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Four zones, one block, DINE-proof. No per-Spoke DNS configuration required.</p> <p>The free base topology is on GitHub. The full article with complete DINE bypass logic, NSG associations, and VNet link protection is on my blog.</p> <p>👉 <a href="https://woitzik.dev/blog/azure-terraform-hub-spoke-zero-trust" rel="noopener noreferrer">Full article on woitzik.dev</a><br> 👉 <a href="https://github.com/dwoitzik/azure-network-hub-spoke" rel="noopener noreferrer">Free GitHub repo</a></p> terraform azure devops security Hardening Azure Acmebot for ISO 27001 & NIS2 Compliance with Terraform david Sat, 16 May 2026 22:00:00 +0000 https://dev.to/dwoitzik/hardening-azure-acmebot-for-iso-27001-nis2-compliance-with-terraform-438e https://dev.to/dwoitzik/hardening-azure-acmebot-for-iso-27001-nis2-compliance-with-terraform-438e <p>Automating SSL/TLS certificates with Let's Encrypt and Azure Key Vault is a solved problem. Tools like <a href="https://github.com/shibayan/keyvault-acmebot" rel="noopener noreferrer">Azure Acmebot</a> make deployment incredibly simple.</p> <p>In corporate environments targeting ISO 27001, KRITIS, or NIS2 compliance, "simple" is rarely sufficient. The standard Acmebot deployment relies on public endpoints — and a Storage Account or Key Vault reachable from the public internet will immediately trigger findings during a security audit.</p> <p>Here's how to transition from a standard deployment to a fully network-isolated, Zero-Trust architecture — entirely managed with Terraform.</p> <h2> The Compliance Gap </h2> <p>Three components expose a public attack surface out of the box:</p> <ol> <li> <strong>Storage Account</strong> — accepts traffic from all networks by default</li> <li> <strong>Key Vault</strong> — operates with a public endpoint unless explicitly restricted</li> <li> <strong>Function App</strong> — the Acmebot dashboard is publicly reachable with no network-layer restriction</li> </ol> <p>Target principle: <strong>Default-Deny at the network layer, not just the identity layer.</strong></p> <h2> Step 1: VNet Integration </h2> <p>The Function App needs a dedicated subnet with a delegation to <code>Microsoft.Web/serverFarms</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_subnet"</span> <span class="s2">"acmebot_integration"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"snet-acmebot-integration"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">existing_vnet_rg</span> <span class="nx">virtual_network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">existing_vnet_name</span> <span class="nx">address_prefixes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/27"</span><span class="p">]</span> <span class="nx">delegation</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"delegation-acmebot"</span> <span class="nx">service_delegation</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Microsoft.Web/serverFarms"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"Microsoft.Network/virtualNetworks/subnets/join/action"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Two settings that will cost you hours if you miss them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">site_config</span> <span class="p">{</span> <span class="nx">vnet_route_all_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Forces ALL outbound through VNet</span> <span class="p">}</span> <span class="nx">app_settings</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"WEBSITE_DNS_SERVER"</span> <span class="p">=</span> <span class="s2">"168.63.129.16"</span> <span class="c1"># Azure internal DNS — required</span> <span class="s2">"WEBSITE_CONTENTOVERVNET"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> </code></pre> </div> <p>Without <code>vnet_route_all_enabled = true</code>, the Function still tries to reach Storage over the public internet and fails silently once you lock it down.</p> <h2> Step 2: Private Endpoints &amp; DNS </h2> <p>The Storage Account requires <strong>four</strong> separate Private Endpoints — one each for <code>blob</code>, <code>table</code>, <code>queue</code>, and <code>file</code>. Azure Functions uses all four internally. Skip any one and the Function App deploys successfully but fails at runtime with cryptic storage errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_private_endpoint"</span> <span class="s2">"storage_pe"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span><span class="s2">"blob"</span><span class="p">,</span> <span class="s2">"table"</span><span class="p">,</span> <span class="s2">"queue"</span><span class="p">,</span> <span class="s2">"file"</span><span class="p">])</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"pe-acmebot-st-${each.key}"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">azurerm_subnet</span><span class="p">.</span><span class="nx">acmebot_endpoints</span><span class="p">.</span><span class="nx">id</span> <span class="nx">private_service_connection</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"psc-acmebot-st-${each.key}"</span> <span class="nx">private_connection_resource_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">acmebot_storage</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subresource_names</span> <span class="p">=</span> <span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">]</span> <span class="nx">is_manual_connection</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">private_dns_zone_group</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">private_dns_zone_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">private_dns_zone_ids</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">]]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Default-Deny Firewall Rules </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"acmebot_storage"</span> <span class="p">{</span> <span class="nx">public_network_access_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">allow_nested_items_to_be_public</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">network_rules</span> <span class="p">{</span> <span class="nx">default_action</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">bypass</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AzureServices"</span><span class="p">]</span> <span class="nx">virtual_network_subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">azurerm_subnet</span><span class="p">.</span><span class="nx">acmebot_integration</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>bypass = "AzureServices"</code> is required — it allows Azure's internal control plane operations to continue working. Without it, diagnostic log shipping and other platform features silently break.</p> <p>After applying this configuration, your Acmebot deployment meets the network isolation requirements of ISO 27001 Annex A.8, NIS2 Article 21, and KRITIS baseline controls.</p> <p>The complete tested architecture including Entra ID automation and full Private Link configuration is on my blog and GitHub.</p> <p>👉 <a href="https://woitzik.dev/blog/hardening-azure-acmebot-iso27001" rel="noopener noreferrer">Full article on woitzik.dev</a><br> 👉 <a href="https://github.com/dwoitzik/azure-acme-cert-automation" rel="noopener noreferrer">Free GitHub repo</a></p> terraform azure security devops Breaking the Loop: Solving Circular Dependencies in Azure Firewall Routing with Terraform david Fri, 15 May 2026 20:39:45 +0000 https://dev.to/dwoitzik/breaking-the-loop-solving-circular-dependencies-in-azure-firewall-routing-with-terraform-2dbe https://dev.to/dwoitzik/breaking-the-loop-solving-circular-dependencies-in-azure-firewall-routing-with-terraform-2dbe <p>You add a Route Table to force all internet-bound traffic (<code>0.0.0.0/0</code>) from your Spoke VNets into an Azure Firewall. You run <code>terraform plan</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Cycle: azurerm_subnet_route_table_association.spoke_binding, azurerm_route_table.spoke_udr, azurerm_firewall.fw ... </code></pre> </div> <p>Terraform has deadlocked. And even if you fix the cycle — a plain <code>0.0.0.0/0</code> route will silently break Windows VM activation and Managed Identity authentication three days later.</p> <p>Here's why both happen and how to fix them cleanly.</p> <h2> The Cycle Error </h2> <p>Terraform can't resolve the dependency graph:</p> <ul> <li>The Route Table needs the Firewall's <code>private_ip_address</code> </li> <li>The Firewall needs <code>AzureFirewallSubnet</code> to exist first</li> <li>The Subnet Association tries to bind everything simultaneously</li> </ul> <p><strong>The fix:</strong> directly reference <code>azurerm_firewall.fw.ip_configuration[0].private_ip_address</code> in the Route Table. Terraform can now unambiguously resolve the order:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Firewall → (has IP) → Route Table → Subnet Association </code></pre> </div> <p>No workarounds. Just correct resource ordering.</p> <h2> The PaaS Trap </h2> <p>Once the cycle is fixed, most engineers celebrate and move on. Three days later:</p> <ul> <li> <strong>Windows VMs lose activation</strong> — Azure KMS traffic is trapped by <code>0.0.0.0/0</code> </li> <li> <strong>Managed Identities stop authenticating</strong> — Azure AD traffic hits the unconfigured firewall</li> </ul> <p>The fix is two explicit bypass routes that must exist <em>before</em> the Route Table is attached to any subnet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># KMS Bypass — required for Windows VM activation</span> <span class="c1"># 23.102.135.246/32 is Azure's global KMS endpoint (officially documented)</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bypass-azure-kms"</span> <span class="nx">address_prefix</span> <span class="p">=</span> <span class="s2">"23.102.135.246/32"</span> <span class="nx">next_hop_type</span> <span class="p">=</span> <span class="s2">"Internet"</span> <span class="p">}</span> <span class="c1"># Azure AD Bypass — prevents Managed Identity auth lockouts</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bypass-azure-ad"</span> <span class="nx">address_prefix</span> <span class="p">=</span> <span class="s2">"AzureActiveDirectory"</span> <span class="nx">next_hop_type</span> <span class="p">=</span> <span class="s2">"Internet"</span> <span class="p">}</span> </code></pre> </div> <p>Note: <code>next_hop_type = "Internet"</code> for Azure-owned IP ranges routes traffic over Azure's internal backbone — it never leaves Microsoft's network.</p> <h2> Scaling to Multiple Spokes </h2> <p>Instead of duplicating the association resource for every Spoke, use <code>for_each</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_subnet_route_table_association"</span> <span class="s2">"spoke_routing"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">spoke_subnet_ids</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">azurerm_route_table</span><span class="p">.</span><span class="nx">spoke_udr</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Add a new Spoke to the variable map, run <code>terraform apply</code> — done.</p> <p>The free baseline (cycle fix + route table structure) is on GitHub. The full article with complete code, IP Group scaling, and FQDN baseline policies is on my blog.</p> <p>👉 <a href="https://woitzik.dev/blog/azure-firewall-cycle-error" rel="noopener noreferrer">Full article on woitzik.dev</a><br><br> 👉 <a href="https://github.com/dwoitzik/azure-firewall-forced-tunneling" rel="noopener noreferrer">Free GitHub repo</a></p> terraform azure devops security