We have implemented CIS policies in our Azure subscriptions. Our installation of CVO is showing a few items we are not compliant with. Trying to get some guidance on what will happen if we do set the settings, so they are compliant.
I found Doc on setting up Customer managed Keys but cant find information on the other settings.
Detailing impacts of two policies with example impacts below:
Ensure that only secure transfer is enabled:
Example impact:
If you have set ONTAP (Azure CVO HA with page blobs for root and data) or any communication from CVO to page blobs ( for tiering /backup ) over HTTP and not HTTPs, and if you set this policy on say Storage Account (Azure resource that connects to Blobs) it fails.
Also if you deploy a new CVO it may fail as it creates Storage Accounts currently without this option enabled and it interferes if this policy is enabled. So CVO deployment may fail or quick manual intervention before retry may be needed.
Ensure Default network access for Storage Accounts is set to Deny:
Blue XP deployed default on Storage Accounts (Data, Boot diagnostics) have access to specific VNET (attached image).
Deny policy may disallow communication. (Denied option in image)
Or event deployment of Storage accounts may fail.
Approved extensions - have not seen many example cases.
It is advisable to test with freemium CVO (CVO Azure HA with page blobs for root and data disks < 9.13.x) - replica of production system in a test subscription with tiering , cloud backup etc and applying the policies above as test and testing access to data and tiering, cloud backup (profiler tests) if needed.
Kindly open a support ticket if assistance needed with new test Azure subscription and policy enforcement.
