I have a subnet dedicated to private endpoints and I don’t have NSG associated with this subnet.
Microsoft Defender for Cloud shows that
"Subnets should be associated with a network security group" status is Not Applicable
for the above mentioned private endpoints subnet
2
Answers
You can create exemptions for rules on specific resources if there are reasons the rule should not apply to a given resource.
To create an exemtion for a recommendation open it’s details page. Then click exempt on the top toolbar. Select a scope, category and enter a name for the exemption and click create.
See the docs for details.
Microsoft Defender for Cloud is flagging "Subnets should be associated with a network security group status is Not Applicable" this issue may occur if you don’t have subnet associated with NSG as low severity.
As, Microsoft Defender is part of Azure Security Centre, If you do not assign NSG to a VM, By default all the ports in Azure VM’s are opened and exposed, thus it’s not a good security practice, when you have private endpoint enabled for a subnet but not an NSG.
To resolve this issue, check the below:
Usually while deploying services, it automatically associates with NSG. If not in your virtual network -> Subnet -> Add NSG like below
It will associate subnet with NSG, if you don’t have NSG try to create separate NSG and associate like below:
I agree with Roderick Bant If the security recommendations in Microsoft Defender for Cloud shows a scope which you feel it doesn’t belong and if it is inappropriate for a particular subscription then use Exempt.
If you have private endpoint enable for other services than VM you can exempt this policy
If still the issue occurs, make sure your network security group and virtual network security rules are set up correctly for your private endpoint subnet. Also check whether the association between your subnet and network security group is configured correctly.