ebbf3e1
base workspace subnets
JC-wk Nov 14, 2025
b6026c5
update changelog
JC-wk Nov 14, 2025
7bc9a09
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Nov 21, 2025
068d136
WIP need to check if some should be true/false
JC-wk Nov 21, 2025
4a28106
TODO Check and confirm true/false values
JC-wk Nov 21, 2025
c4b35a1
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Nov 24, 2025
309a8cc
set all default_outbound_access_enabled to false
JC-wk Nov 24, 2025
8403651
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Dec 24, 2025
11106d3
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Jan 9, 2026
a68e84a
bump version
Jan 9, 2026
1ae50ea
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Jan 23, 2026
cf0805b
Merge remote-tracking branch 'upstream/main' into disable-default-out…
Feb 2, 2026
b26822d
azureml default_outbound_access_enabled = false
Feb 2, 2026
103585f
changelog
Feb 2, 2026
4448e3b
ohdsi ver
Feb 2, 2026
328fa16
update ws version
Feb 2, 2026
b61c1a6
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Feb 2, 2026
3361124
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Feb 2, 2026
6dea79c
Fix Lint (add terraform lock file)
Feb 3, 2026
56c229d
remove extra lock file
Feb 3, 2026
1172f9c
Merge branch 'main' into disable-default-outbound-access-on-subnets
JC-wk Feb 3, 2026
0c45735
attempt fix for pipeline error
Feb 3, 2026
4896aa5
update terraform_azurerm_environment_configuration
Feb 3, 2026
7a5a6ed
Merge branch 'main' into disable-default-outbound-access-on-subnets
marrobi Feb 6, 2026
6dfe022
revert accidental change
Feb 6, 2026
fb3fa3f
remove accidental commit
Feb 6, 2026
393e5eb
update changelog
Feb 6, 2026
3307729
core version
Feb 6, 2026
b57cdab
fix lint
Feb 6, 2026
29af035
Merge branch 'main' into disable-default-outbound-access-on-subnets
marrobi Feb 11, 2026
ea12654
revert version change
Feb 11, 2026
2 changes: 2 additions & 0 deletions .github/linters/.tflint_workspaces.hcl
Expand Up @@ -7,6 +7,8 @@ config {

plugin "azurerm" {
enabled = true
version = "0.30.0"
source = "github.com/terraform-linters/tflint-ruleset-azurerm"
}

rule "azurerm_resource_missing_tags" {
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,7 @@
* Sonatype Nexus shared service now requires explicit EULA acceptance (`accept_nexus_eula: true`) when deploying. This ensures compliance with Sonatype Nexus Community Edition licensing. ([#4842](https://github.com/microsoft/AzureTRE/issues/4842))

ENHANCEMENTS:
* Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757))
* Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856))
* Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863))
* Pass OIDC vars directly to the devcontainer ([#4871](https://github.com/microsoft/AzureTRE/issues/4871))
28 changes: 19 additions & 9 deletions core/terraform/network/network.tf
Expand Up @@ -7,15 +7,17 @@ resource "azurerm_virtual_network" "core" {
lifecycle { ignore_changes = [tags] }

subnet {
name = "AzureBastionSubnet"
address_prefixes = [local.bastion_subnet_address_prefix]
security_group = azurerm_network_security_group.bastion.id
name = "AzureBastionSubnet"
address_prefixes = [local.bastion_subnet_address_prefix]
security_group = azurerm_network_security_group.bastion.id
default_outbound_access_enabled = false
}

subnet {
name = "AzureFirewallSubnet"
address_prefixes = [local.firewall_subnet_address_space]
route_table_id = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null
name = "AzureFirewallSubnet"
address_prefixes = [local.firewall_subnet_address_space]
route_table_id = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null
default_outbound_access_enabled = false
}

subnet {
Expand All @@ -24,6 +26,7 @@ resource "azurerm_virtual_network" "core" {
private_endpoint_network_policies = "Disabled"
private_link_service_network_policies_enabled = true
security_group = azurerm_network_security_group.app_gw.id
default_outbound_access_enabled = false
}

subnet {
Expand All @@ -33,6 +36,7 @@ resource "azurerm_virtual_network" "core" {
private_link_service_network_policies_enabled = true
security_group = azurerm_network_security_group.default_rules.id
route_table_id = azurerm_route_table.rt.id
default_outbound_access_enabled = false

delegation {
name = "delegation"
Expand All @@ -50,6 +54,7 @@ resource "azurerm_virtual_network" "core" {
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
route_table_id = azurerm_route_table.rt.id
default_outbound_access_enabled = false
}

subnet {
Expand All @@ -58,6 +63,7 @@ resource "azurerm_virtual_network" "core" {
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
route_table_id = azurerm_route_table.rt.id
default_outbound_access_enabled = false
}

subnet {
Expand All @@ -66,6 +72,7 @@ resource "azurerm_virtual_network" "core" {
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
route_table_id = azurerm_route_table.rt.id
default_outbound_access_enabled = false

delegation {
name = "delegation"
Expand All @@ -84,7 +91,7 @@ resource "azurerm_virtual_network" "core" {
address_prefixes = [local.airlock_notifications_subnet_address_prefix]
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id

default_outbound_access_enabled = false
delegation {
name = "delegation"

Expand All @@ -102,6 +109,7 @@ resource "azurerm_virtual_network" "core" {
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
route_table_id = azurerm_route_table.rt.id
default_outbound_access_enabled = false
}

subnet {
Expand All @@ -110,13 +118,15 @@ resource "azurerm_virtual_network" "core" {
private_endpoint_network_policies = "Disabled"
security_group = azurerm_network_security_group.default_rules.id
route_table_id = azurerm_route_table.rt.id
default_outbound_access_enabled = false

service_endpoints = ["Microsoft.ServiceBus"]
}

subnet {
name = "AzureFirewallManagementSubnet"
address_prefixes = [local.firewall_management_subnet_address_prefix]
name = "AzureFirewallManagementSubnet"
address_prefixes = [local.firewall_management_subnet_address_prefix]
default_outbound_access_enabled = false
}
}

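Review bot: The airlock notifications subnet — the one whose new `default_outbound_access_enabled = false` line sits directly before `delegation {` — is the only delegated subnet in this hunk with no `route_table_id` visible, so once default outbound is removed its workload appears to have no routed egress path at all; confirm that is intended (everything it needs reachable over private endpoints) rather than an accidental reliance on the access this PR switches off. That same new line also replaces the blank line every other subnet keeps before `delegation {`, so restoring the blank keeps the blocks uniform. Because the commit history shows the per-subnet true/false values were an open question before being set uniformly to false, a comment at the top of the resource recording the rationale would help the next maintainer, e.g. `# Default outbound access is disabled on every subnet: workload egress goes through the firewall via the route table; Bastion, Firewall and App Gateway use their own public IPs (adjust if a subnet still depends on default outbound).` Whether Azure applies this property in place on already-deployed subnets or forces recreation is not visible here and is worth checking in a plan against an existing deployment before merging. The `azurerm_virtual_network` resource begins before the first hunk.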
2 changes: 1 addition & 1 deletion templates/shared_services/databricks-auth/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-shared-service-databricks-private-auth
version: 0.1.13
version: 0.1.14
description: "An Azure TRE shared service for Azure Databricks authentication."
registry: azuretre
dockerfile: Dockerfile.tmpl
18 changes: 10 additions & 8 deletions templates/shared_services/databricks-auth/terraform/network.tf
Expand Up @@ -9,10 +9,11 @@ resource "azurerm_virtual_network" "ws" {
}

resource "azurerm_subnet" "host" {
name = local.host_subnet_name
resource_group_name = local.resource_group_name
virtual_network_name = azurerm_virtual_network.ws.name
address_prefixes = [local.host_subnet_address_space]
name = local.host_subnet_name
resource_group_name = local.resource_group_name
virtual_network_name = azurerm_virtual_network.ws.name
address_prefixes = [local.host_subnet_address_space]
default_outbound_access_enabled = false

delegation {
name = "db-host-vnet-integration"
Expand All @@ -29,10 +30,11 @@ resource "azurerm_subnet" "host" {
}

resource "azurerm_subnet" "container" {
name = local.container_subnet_name
resource_group_name = local.resource_group_name
virtual_network_name = azurerm_virtual_network.ws.name
address_prefixes = [local.container_subnet_address_space]
name = local.container_subnet_name
resource_group_name = local.resource_group_name
virtual_network_name = azurerm_virtual_network.ws.name
address_prefixes = [local.container_subnet_address_space]
default_outbound_access_enabled = false

delegation {
name = "db-container-vnet-integration"
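Review bot: Neither the host nor the container subnet shows an explicit egress path in this hunk — no route table or NAT gateway association is visible — yet Databricks clusters in VNet-injected subnets still need outbound connectivity to the Databricks control plane, which they presumably obtained through the default outbound access this change turns off. Confirm that a route table to the firewall (or a NAT gateway) is attached to both subnets elsewhere in this template; otherwise cluster start-up is likely to fail after the upgrade rather than at plan time. Documenting that dependency next to the new attribute would save the next reader the search: `# Default outbound is disabled; egress must be provided explicitly (route table / NAT gateway association).` Both `azurerm_subnet` resources continue past the hunk with their `delegation` blocks.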
2 changes: 1 addition & 1 deletion templates/workspace_services/azureml/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-service-azureml
version: 1.1.2
version: 1.1.3
description: "An Azure TRE service for Azure Machine Learning"
registry: azuretre
dockerfile: Dockerfile.tmpl
9 changes: 5 additions & 4 deletions templates/workspace_services/azureml/terraform/network.tf
Expand Up @@ -61,10 +61,11 @@ resource "azapi_resource" "aml_service_endpoint_policy" {
}

resource "azurerm_subnet" "aml" {
name = "AMLSubnet${local.short_service_id}"
virtual_network_name = data.azurerm_virtual_network.ws.name
resource_group_name = data.azurerm_virtual_network.ws.resource_group_name
address_prefixes = [var.address_space]
name = "AMLSubnet${local.short_service_id}"
virtual_network_name = data.azurerm_virtual_network.ws.name
resource_group_name = data.azurerm_virtual_network.ws.resource_group_name
address_prefixes = [var.address_space]
default_outbound_access_enabled = false

# need to be disabled for AML private compute
private_endpoint_network_policies = "Disabled"
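Review bot: `default_outbound_access_enabled = false` on `azurerm_subnet.aml` is only safe if AML compute in this subnet has another route out — compute created without a public IP has to reach the AML control plane and package sources via the firewall or private endpoints, and whether a route table is associated with this subnet is not visible in the hunk (the resource continues past it). A one-line comment beside the new attribute, in the same spirit as the existing `# need to be disabled for AML private compute`, would make the dependency explicit: `# No default outbound: AML compute egress relies on the workspace route table / private endpoints`. If the association lives in a separate resource, it is worth confirming it is created before any compute target that depends on it.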
2 changes: 1 addition & 1 deletion templates/workspace_services/databricks/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-service-databricks
version: 1.0.14
version: 1.0.15
description: "An Azure TRE service for Azure Databricks."
registry: azuretre
dockerfile: Dockerfile.tmpl
18 changes: 10 additions & 8 deletions templates/workspace_services/databricks/terraform/network.tf
Expand Up @@ -88,10 +88,11 @@ resource "azurerm_network_security_group" "nsg" {
}

resource "azurerm_subnet" "host" {
name = local.host_subnet_name
resource_group_name = data.azurerm_resource_group.ws.name
virtual_network_name = data.azurerm_virtual_network.ws.name
address_prefixes = [local.host_subnet_address_space]
name = local.host_subnet_name
resource_group_name = data.azurerm_resource_group.ws.name
virtual_network_name = data.azurerm_virtual_network.ws.name
address_prefixes = [local.host_subnet_address_space]
default_outbound_access_enabled = false

delegation {
name = "db-host-vnet-integration"
Expand All @@ -108,10 +109,11 @@ resource "azurerm_subnet" "host" {
}

resource "azurerm_subnet" "container" {
name = local.container_subnet_name
resource_group_name = data.azurerm_resource_group.ws.name
virtual_network_name = data.azurerm_virtual_network.ws.name
address_prefixes = [local.container_subnet_address_space]
name = local.container_subnet_name
resource_group_name = data.azurerm_resource_group.ws.name
virtual_network_name = data.azurerm_virtual_network.ws.name
address_prefixes = [local.container_subnet_address_space]
default_outbound_access_enabled = false

delegation {
name = "db-container-vnet-integration"
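Review bot: With default outbound access turned off, the host and container subnets need an explicit egress path (a route table to the firewall or a NAT gateway) for clusters to reach the Databricks control plane, and none is visible in this hunk — the `azurerm_network_security_group.nsg` closing above only filters traffic, it does not route it. Confirm the association exists elsewhere in the template and add a short comment next to the new attribute pointing to it, e.g. `# Default outbound disabled: egress via the route table association below`. These two subnet definitions duplicate the ones in the databricks-auth shared service almost line for line, so a shared module or at least a cross-reference comment would keep them from drifting (one gaining an egress fix and the other not). Both `azurerm_subnet` resources continue past the hunk.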
2 changes: 1 addition & 1 deletion templates/workspace_services/ohdsi/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-workspace-service-ohdsi
version: 0.3.5
version: 0.3.6
description: "An OHDSI workspace service"
registry: azuretre
dockerfile: Dockerfile.tmpl
Expand Up @@ -100,10 +100,11 @@ resource "azurerm_network_security_group" "postgres" {
}

resource "azurerm_subnet" "postgres" {
name = "PostgreSQLSubnet${local.short_service_id}"
virtual_network_name = data.azurerm_virtual_network.ws.name
resource_group_name = data.azurerm_resource_group.ws.name
address_prefixes = [var.address_space]
name = "PostgreSQLSubnet${local.short_service_id}"
virtual_network_name = data.azurerm_virtual_network.ws.name
resource_group_name = data.azurerm_resource_group.ws.name
address_prefixes = [var.address_space]
default_outbound_access_enabled = false

delegation {
name = "psql-delegation"
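Review bot: The `PostgreSQLSubnet` is delegated to a managed service, and it is worth confirming that PostgreSQL Flexible Server accepts a delegated subnet with default outbound access disabled before merging — some delegated PaaS offerings have restrictions on private subnets, and a problem here would surface only at server provisioning time rather than at plan. A comment such as `# Default outbound disabled; verified against Flexible Server delegated-subnet requirements` would record that the check was done. The file header for this section is missing from the page, so the path is inferred from the subnet name and the OHDSI porter bump above; the `azurerm_subnet.postgres` resource continues past the hunk.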
2 changes: 1 addition & 1 deletion templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-workspace-base
version: 2.8.1
version: 2.8.2
description: "A base Azure TRE workspace"
dockerfile: Dockerfile.tmpl
registry: azuretre
2 changes: 2 additions & 0 deletions templates/workspaces/base/terraform/network/network.tf
Expand Up @@ -16,6 +16,7 @@ resource "azurerm_subnet" "services" {
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
private_link_service_network_policies_enabled = true
default_outbound_access_enabled = false
}

resource "azurerm_subnet" "webapps" {
Expand All @@ -26,6 +27,7 @@ resource "azurerm_subnet" "webapps" {
# notice that private endpoints do not adhere to NSG rules
private_endpoint_network_policies = "Disabled"
private_link_service_network_policies_enabled = true
default_outbound_access_enabled = false

delegation {
name = "delegation"
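Review bot: The `webapps` subnet is delegated for App Service VNet integration, and with default outbound access disabled its outbound traffic depends entirely on a route to the firewall; no `route_table_id` appears on either subnet in these hunks, so presumably the association is made in a separate resource — worth confirming it covers both `services` and `webapps`, since a missing association on `webapps` would break every web app's egress after upgrade. The existing comment `# notice that private endpoints do not adhere to NSG rules` sits right above the new line; extending it with `# default outbound access is disabled: all egress must go via the route table or private endpoints` keeps the subnet's networking assumptions in one place. `azurerm_subnet.webapps` continues past the second hunk.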