Copilot AI commented Feb 4, 2026

Changes networkIsolationPolicy from Permissive to Preferred in the 1ES pipeline template to use a more secure network isolation policy while still allowing access to common public services.

Changes

  • Changed networkIsolationPolicy: Permissive to networkIsolationPolicy: Preferred in eng/pipelines/templates/stages/1es-redirect.yml
  • Retained the associated comment referencing the 1ES network isolation documentation

Impact

Pipelines will now use the Preferred network isolation policy, which provides a balanced approach between security and functionality. This policy allows access to common public services (GitHub, NuGet, Maven Central, etc.) while maintaining better security than the Permissive policy.

The Preferred policy is the recommended setting for common use cases and should not cause breaking changes for typical pipeline jobs that use standard public services.

Original prompt

Create a draft pull request in Azure/azure-sdk-for-java that removes the networkIsolationPolicy: Permissive setting from eng/pipelines/templates/stages/1es-redirect.yml.

Requirements

  • Edit only what is necessary to remove networkIsolationPolicy: Permissive from the YAML.
  • Ensure the YAML remains valid and pipeline behavior is otherwise unchanged.
  • If there are related references or comments explaining the setting, update them accordingly.

Validation

  • Confirm the pipeline template YAML passes basic YAML validation.
  • If the repository has a pipeline/template linting step or validation command documented, run it and include results in the PR description.

Notes

  • Make the PR a draft.
  • Include a clear PR title and description explaining why the permissive network isolation policy is being removed and any potential impact.

This pull request was created from Copilot chat.



Co-authored-by: raych1 <20296335+raych1@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Remove networkIsolationPolicy from YAML pipeline" to "Remove permissive network isolation policy from 1ES pipeline template" Feb 4, 2026
Copilot AI requested a review from raych1 February 4, 2026 20:02
skipBuildTagsForGitHubPullRequests: true
# Set network isolation policy to Preferred to allow access to common public services like GitHub, NuGet, Maven Central, etc.
# https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation#shared-policies-for-common-use-cases
networkIsolationPolicy: Permissive
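
Review bot: the comment two lines above `networkIsolationPolicy` says the policy is set to Preferred, but the value on the last line is still `Permissive`, so the comment and the setting disagree. Change the value to `networkIsolationPolicy: Preferred`, or reword the comment so it describes the policy that is actually applied.
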
Member

@copilot change it to "networkIsolationPolicy: Preferred"

Contributor Author

Changed to networkIsolationPolicy: Preferred in commit 53b492d.

Co-authored-by: raych1 <20296335+raych1@users.noreply.github.com>
Copilot AI changed the title from "Remove permissive network isolation policy from 1ES pipeline template" to "Change network isolation policy from Permissive to Preferred in 1ES pipeline template" Feb 4, 2026
Copilot AI requested a review from raych1 February 4, 2026 20:18