

Can you explain the limitations of system-assigned managed identities in terms of firewall configurations?


System-assigned managed identities in Azure have limitations when it comes to firewall configurations, mainly because of how they are created and managed and how they interact with network security settings. The key points to consider are:

1. Lack of direct firewall control: A system-assigned managed identity is created and managed automatically by the Azure resource it belongs to, and it gives you no direct control over firewall configuration. If you need to apply specific firewall rules to a resource, this is harder to do with a system-assigned identity than with a user-assigned one, which can be managed more flexibly.

2. Resource-specific identity: A system-assigned managed identity is tied to the lifecycle of the resource it belongs to. If you need to apply consistent firewall rules across multiple resources, a system-assigned identity is less efficient than a user-assigned identity, which can be shared across resources.

3. Limited flexibility in network configuration: Because a system-assigned identity is managed automatically, it does not offer the same flexibility in configuring network settings, including firewall rules, as a user-assigned identity does. This is a limitation when you need to implement complex network security configurations.

4. Refresh and update limitations: Changes to permissions or group memberships for a managed identity, including a system-assigned one, can take several hours to propagate because access tokens are cached. This delay affects how quickly firewall rule changes take effect when those rules depend on the identity's permissions.
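The propagation delay in point 4 is bounded by the lifetime of the cached token: a token issued before a role or group change keeps its old claims until it expires. The following added example (not code from the page or from Microsoft) inspects a token's `iat` and `exp` claims to tell whether a cached token predates a change and how long until a fresh one is minted; the token is a constructed, unsigned sample with a 24-hour lifetime and placeholder tenant and object ids.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    For inspection only: unverified claims must never drive an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_predates_change(claims: dict, change_epoch: int) -> bool:
    """True when the token was issued before a permission or group change,
    so the claims it carries may be stale."""
    return int(claims["iat"]) < change_epoch


def seconds_until_refresh(claims: dict, now_epoch: int) -> int:
    """Seconds until the cached token expires and a new one (reflecting the
    updated permissions) must be requested from the identity endpoint."""
    return max(0, int(claims["exp"]) - now_epoch)


def make_sample_token(iat: int, exp: int, oid: str) -> str:
    """Build a constructed, unsigned sample token (alg 'none') for demonstration.
    Real managed identity tokens are signed by Entra ID; do not use this shape in production."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iat": iat, "nbf": iat, "exp": exp, "oid": oid,
        "aud": "https://storage.azure.com/",
        "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
    }

    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(payload)}."
```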

Overall, system-assigned managed identities are convenient for simple scenarios and fit the principle of least privilege, but they may not be ideal for complex firewall configurations or for scenarios that require more control over network security settings.
