[英]Azure Policy - Deny New Network interfaces in vnets that doesn't have an specific tag
I'm having a hard time to create a policy to deny the creation of.network interfaces when the vnic is not connected to specific .net\su.nets (allowed .nets have a specific tag)当 vnic 未连接到特定的 .net\su.nets(允许 .nets 具有特定标记)时,我很难创建一个策略来拒绝创建 .network 接口
It looks like I can restrict the creation based on the.network interface fields.看起来我可以限制基于.network 接口字段的创建。 In this case the only idea that came to my mind was to have a parameter configured with a list of allowed su.net ids, and deny based on this parameters.
在这种情况下,我想到的唯一想法是使用允许的 su.net id 列表配置一个参数,并根据此参数拒绝。 In this case I would need to build a separated mechanism to update this policy definition (Maybe a powershell script).
在这种情况下,我需要构建一个单独的机制来更新此策略定义(可能是一个 powershell 脚本)。
Just would like to ask if this is a good way to get it done and ask for suggestions,只是想问一下这是否是完成它的好方法并寻求建议,
Thanks Rob谢谢罗布
There is workaround ie built-in policy in azure “require an tag on resources” means under selected resource group when you create any resource without having any tag it will failed .有一种解决方法,即 azure 中的内置策略“需要在资源上添加标签”意味着在选定的资源组下,当您创建任何没有任何标签的资源时,它将失败。 Assign this policy in your resource group.
在您的资源组中分配此策略。
I have named tag 'Rahul' without Rahul Tag I won't be able to create any resource under resource group我已将标签命名为“Rahul”而没有 Rahul 标签我将无法在资源组下创建任何资源
Here I repro and found without any specified tag I cannot able create any resources.在这里,我重现并发现没有任何指定的标签我无法创建任何资源。
Was able to get it done using this:能够使用它完成它:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkInterfaces"
},
{
"count": {
"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
"where": {
"value": "[substring(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),0,lastIndexOf(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),'/'))]",
"notIn": "[parameters('subnetId')]"
}
},
"greater": 0
}
]
},
"then": {
"effect": "deny"
}
},
And I'll pupulate the parameter with my vnets using the Set-AzPolicyAssignment to update the parameter.我将使用 Set-AzPolicyAssignment 将参数与我的 vnet 结合起来以更新参数。
I've created a policy with the su.net as a paremeter, and will use Set-AzPolicyAssignment to update the list of allowed su.nets in the policy assignment parameter – TheRob我创建了一个以 su.net 作为参数的策略,并将使用 Set-AzPolicyAssignment 更新策略分配参数中允许的 su.net 列表 – TheRob
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.