
Azure Policy Not Denying Route Creation

I want to make an Azure policy that denies anyone trying to create a route to certain prefixes that don't use the next hop virtual appliance parameter and IP that I specify. I have this working with just a single prefix (0.0.0.0/0 internet route) but as soon as I try to define other routes (10.0.0.0/8) it doesn't work. Here is what I have so far:

{
    "mode": "All",
    "policyRule": {
        "if": {
            "anyOf": [
                {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Network/routeTables"
                        },
                        {
                            "count": {
                                "field": "Microsoft.Network/routeTables/routes[*]",
                                "where": {
                                    "anyOf": [
                                        {
                                            "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
                                            "equals": "0.0.0.0/0"
                                        },
                                        {
                                            "anyOf": [
                                                {
                                                    "field": "Microsoft.Network/routeTables/routes[*].nextHopType",
                                                    "notEquals": "VirtualAppliance"
                                                },
                                                {
                                                    "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
                                                    "notEquals": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
                                                }
                                            ]
                                        },
                                        {
                                            "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
                                            "equals": "10.0.0.0/8"
                                        },
                                        {
                                            "anyOf": [
                                                {
                                                    "field": "Microsoft.Network/routeTables/routes[*].nextHopType",
                                                    "notEquals": "VirtualAppliance"
                                                },
                                                {
                                                    "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
                                                    "notEquals": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
                                                }
                                            ]
                                        }
                                    ]
                                }
                            },
                            "greater": 0
                        }
                    ]
                },
                {
                    "anyOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Network/routeTables/routes"
                        },
                        {
                            "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
                            "equals": "0.0.0.0/0"
                        },
                        {
                            "anyOf": [
                                {
                                    "field": "Microsoft.Network/routeTables/routes/nextHopType",
                                    "notEquals": "VirtualAppliance"
                                },
                                {
                                    "field": "Microsoft.Network/routeTables/routes/nextHopIpAddress",
                                    "notEquals": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
                                }
                            ]
                        },
                        {
                            "field": "type",
                            "equals": "Microsoft.Network/routeTables/routes"
                        },
                        {
                            "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
                            "equals": "10.0.0.0/8"
                        },
                        {
                            "anyOf": [
                                {
                                    "field": "Microsoft.Network/routeTables/routes/nextHopType",
                                    "notEquals": "VirtualAppliance"
                                },
                                {
                                    "field": "Microsoft.Network/routeTables/routes/nextHopIpAddress",
                                    "notEquals": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
                                }
                            ]
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {
        "routeTableSettings": {
            "type": "Object",
            "metadata": {
                "displayName": "Route Table Settings",
                "description": "Location-specific settings for route tables."
            }
        }
    }
}

Parameters

{
    "eastus2": {
        "virtualApplianceIpAddress": "10.1.1.1"
    },
    "disabled": {
        "virtualApplianceIpAddress": ""
    }
}

To achieve the above requirement we need to use the IN clause in our Azure policy to deny/not allow the resource type to be created.

As suggested by @harshavmb in the comment, which is correct. Posting it as an answer to help other community members find a fix for the same issue. The MS DOC has an example of how to use in with a policy rule:

{
    "properties": {
        "displayName": "Allowed locations",
        "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
        "mode": "Indexed",
        "metadata": {
            "version": "1.0.0",
            "category": "Locations"
        },
        "parameters": {
            "allowedLocations": {
                "type": "array",
                "metadata": {
                    "description": "The list of locations that can be specified when deploying resources",
                    "strongType": "location",
                    "displayName": "Allowed locations"
                },
                "defaultValue": [ "westus2" ]
            }
        },
        "policyRule": {
            "if": {
                "not": {
                    "field": "location",
                    "in": "[parameters('allowedLocations')]"
                }
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

Also from Azure portal > Policy > Not allowed resource we can find the JSON with the in clause, as shown below:

[image]

For more information please refer to the below links:

MICROSOFT DOCUMENTATION: Not_allowed_resource_types

BLOG: AZURE POLICY TO DENY CREATION OF ALL RESOURCES
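As an added example (not from the question, the answer, or Microsoft's documentation), here is how the question's policy can be restructured around the in clause the answer points to. The list of prefixes becomes an Array parameter (the name restrictedPrefixes and its default value are my assumptions), the where filter of the count expression uses allOf so that a route is counted only when its prefix is in the list and its next hop is not the expected virtual appliance, and the branch for standalone route resources uses the child-resource aliases Microsoft.Network/routeTables/routes/addressPrefix, nextHopType and nextHopIpAddress rather than the [*] array aliases, which apply to the parent route table. The location-keyed routeTableSettings lookup is kept exactly as written in the question.

```json
{
    "mode": "All",
    "policyRule": {
        "if": {
            "anyOf": [
                {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Network/routeTables"
                        },
                        {
                            "count": {
                                "field": "Microsoft.Network/routeTables/routes[*]",
                                "where": {
                                    "allOf": [
                                        {
                                            "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
                                            "in": "[parameters('restrictedPrefixes')]"
                                        },
                                        {
                                            "anyOf": [
                                                {
                                                    "field": "Microsoft.Network/routeTables/routes[*].nextHopType",
                                                    "notEquals": "VirtualAppliance"
                                                },
                                                {
                                                    "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
                                                    "notEquals": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
                                                }
                                            ]
                                        }
                                    ]
                                }
                            },
                            "greater": 0
                        }
                    ]
                },
                {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Network/routeTables/routes"
                        },
                        {
                            "field": "Microsoft.Network/routeTables/routes/addressPrefix",
                            "in": "[parameters('restrictedPrefixes')]"
                        },
                        {
                            "anyOf": [
                                {
                                    "field": "Microsoft.Network/routeTables/routes/nextHopType",
                                    "notEquals": "VirtualAppliance"
                                },
                                {
                                    "field": "Microsoft.Network/routeTables/routes/nextHopIpAddress",
                                    "notEquals": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
                                }
                            ]
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {
        "restrictedPrefixes": {
            "type": "Array",
            "metadata": {
                "displayName": "Restricted prefixes",
                "description": "Destination prefixes that must be routed through the virtual appliance."
            },
            "defaultValue": [ "0.0.0.0/0", "10.0.0.0/8" ]
        },
        "routeTableSettings": {
            "type": "Object",
            "metadata": {
                "displayName": "Route Table Settings",
                "description": "Location-specific settings for route tables."
            }
        }
    }
}
```

Adding a prefix is then a change to the assignment's restrictedPrefixes value rather than a new copy of the condition block. Before assigning with deny, confirm the aliases resolve in your tenant (for example with az provider show --namespace Microsoft.Network --expand "resourceTypes/aliases") and run the same rule with the audit effect first, so any existing route tables that would be blocked appear as non-compliant instead of failing deployments.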
