
How to Restrict Any/Any RDP & SSH access on network security groups using Azure Policy?

I am trying to deny the creation of NSG rules with ports SSH & RDP exposed to any IP address. I would like the rule to be able to exist if source IP addresses are provided for restriction. I have been able to successfully block the opening of ports 22 and 3389 using Azure Policy, but haven't been able to get Azure Policy to decipher whether to allow or Deny depending on if source IPs are listed or not.

Here is the Policy:

{
    "if": {
        "allOf": [
            {
                "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                    "equals": "*"
                }
            },
            {
                "anyOf": [
                    {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                        "equals": "22"
                    },
                    {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                        "equals": "3389"
                    }
                ]
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

When this policy is applied I am still able to create an any/any NSG rule on ports 22 and/or 3389, as if the policy were not in effect. As mentioned before, I did get a policy working that blocked RDP and SSH in any situation.

I pulled the fields in the JSON using the Azure CLI. Here is the list:

Microsoft.Network/networkSecurityGroups/securityRules[*].protocol
Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRange
Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].priority
Microsoft.Network/networkSecurityGroups/securityRules[*].direction
Microsoft.Network/networkSecurityGroups/securityRules[*].access
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].description
Microsoft.Network/networkSecurityGroups/securityRules[*].provisioningState
Microsoft.Network/networkSecurityGroups/securityRules[*].name
Microsoft.Network/networkSecurityGroups/securityRules[*].etag
Microsoft.Network/networkSecurityGroups/securityRules[*]
Microsoft.Network/networkSecurityGroups/securityRules
Microsoft.Network/networkSecurityGroups/securityRules[*].id
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRanges
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].resourceGuid
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].provisioningState
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].id
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].name
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].type
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].location
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].tags
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationApplicationSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules/protocol
Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRange
Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules/destinationApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules/priority
Microsoft.Network/networkSecurityGroups/securityRules/direction
Microsoft.Network/networkSecurityGroups/securityRules/access
Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules/description
Microsoft.Network/networkSecurityGroups/securityRules/provisioningState
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRanges
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].resourceGuid
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].provisioningState
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].id
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].name
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].type
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].location
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].tags
Microsoft.Network/networkSecurityGroups/securityRules/destinationApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules/destinationApplicationSecurityGroups

If I could please receive some assistance on determining what I may have wrong, it would be greatly appreciated.
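For reference, here is an added example policy rule (editor's example, not code from the question or the answer) that addresses the two evaluation-path problems visible in the posted rule. An NSG rule reaches Azure Policy either as a property of the `Microsoft.Network/networkSecurityGroups` resource (fields under `securityRules[*].`) or as a stand-alone `Microsoft.Network/networkSecurityGroups/securityRules` child resource (fields under `securityRules/`); the posted rule mixes one condition of each kind inside a single `allOf`, so at most one of them can ever have a value for a given request. The rule below handles the two paths as separate `anyOf` branches, and on the NSG path uses a `count` expression so that a single offending rule among many is enough to deny. The set of "unrestricted" source spellings (`*`, `Internet`, `0.0.0.0/0`) and the port list are assumptions chosen for the example; adjust them to your environment.

```json
{
    "if": {
        "anyOf": [
            {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
                    },
                    {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                        "equals": "Allow"
                    },
                    {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                        "equals": "Inbound"
                    },
                    {
                        "anyOf": [
                            {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                                "in": [ "*", "Internet", "0.0.0.0/0" ]
                            },
                            {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                                "in": [ "*", "Internet", "0.0.0.0/0" ]
                            }
                        ]
                    },
                    {
                        "anyOf": [
                            {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                                "in": [ "22", "3389", "*" ]
                            },
                            {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                                "in": [ "22", "3389", "*" ]
                            }
                        ]
                    }
                ]
            },
            {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Network/networkSecurityGroups"
                    },
                    {
                        "count": {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                            "where": {
                                "allOf": [
                                    {
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                                        "equals": "Allow"
                                    },
                                    {
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                                        "equals": "Inbound"
                                    },
                                    {
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                                        "in": [ "*", "Internet", "0.0.0.0/0" ]
                                    },
                                    {
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                                        "in": [ "22", "3389", "*" ]
                                    }
                                ]
                            }
                        },
                        "greater": 0
                    }
                ]
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}
```

Three caveats before relying on this. First, the definition must be created with mode `All`: the `securityRules` child resource does not support tags or location, so it is not evaluated under the default `Indexed` mode. Second, a `[*]` condition outside a `count` is evaluated against every element of the array, so on the child-resource branch a rule whose `sourceAddressPrefixes` mixes a real CIDR with `*` is not caught; the NSG branch sidesteps this by checking only the singular `sourceAddressPrefix`, and covering the plural arrays properly needs a nested `count`, which this example leaves out. Third, the port match is exact: a rule for the range `3388-3390` opens RDP without matching `3389`, so a production policy should also reject ranges that contain the port. Test the assignment by attempting to create a rule with source `*` on port 22 and confirm the request is refused, then create the same rule with a specific source CIDR and confirm it succeeds.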

IMHO, this cannot be achieved using Azure Policies (alone). Azure Policies are used to enforce different rules and effects over your resources, rather than on the entities performing them.

Therefore, consider exploring other services like RBAC or Conditional Access, which offer more features and control over aspects like geo-location.

@javierma14 - Do you have the same solution?

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM