
Azure Policy - Deny new network interfaces in VNets that don't have a specific tag

I'm having a hard time creating a policy to deny the creation of network interfaces when the vNIC is not connected to specific vnet\subnets (allowed vnets have a specific tag).

It looks like I can restrict the creation based on the network interface fields. In this case the only idea that came to my mind was to have a parameter configured with a list of allowed subnet ids, and deny based on this parameter. In this case I would need to build a separate mechanism to update this policy definition (maybe a PowerShell script).

Just would like to ask if this is a good way to get it done and ask for suggestions,

Thanks Rob

There is a workaround, i.e. the built-in policy in Azure "Require a tag on resources": under the selected resource group, when you create any resource without that tag, it will fail. Assign this policy to your resource group.


I have named the tag 'Rahul'; without the Rahul tag I won't be able to create any resource under the resource group.


Here I reproduced it and found that without the specified tag I cannot create any resources.


Was able to get it done using this:

```json
{
  "parameters": {
    "subnetId": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed subnet id prefixes",
        "description": "Subnet ids with their last path segment removed; a network interface is denied if any ipconfiguration's subnet falls outside this list."
      }
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkInterfaces"
        },
        {
          "count": {
            "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
            "where": {
              "value": "[substring(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),0,lastIndexOf(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),'/'))]",
              "notIn": "[parameters('subnetId')]"
            }
          },
          "greater": 0
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

And I'll populate the parameter with my vnets using Set-AzPolicyAssignment to update the parameter.

I've created a policy with the subnet as a parameter, and will use Set-AzPolicyAssignment to update the list of allowed subnets in the policy assignment parameter – TheRob
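The update mechanism described in the question and in the answer above, as an added example that is not part of the original post: a PowerShell script that collects every VNet carrying a marker tag, derives the prefixes the policy's substring/lastIndexOf expression produces, and writes them into the assignment's subnetId parameter. The tag name and value, the assignment name and the subscription scope are assumed placeholders.

```powershell
# Added example (not from the original post). Assumed placeholders: the tag
# 'AllowNics=true', the assignment name and the subscription id below.
param(
    [string] $TagName        = 'AllowNics',
    [string] $TagValue       = 'true',
    [string] $AssignmentName = 'deny-nic-outside-tagged-vnets',
    [string] $Scope          = '/subscriptions/00000000-0000-0000-0000-000000000000'
)

# The policy rule compares each ipconfiguration's subnet id with its last segment
# stripped: substring(id, 0, lastIndexOf(id, '/')). For a subnet id of the form
#   .../virtualNetworks/<vnet>/subnets/<subnet>
# that leaves ".../virtualNetworks/<vnet>/subnets", so the allow-list must hold
# exactly that prefix for every VNet whose subnets are permitted.
function Get-AllowedSubnetPrefixes {
    param([string] $Name, [string] $Value)

    Get-AzVirtualNetwork |
        Where-Object { $_.Tag -and $_.Tag[$Name] -eq $Value } |
        ForEach-Object { "$($_.Id)/subnets" }
}

$allowed = @(Get-AllowedSubnetPrefixes -Name $TagName -Value $TagValue)

# Refuse to push an empty list: with notIn against an empty array every new
# NIC would be denied, which is a self-inflicted outage rather than a control.
if ($allowed.Count -eq 0) {
    throw "No virtual networks tagged $TagName=$TagValue found; assignment left unchanged."
}

# Show what will be enforced, then update only the assignment parameter
# (the policy definition itself stays untouched).
$allowed | ForEach-Object { Write-Host "allow: $_" }

Set-AzPolicyAssignment -Name $AssignmentName -Scope $Scope `
    -PolicyParameterObject @{ subnetId = $allowed }
```

The deny effect only blocks new or updated network interfaces; NICs that already sit in untagged VNets are reported as non-compliant rather than removed, so review the compliance view after each run.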
