I'm having a hard time to create a policy to deny the creation of.network interfaces when the vnic is not connected to specific .net\su.nets (allowed .nets have a specific tag)
It looks like I can restrict the creation based on the.network interface fields. In this case the only idea that came to my mind was to have a parameter configured with a list of allowed su.net ids, and deny based on this parameters. In this case I would need to build a separated mechanism to update this policy definition (Maybe a powershell script).
Just would like to ask if this is a good way to get it done and ask for suggestions,
Thanks Rob
There is workaround ie built-in policy in azure “require an tag on resources” means under selected resource group when you create any resource without having any tag it will failed . Assign this policy in your resource group.
I have named tag 'Rahul' without Rahul Tag I won't be able to create any resource under resource group
Here I repro and found without any specified tag I cannot able create any resources.
Was able to get it done using this:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkInterfaces"
},
{
"count": {
"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
"where": {
"value": "[substring(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),0,lastIndexOf(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),'/'))]",
"notIn": "[parameters('subnetId')]"
}
},
"greater": 0
}
]
},
"then": {
"effect": "deny"
}
},
And I'll pupulate the parameter with my vnets using the Set-AzPolicyAssignment to update the parameter.
I've created a policy with the su.net as a paremeter, and will use Set-AzPolicyAssignment to update the list of allowed su.nets in the policy assignment parameter – TheRob
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.