![](/img/trans.png)
[英]Add multiple CIDR to SourceAddressPrefix using powershell to Azure NSG rule
[英]Azure Policy to Audit NSG rule sourceAddressPrefix
在 Azure 我有一個 NSG 規則配置如下:
我正在嘗試編寫 Azure 策略,以審核源 IP 地址/CIDR 范圍是否設置不正確。
該值應始終完全等於:192.168.0.0/24,192.168.1.0/24。
如果不是那個確切的值,它應該審計。
這是我寫的定義:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"field": "name",
"like": "jeffweb2-dr-sm-nsg"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
"equals": "SQL"
},
{
"anyof": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"notEquals": [
"192.168.0.0/24",
"192.168.1.0/24"
]
}
]
}
]
}
},
"greater": 0
}
]
},
"then": {
"effect": "audit"
}
}
但是,當嘗試使用此 json 創建定義時,出現錯誤:
New-AzPolicyDefinition : InvalidPolicyRule : Failed to parse policy rule: 'Error reading string. Unexpected token: StartArray. Path 'notEquals'.'.
問題:如何將多個 CIDR 范圍傳遞給 notEquals,我相信這是我的問題。
您可以使用notIn條件代替notEquals來檢查數組中的值。 notIn可以正常工作,因為它需要一個數組,您可以擺脫上述錯誤。
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"field": "name",
"like": "jeffweb2-dr-sm-nsg"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
"equals": "SQL"
},
{
"anyof": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"notIn": [
"192.168.0.0/24",
"192.168.1.0/24"
]
}
]
}
]
}
},
"greater": 0
}
]
},
"then": {
"effect": "audit"
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.