How to Implement Network Policy to Restrict Network Access to Azure Resources Based on IP Addresses?

Radu Ifrim 20 Reputation points
2024-02-05T13:23:16.5266667+00:00

Hello, I’m looking for guidance on how to automatically restrict network inbound and outbound traffic to all Azure resources. Specifically, I want to ensure that only users with certain IP addresses can access the endpoints. The challenge is that I’m not sure which specific resources will be created, so I need a solution that covers all Azure resources. When a resource is created I know that the user can assign either a public IP or a private IP to their resources. Regardless of whether a resource has a public or private IP, I want to ensure that the endpoint is accessible only to a certain IP addresses.
What I'm looking for is to implement a network policy that act as an additional layer of protection, similar to a service mesh concept. Could you please provide recommendations, guidance or best practices for achieving this? Ideally, I’d like to set up a policy or configuration that applies to any future Azure resources created within our environment. Thank you in advance for your assistance!

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
921 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Sam Cogan 10,752 Reputation points MVP
    2024-02-05T14:37:48.8433333+00:00

    What you are looking for does not exist in Azure. There is no network policy that covers all possible Azure resources. Each resource type has a different way of configuring network restrictions or may not support it all. There are things you could do with Azure policy to restrict resources so that they must have network restrictions enabled and even that they must have specific IPs in the network restrictions, but you would need to create them for each resource type.

    0 comments No comments

  2. David Broggy 5,906 Reputation points MVP
    2024-02-05T14:52:40.6633333+00:00

    If I may suggest, have you looked at Azure Entra SASE?
    The GSA agent has many capabilities on controlling endpoint access by IP and port.
    However it may not have the capability to block by source ip but rather by whatever is supported by Conditional Access in Azure Entra. Reference: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-get-started-with-global-secure-access

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.