Hi, we are experimenting with Azure Blueprints and the PCI-DSS standard. We have already got many resources compliant, such as virtual machines, which have the option "Diagnostic settings" in monitoring. However, the resource publicIPAddress does not have "Diagnostic settings". So we cannot get this compliant for the policy "Audit diagnostic setting" at all. Is there no other choice but to create an exemption for this or have we missed something? Best regards Frank Schullerer

<<Converting from comments to answer for broader community usage.>> @Frank Schullerer Post initial analysis of you scenario , diagnostic settings are available for Public IP address resources (see below screenshot for the same) Alternatively, you can also elect not to include this resource type during blueprint assignment time. Please refer to below Hope this information helps, if you have any further queries please feel free to circle back. Thanks

Azure blueprint PCI v3.2.1:2018: A publicIPAddress resource is Non-Compliant for policy "Audit diagnostic setting"

Accepted answer

bharathn-msft 5,086 Reputation points Microsoft Employee

2021-01-29T16:49:50.817+00:00

<<Converting from comments to answer for broader community usage.>>

@Frank Schullerer Post initial analysis of you scenario , diagnostic settings are available for Public IP address resources (see below screenshot for the same)

Alternatively, you can also elect not to include this resource type during blueprint assignment time. Please refer to below

Hope this information helps, if you have any further queries please feel free to circle back. Thanks
Please sign in to rate this answer.
Frank Schullerer 141 Reputation points

2021-01-30T21:26:20.97+00:00

Hi,

thanks for welcoming me and for your answer!

I wonder why my view of the publicIPAddress does not include the Diagnostic Settings (see screenshot) . What could be the reason for this?

Thanks in advance!

bharathn-msft 5,086 Reputation points Microsoft Employee

2021-02-01T00:09:51.46+00:00

@Frank Schullerer - Thank you for circling back on this. The possible reason that you don't see the Diagnostic settings in the UI is because of the "Public IP Address" SKU being Standard.

However, I see the Diagnostic Settings in the UI if the "Public IP Address" SKU is basic.

Hope this information helps. Please let us know if you have any further queries. Thank you.

Frank Schullerer 141 Reputation points

2021-02-01T11:23:36.213+00:00

Thanks for the support!
I haven't quite understood yet: do I have to do a SKU downgrade for the public IP address? I thought standard was higher than basic (SKU)? By the way, I can't see the last screenshots 62264-publicip-standard.png and 62265-publicip-basic.png.
Thanks in advance!

bharathn-msft 5,086 Reputation points Microsoft Employee

2021-02-03T07:15:58.513+00:00

Thank you @Frank Schullerer for your response.

Apologies the screenshots didn't come through in the previous response, I tried to re-add them now. Hopefully you can see it now. Please let me know if you don't see them.

Now that as you call out why the diagnostic setting is enabled for Basic and not standard, that's something interesting which I am also not fully aware and will have to run by our internal teams and understand what was the reasoning behind this and keep you updated as I get more information.

Just sharing this in case you want to go through documentation on Public IP Addresses and SKU's , as additional reference. Thanks

bharathn-msft 5,086 Reputation points Microsoft Employee

2021-02-04T21:53:41.447+00:00

@Frank Schullerer Thanks for being patient on this.

Apologies for the issues you are seeing. Seems that our team is already of this issue and working through to fix this and have an open item to enable diagnostics blade for Standard SKU as well. Unfortunately we don't have an ETA on this, however until then we have below workaround in place.

You can go to the Azure Monitor blade, then the diagnostic settings blade, and enable diagnostic settings for your Standard SKU public IP address from this page.

Hope this information helps, thanks again for reaching out. Looking forward to see you come back to Microsoft Q&A community platform to get your Azure questions answered.

Frank Schullerer 141 Reputation points

2021-02-05T17:00:47.29+00:00

Thanks again for great support!

Now I can setup the needed diagnostic settings.
Please note that this issue also applies to the "networkInterfaces". But maybe your colleagues already know that.

Thanks

Frank Schullerer

bharathn-msft 5,086 Reputation points Microsoft Employee

2021-02-05T18:09:43.923+00:00

@Frank Schullerer Glad to hear that you are able to setup the diagnostic settings now. Thanks for pointing it out about "NetworkInterfaces" as well , I am positive that the team should be considering this as well. However will double check with the team and make sure its covered as well.
Sign in to comment

Share via

Azure blueprint PCI v3.2.1:2018: A publicIPAddress resource is Non-Compliant for policy "Audit diagnostic setting"

0 additional answers