Azure Policy built-in definitions for Azure Virtual Network
This page is an index of Azure Policy built-in policy definitions for Azure Virtual Network. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure Virtual Network
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next-generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next-generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths: https://aka.ms/AA62kb0 | Audit, Disabled | 1.0.0 |
All flow log resources should be in enabled state | Audits flow log resources to verify that flow log status is enabled. Enabling flow logs allows logging of information about IP traffic flows. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Audit flow logs configuration for every virtual network | Audits virtual networks to verify that flow logs are configured. Enabling flow logs allows logging of information about IP traffic flowing through the virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
Azure Application Gateway should be deployed with Azure WAF | Requires Azure Application Gateway resources to be deployed with Azure WAF. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Classic Rules should be migrated to Firewall Policy | Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Policy Analytics should be Enabled | Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance. | Audit, Disabled | 1.0.0 |
Azure Firewall Policy should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Policy should have DNS Proxy Enabled | Enabling DNS Proxy makes the Azure Firewall associated with this policy listen on port 53 and forward DNS requests to the specified DNS server. | Audit, Disabled | 1.0.0 |
Azure Firewall should be deployed to span multiple Availability Zones | For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Standard - Classic Rules should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Standard should be upgraded to Premium for next generation protection | If you are looking for next-generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to the Premium SKU. | Audit, Deny, Disabled | 1.0.0 |
Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use 'basic' SKU. | Audit, Disabled | 1.0.0 |
Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated with Azure Application Gateways have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall on Azure Front Door should have request body inspection enabled | Ensure that Web Application Firewalls associated with Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and local and remote file execution. You can also restrict access to your web applications by countries, IP address ranges, and other HTTP(S) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
Bot Protection should be enabled for Azure Application Gateway WAF | This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies. | Audit, Deny, Disabled | 1.0.0 |
Bot Protection should be enabled for Azure Front Door WAF | This policy ensures that bot protection is enabled in all Azure Front Door Web Application Firewall (WAF) policies. | Audit, Deny, Disabled | 1.0.0 |
Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace | Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for the network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If a network security group already has traffic analytics enabled, the policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
Configure virtual network to enable Flow Log and Traffic Analytics | Traffic analytics and flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite the current settings of virtual networks that already have these features enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.1 |
Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, this policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.2 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group. It allows logging of information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | deployIfNotExists | 1.1.0 |
Deploy a Flow Log resource with target virtual network | Configures a flow log for a specific virtual network. It allows logging of information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | DeployIfNotExists, Disabled | 1.1.1 |
Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure that a resource group named networkWatcherRG exists; it will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 |
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF | The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. | Audit, Deny, Disabled | 1.0.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Flow logs should be configured for every network security group | Audits network security groups to verify that flow logs are configured. Enabling flow logs allows logging of information about IP traffic flowing through the network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.1.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Migrate WAF from WAF Config to WAF Policy on Application Gateway | If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. | Audit, Deny, Disabled | 1.0.0 |
Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. | deny | 1.0.0 |
Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | deny | 1.0.0 |
Network Watcher flow logs should have traffic analytics enabled | Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. | Audit, Disabled | 1.0.1 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end network view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Public IPs and Public IP prefixes should have FirstPartyUsage tag | Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. | Audit, Deny, Disabled | 1.0.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be private | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny, Disabled | 1.0.0 |
Virtual Hubs should be protected with Azure Firewall | Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. | Audit, Deny, Disabled | 1.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
Virtual networks should be protected by Azure DDoS Protection | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify, Audit, Disabled | 1.0.1 |
Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 |
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant | Audit, Deny, Disabled | 1.0.0 |
Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and local and remote file execution. You can also restrict access to your web applications by countries, IP address ranges, and other HTTP(S) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Audit, Deny, Disabled | 1.0.0 |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Audit, Deny, Disabled | 1.0.0 |
Tags
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
Add a tag to resources | Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. | modify | 1.0.0 |
Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | modify | 1.0.0 |
Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | modify | 1.0.0 |
Add or replace a tag on resources | Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. | modify | 1.0.0 |
Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | modify | 1.0.0 |
Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 |
Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 |
Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.1 |
Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 |
Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 |
Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 |
Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | deny | 1.0.1 |
Require a tag on resource groups | Enforces existence of a tag on resource groups. | deny | 1.0.0 |
Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | deny | 1.0.1 |
General
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | deny | 1.0.0 |
Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | deny | 1.0.0 |
Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. | deny | 1.0.0 |
Audit resource location matches resource group location | Audits that the resource location matches its resource group location. | audit | 2.0.0 |
Audit usage of custom RBAC roles | Audits for the use of built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.1 |
Configure subscriptions to set up preview features | This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.1 |
Do not allow deletion of resource types | This policy enables you to specify the resource types that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. | DenyAction, Disabled | 1.0.1 |
Do Not Allow M365 resources | Block creation of M365 resources. | Audit, Deny, Disabled | 1.0.0 |
Do Not Allow MCPP resources | Block creation of MCPP resources. | Audit, Deny, Disabled | 1.0.0 |
Exclude Usage Costs Resources | This policy enables you to exclude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. | Audit, Deny, Disabled | 1.0.0 |
Not allowed resource types | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. | Audit, Deny, Disabled | 2.0.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.