Policy to block the creation of NSGs with rules that allow RDP or SSH access from the Internet

VELASCO Alan M. TENARIS 40 Reputation points
2023-09-22T18:38:38.38+00:00

I have been creating a policy that should allow the creation of private IP Network Security Groups (NSGs) in the following IP range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) with the ports SSH and RDP.

I have a problem and it is that I do not know how to specify in my JSON the IP range in which I can create the NSG.

So far my policy blocks the creation of an NSG with RDP and SSH ports and allows the creation of an NSG from only these 3 private IP addresses which are (10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) with RDP ports and SSH.

My objetive is to allow you to create an NSG of a private IP on ports 22 and 3389 and have the policy block everything else.

My jSON:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
          "equals": "Allow"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
          "equals": "Inbound"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
              "in": [
                "22",
                "3389"
              ]
            }
          ]
        },
        {
          "not": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
            "in": [
              "10.0.0.0/8",
              "172.16.0.0/12",
              "192.168.0.0/16"
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
924 questions
0 comments No comments
{count} votes

Accepted answer
  1. Konstantinos Passadis 19,251 Reputation points MVP
    2023-09-22T23:52:17.8933333+00:00

    Hello @VELASCO Alan M. TENARIS !

    My policy which is Tested does not allow to create an Inbound Rule other than 22, or 3389 to the Destination IPs that are included in the Policy or any other IP

    Remember the Policy has to appear as "Started" to take effect it needs 5-10 minutes

    User's image

    If you try to create an Ibound rule other than 3389 or 22 it wll deny it

    User's image

    Be aware this is the exact defiition ,the code above was the whole policy !

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "not": {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "in": [
                      "22",
                      "3389"
                    ]
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "in": [
                      "10.0.0.0/8",
                      "172.16.0.0/12",
                      "192.168.0.0/16"
                    ]
                  }
                ]
              }
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }
    

    Maybe i dont undertand what you want ...since your policy does block already the Inbound Rules what else do you need ?

    You said : So far my policy blocks the creation of an NSG with RDP and SSH ports and allows the creation of an NSG from only these 3 private IP addresses which are (10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) with RDP ports and SSH.

    So it does it already? saying from you mean source ? And then you add : My objetive is to allow you to create an NSG of a private IP on ports 22 and 3389 and have the policy block everything else.

    Now i have created a new policy and let me remind you the Steps:

    Azure Policy - New Definition to the Subsctption Scope

    Add the Code

    Save , and then Assign the Definition to the Subscription ,

    Wait to become Started !

    Here is a new one that does exaclty that : Allows only Inbound Rules on 22 and 3389 FROM only the IPs shown , (Source IP Control )

    Everything else is denied - Tested and Validated

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "not": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "in": ["22", "3389"]
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "in": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
                  }
                ]
              }
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }
    
    
    

    THis is the definition , follow the steps above to make it Active !

    If this is not what you want lets clear it Out :

    Source IP :................... Please select which sources do you want to control

    Soure Port : ............... Please select if you need specific SOURCE ports

    Destination IPs :..............Please Select Destination IPs to control

    Destination Ports :...........Please select destination ports


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


4 additional answers

Sort by: Most helpful
  1. Ryan Hill 28,716 Reputation points Microsoft Employee
    2023-09-27T16:34:04.63+00:00

    Hey @VELASCO Alan M. TENARIS

    I wanted to chime in. The last policy that @Konstantinos Passadis provided should fit the bill. But I think what you may be looking for is a policy that pattern matches. To create a policy that enforces a rule denying an RFC1918 address access to RDP and SSH, try this.

    {
      "mode": "all",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "in": [
                    "22",
                    "3389"
                  ]
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "in": [
                    "10.?.?.?",
                    "172.16.?.?",
                    "192.168.?.?"
                  ]
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                  "in": [
                    "10.?.?.?",
                    "172.16.?.?",
                    "192.168.?.?"
                  ]
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }
    

    You can probably include the RFC1918 CIDR notations as well.


  2. Godwin Simeon (Tek Experts) 0 Reputation points Microsoft Vendor
    2024-07-01T09:27:25.37+00:00

    the above policies can deny creation of nsg but cannot deny the creation of the nsg when using virtual machines.

    0 comments No comments

  3. Konstantinos Passadis 19,251 Reputation points MVP
    2023-09-22T19:00:01.39+00:00

    Hello @VELASCO Alan M. TENARIS !

    This is what my policy does

    It does not allow anything else except the declared ones ;

    For exampe if i try to allow Port 80 8 it denys

    {
      "properties": {
        "displayName": "Set2",
        "policyType": "Custom",
        "mode": "All",
        "metadata": {
          "createdBy": "9884bbf1-82e3-48ff-a163-bf53c9972b8a",
          "createdOn": "2023-09-22T18:44:50.7166587Z",
          "updatedBy": null,
          "updatedOn": null
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "not": {
                  "anyOf": [
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                      "in": [
                        "22",
                        "3389"
                      ]
                    },
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                      "in": [
                        "10.0.0.0/8",
                        "172.16.0.0/12",
                        "192.168.0.0/16"
                      ]
                    }
                  ]
                }
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      },
      "id": "/subscriptions/xx/providers/Microsoft.Authorization/policyDefinitions/xxx",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "xx",
      "systemData": {
        "createdBy": "xx",
        "createdByType": "User",
        "createdAt": "2023-09-22T18:44:50.6952821Z",
        "lastModifiedBy": "xx",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2023-09-22T18:44:50.6952821Z"
      }
    }
    
    
    

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  4. Konstantinos Passadis 19,251 Reputation points MVP
    2023-09-26T14:58:18.01+00:00

    Hello @VELASCO Alan M. TENARIS !

    Here is the Final and tested Policy you need!

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "notIn": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "notIn": ["22", "3389"]
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {},
      "description": "Restrict NSG Inbound rules to allow traffic only from specific IP ranges and ports 22, 3389."
    }
    
    
    

    I went through some trial and errot but finally this is the one !


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.