how to deny vnet peering between two management groups?

Question

how to deny vnet peering between two management groups?

sonia sonia 20

Hi all,

We are trying to deny vent peering between two management groups scope but not sure how can we accomplish. Can any one help with this?

Thanks

KapilAnanth-MSFT 49,016 Reputation points Microsoft Employee

2023-02-14T05:30:01.12+00:00

@sonia sonia

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to deny the creation of VNet peering across management groups.

Can you please elaborate more on your requirement.

Are you looking to prevent users from creating a Peering between VNets that are in two different Management groups?

Cheers,

Kapil
sonia sonia 20 Reputation points

2023-02-15T02:53:26.8933333+00:00

Hello Kapil,

Thank you for the reply.

We have two management groups lets say A and B. Looking for a policy or any other workaround to deny the creation of vnet peering between A and B.

Checked in policy but there is a policy in subscription scope but not management scope, I am looking for management level scope to deny vnet peering . For example, if a user created new vnet in A managment group that vnet should not peer with any of the B management group.

Thanks
Fabricio Godoy 2,611 Reputation points

2023-02-15T06:18:38.7833333+00:00
Helo Sonia.

To deny VNet peering between two Azure Management Groups, you can use Azure Policy to create a policy definition that restricts the ability to peer VNets across management groups.

u can use the Azure Policy portal, Azure PowerShell, or Azure CLI to create the policy

ex:

{ "mode": "All", "policyRule": { "if": { "allOf": [ { "field": "Microsoft.Network/virtualNetworkPeerings", "exists": "true" }, { "field": "Microsoft.Network/virtualNetworkPeerings/remoteVirtualNetwork.id", "notLike": "/providers/Microsoft.Management/managementGroups/*" } ] }, "then": { "effect": "deny" } }, "parameters": {} }

Assign the policy to a management group. (you can choose to apply it to all child management groups and subscriptions)

I hope this is help u.

Regards
Fabricio Godoy 2,611 Reputation points

2023-02-17T01:59:00.2566667+00:00

Hello @sonia sonia
any comments ? this is help you?
please, don't forget to upvote if yes

Accepted answer

0 additional answers

Your answer

KapilAnanth-MSFT 49,016 Reputation points Microsoft Employee

2023-02-14T05:30:01.12+00:00

@sonia sonia

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to deny the creation of VNet peering across management groups.

Can you please elaborate more on your requirement.

Are you looking to prevent users from creating a Peering between VNets that are in two different Management groups?

Cheers,

Kapil
sonia sonia 20 Reputation points

2023-02-15T02:53:26.8933333+00:00

Hello Kapil,

Thank you for the reply.

We have two management groups lets say A and B. Looking for a policy or any other workaround to deny the creation of vnet peering between A and B.

Checked in policy but there is a policy in subscription scope but not management scope, I am looking for management level scope to deny vnet peering . For example, if a user created new vnet in A managment group that vnet should not peer with any of the B management group.

Thanks
Fabricio Godoy 2,611 Reputation points

2023-02-15T06:18:38.7833333+00:00

Helo Sonia.

To deny VNet peering between two Azure Management Groups, you can use Azure Policy to create a policy definition that restricts the ability to peer VNets across management groups.

u can use the Azure Policy portal, Azure PowerShell, or Azure CLI to create the policy

ex:

{ "mode": "All", "policyRule": { "if": { "allOf": [ { "field": "Microsoft.Network/virtualNetworkPeerings", "exists": "true" }, { "field": "Microsoft.Network/virtualNetworkPeerings/remoteVirtualNetwork.id", "notLike": "/providers/Microsoft.Management/managementGroups/*" } ] }, "then": { "effect": "deny" } }, "parameters": {} }

Assign the policy to a management group. (you can choose to apply it to all child management groups and subscriptions)

I hope this is help u.

Regards
Fabricio Godoy 2,611 Reputation points

2023-02-17T01:59:00.2566667+00:00

Hello @sonia sonia
any comments ? this is help you?
please, don't forget to upvote if yes

Answer 1

Helo Sonia.

To deny VNet peering between two Azure Management Groups, you can use Azure Policy to create a policy definition that restricts the ability to peer VNets across management groups.

u can use the Azure Policy portal, Azure PowerShell, or Azure CLI to create the policy

ex:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Network/virtualNetworkPeerings",
          "exists": "true"
        },
        {
          "field": "Microsoft.Network/virtualNetworkPeerings/remoteVirtualNetwork.id",
          "notLike": "/providers/Microsoft.Management/managementGroups/*"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Assign the policy to a management group. (you can choose to apply it to all child management groups and subscriptions)

I hope this is help u.

Regards

Share via

how to deny vnet peering between two management groups?

0 additional answers

Your answer