Hi I am building my azure infrastructure using bicep templates https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/deployment-templates when I run my pipeline in devops I get the following error. What other files should I edit to disable public network access? Resource xxxx was disallowed by policy. Error Type: PolicyViolation, Policy Definition Name : Azure Key Vault should disable public network access, Policy Assignment Name : Deny-Public-Endpoints. but my Keyvault.bicep file specifies publicNetworkAccess: 'Disabled'

@Azure Newbie Thank you for your post! Error Message: Resource xxxx was disallowed by policy. Error Type: PolicyViolation, Policy Definition Name : Azure Key Vault should disable public network access, Policy Assignment Name : Deny-Public-Endpoints. I understand that you're building out your Azure Infrastructure using Bicep templates but you're running into the error above when deploying your Key Vault with publicNetworkAccess: 'Disabled' . To hopefully help resolve your issue or point you in the right direction, in addition to your bicep file specifying publicNetworkAccess: 'Disabled' , you should also ensure that your template has the networkAcls property , and that it's reflecting "Deny" . NetworkRuleSet: "properties": { "sku": { "family": "A", "name": "Standard" }, "tenantId": "tenantID", "networkAcls": { "bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": [] }, "accessPolicies": [ Additional Links: Bicep Resource format VaultProperties I hope this helps! If you have any other questions, please let me know. Thank you for your time and patience throughout this issue. If the information helped address your question, please Accept the answer . This will help us and also improve searchability for others in the community who might be researching similar information.

KeyVault in Azure bicep template

Accepted answer

JamesTran-MSFT 36,366 Reputation points Microsoft Employee

2023-05-25T20:56:39.2033333+00:00
@Azure Newbie

Thank you for your post!

Error Message:

Resource xxxx was disallowed by policy. Error Type: PolicyViolation, Policy Definition Name : Azure Key Vault should disable public network access, Policy Assignment Name : Deny-Public-Endpoints.

I understand that you're building out your Azure Infrastructure using Bicep templates but you're running into the error above when deploying your Key Vault with publicNetworkAccess: 'Disabled'.

To hopefully help resolve your issue or point you in the right direction, in addition to your bicep file specifying publicNetworkAccess: 'Disabled', you should also ensure that your template has the networkAcls property, and that it's reflecting "Deny".

NetworkRuleSet:

"properties": { "sku": { "family": "A", "name": "Standard" }, "tenantId": "tenantID", "networkAcls": { "bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": [] }, "accessPolicies": [

Additional Links:

Bicep Resource format

VaultProperties

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Please sign in to rate this answer.
Azure Newbie 70 Reputation points

2023-05-25T21:49:42.64+00:00

@JamesTran-MSFT hi James my keyvault.bicep file already has this property set to deny. Could you check what else I might be missing?

resource keyVault 'Microsoft.KeyVault/vaults@2021-04-01-preview' = { name: keyvaultName location: location tags: tags properties: { accessPolicies: [] createMode: 'default' enabledForDeployment: false enabledForDiskEncryption: false enabledForTemplateDeployment: false enablePurgeProtection: true enableRbacAuthorization: true enableSoftDelete: true networkAcls: { bypass: 'AzureServices' defaultAction: 'Deny' ipRules: [] virtualNetworkRules: [] } sku: { family: 'A' name: 'standard' } softDeleteRetentionInDays: 7 tenantId: subscription().tenantId publicNetworkAccess: 'Disabled' }

JamesTran-MSFT 36,366 Reputation points Microsoft Employee

2023-05-25T22:25:39.41+00:00

@Azure Newbie

Thank you for following up on this!

I've reached out to our Key Vault team regarding your issue and will update as soon as possible. In the meantime, from what you shared it looks like you should have everything correctly configured. However, since you're still receiving a policy violation error when deploying your Key Vault, can you also make sure that your Azure Policy is correctly configured, scoped, and isn't being overwritten by any other policy or initiative?

Since you're trying to build out your Azure Infrastructure, if you'd like to work closer with our Key Vault team through a one-time free technical support request to get this issue resolved, please let me know and I'd be happy to work with you to enable this.

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

JamesTran-MSFT 36,366 Reputation points Microsoft Employee

2023-05-31T19:09:42.2066667+00:00

@Azure Newbie

Thank you for your time and patience on this issue!

I received a response from our Key Vault team and if your Azure Policy is working as intended, your Bicep file is specifying publicNetworkAccess: 'Disabled', this could be related to where you're placing the publicNetworkAccess property (i.e. in an incorrect location within your template).

In order to properly troubleshoot your Bicep file, it was recommended that our Key Vault support team take a closer look into your issue and environment. Can you please email me with the info below, I'll enable a one-time free technical support request for your subscription so you can work with our engineers to get this issue resolved.

<<Removed Email Instructions>>

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

JamesTran-MSFT 36,366 Reputation points Microsoft Employee

2023-06-01T18:25:02.2266667+00:00

@Azure Newbie

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Vikram Singh 0 Reputation points

2024-01-12T13:59:24.39+00:00

Hello James,
We are also getting the same error when deploying our landing zone.
From the solution above, I did not get where exactly to place publicNetworkAccess: 'Disabled' as it is not an acceptable property value. Also the formatting with extra commas seems different, though the version is exactly what I have. I am also a newbie so this is my first attempt at deploying bicep.

Thanks in advance

Vikram Singh 0 Reputation points

2024-01-15T11:40:34.0466667+00:00

I have found the it only works with the latest version of resource and not what is shown here.
Changed purview account to 2021-12-01 and it worked. Position of the property doesn't matter.
Sign in to comment

KeyVault in Azure bicep template

0 additional answers