The custom policy you provided aims to block inbound traffic on port 22 (SSH) using Azure Policy. However, there are a few issues with the policy definition you provided. Here's the corrected version of the policy:
```json
{
  "properties": {
    "displayName": "Block inbound traffic on port 22",
    "description": "This policy blocks inbound traffic on port 22 (SSH)",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/*/destinationPortRanges",
            "equals": ["22"]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
Changes made:
- In the `if` condition, the property path should be `Microsoft.Network/networkSecurityGroups/securityRules/*/destinationPortRanges` (with an 's' at the end of `destinationPortRanges`) to match the array of port ranges.
- The `"equals"` value for `destinationPortRanges` should be an array of strings, so it should be enclosed in square brackets: `"equals": ["22"]`.
With this updated policy definition, it should correctly block inbound traffic on port 22 for the specified network security groups when assigned to the appropriate Azure resources.
Please note that Azure Policy helps enforce organizational standards and compliance, but it may take some time for the policy to be applied and take effect. Additionally, make sure you assign the policy to the correct scope (e.g., resource group, subscription) and verify that the necessary permissions are in place for policy assignment and enforcement.
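To make the evaluation semantics concrete, here is an added example (not part of the original answer and not Azure's own policy engine): a small Python evaluator for the subset of the policy language used by NSG-rule policies (`allOf`, `anyOf`, `field`/`equals`, the `[*]` array alias and `count`/`where`). The policy rule it embeds targets the `Microsoft.Network/networkSecurityGroups/securityRules` child resource type and its `access`, `direction`, `destinationPortRange` and `destinationPortRanges[*]` aliases, so that only rules that *allow inbound* SSH are denied rather than any NSG that mentions port 22; the sample NSG rules, the alias-to-property mapping and the `effect_for` helper are constructed for this example.

```python
"""Toy evaluator for a subset of the Azure Policy rule language.

Added example: this is a constructed approximation, not Azure's engine.
It implements allOf, anyOf, field/equals, the [*] array alias (assumed
Azure semantics: a bare [*] alias is true only when every element matches)
and count/where with the `greater` comparison.
"""

# Alias root for NSG security-rule child resources.
ALIAS_ROOT = "Microsoft.Network/networkSecurityGroups/securityRules/"

# Deny creation/update of an NSG rule that allows inbound traffic to port 22,
# whether the port is given as a scalar, as '*', or inside a port-range list.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules"},
            {"field": ALIAS_ROOT + "access", "equals": "Allow"},
            {"field": ALIAS_ROOT + "direction", "equals": "Inbound"},
            {"anyOf": [
                {"field": ALIAS_ROOT + "destinationPortRange", "equals": "22"},
                {"field": ALIAS_ROOT + "destinationPortRange", "equals": "*"},
                # count/where is the "any element matches" form; a bare [*]
                # alias with equals would require *every* element to be "22".
                {"count": {
                    "field": ALIAS_ROOT + "destinationPortRanges[*]",
                    "where": {"field": ALIAS_ROOT + "destinationPortRanges[*]", "equals": "22"},
                }, "greater": 0},
            ]},
        ]
    },
    "then": {"effect": "deny"},
}


def resolve(resource, field, current=None):
    """Return the value a policy alias addresses on `resource`.

    `current` is (alias, element) while a count/where iterates: the alias
    being counted resolves to the element under inspection. A trailing [*]
    returns the whole list (or [] when the property is absent).
    """
    if current and field == current[0]:
        return current[1]
    if field == "type":
        return resource.get("type")
    path = field[len(ALIAS_ROOT):]
    props = resource.get("properties", {})
    if path.endswith("[*]"):
        value = props.get(path[:-3])
        return value if isinstance(value, list) else []
    return props.get(path)


def evaluate(cond, resource, current=None):
    """Evaluate one policy condition against a resource document."""
    if "allOf" in cond:
        return all(evaluate(c, resource, current) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, current) for c in cond["anyOf"])
    if "count" in cond:
        spec = cond["count"]
        where = spec.get("where")
        n = sum(1 for el in resolve(resource, spec["field"], current)
                if where is None or evaluate(where, resource, (spec["field"], el)))
        if "greater" in cond:
            return n > cond["greater"]
        raise ValueError("unsupported count comparison")
    if "field" in cond and "equals" in cond:
        value = resolve(resource, cond["field"], current)
        if isinstance(value, list):  # bare [*] alias: all elements must match
            return all(v == cond["equals"] for v in value)
        return value == cond["equals"]
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(resource, policy_rule=POLICY_RULE):
    """Return the effect the rule applies to `resource`: 'deny' or 'none'."""
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], resource) else "none"


def sample_rule(name, access, direction, port_range=None, port_ranges=None):
    """Build a constructed NSG security-rule resource document."""
    props = {"access": access, "direction": direction, "protocol": "Tcp",
             "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"}
    if port_range is not None:
        props["destinationPortRange"] = port_range
    if port_ranges is not None:
        props["destinationPortRanges"] = port_ranges
    return {"type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "name": name, "properties": props}


# Constructed sample rules covering the cases the policy must tell apart.
SAMPLES = {
    "allow-ssh-in": sample_rule("allow-ssh-in", "Allow", "Inbound", port_range="22"),
    "allow-mgmt-in": sample_rule("allow-mgmt-in", "Allow", "Inbound", port_ranges=["22", "3389"]),
    "allow-any-in": sample_rule("allow-any-in", "Allow", "Inbound", port_range="*"),
    "deny-ssh-in": sample_rule("deny-ssh-in", "Deny", "Inbound", port_range="22"),
    "allow-ssh-out": sample_rule("allow-ssh-out", "Allow", "Outbound", port_range="22"),
    "allow-https-in": sample_rule("allow-https-in", "Allow", "Inbound", port_range="443"),
}

if __name__ == "__main__":
    for rule_name, res in SAMPLES.items():
        print(f"{rule_name:16s} -> {effect_for(res)}")
```

Two caveats the evaluator makes visible: `deny` is enforced by Resource Manager at create or update time, so it stops new or modified rules from opening port 22 but does not remove rules that already exist (those surface as non-compliant in the compliance view), and a rule submitted inline in the NSG body rather than as a separate `securityRules` child resource is evaluated against the parent NSG type, so a production definition normally also covers the `Microsoft.Network/networkSecurityGroups/securityRules[*]` aliases on the NSG itself.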