Policy to restrict port 22 is not working as expected

Heena Afroz 0 Reputation points
2023-06-21T18:53:32.2866667+00:00

I have written the custom policy below to restrict port 22, but it is not working as expected. I need assistance in creating policies for port, IP and domain restrictions.

{
  "properties": {
    "displayName": "Block inbound traffic on port 22",
    "description": "This policy blocks inbound traffic on port 22 (SSH)",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/*/destinationPortRange",
            "equals": "22"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Azure Policy

2 answers

  1. B santhiswaroop naik 405 Reputation points
    2023-06-21T19:09:02.95+00:00

    The custom policy you provided aims to block inbound traffic on port 22 (SSH) using Azure Policy. However, there are a few issues with the policy definition you provided. Here's the corrected version of the policy:

    {
      "properties": {
        "displayName": "Block inbound traffic on port 22",
        "description": "This policy blocks inbound traffic on port 22 (SSH)",
        "mode": "All",
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Network/networkSecurityGroups"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/*/destinationPortRanges",
                "equals": ["22"]
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }

    Changes made:

    • In the if condition, the property path should be Microsoft.Network/networkSecurityGroups/securityRules/*/destinationPortRanges (with an 's' at the end of destinationPortRanges) to match the array of port ranges.
    • The "equals" value for destinationPortRanges should be an array of strings, so it should be enclosed in square brackets: "equals": ["22"].

    With this updated policy definition, it should correctly block inbound traffic on port 22 for the specified network security groups when assigned to the appropriate Azure resources.

    Please note that Azure Policy helps enforce organizational standards and compliance, but it may take some time for the policy to be applied and take effect. Additionally, make sure you assign the policy to the correct scope (e.g., resource group, subscription) and verify that the necessary permissions are in place for policy assignment and enforcement.


  2. Heena Afroz 0 Reputation points
    2023-06-22T17:09:41.6466667+00:00

    Hi @B santhiswaroop naik ,

    Thank you for pitching in. I had used this code earlier, referring to the Microsoft documents, but it fails with the errors below.

    1. Failed to parse policy rule: 'Error reading string. Unexpected token: StartArray. Path 'equals'.' (which I assume is the array ["22"] throwing the error).
    2. When I remove the array brackets, it gives me another error: "The policy definition '8827b507-5637-4c11-ba50-fc92f56ab3c5' rule is invalid. The resource type 'networkSecurityGroups/securityRules/' referenced by the 'field' property 'Microsoft.Network/networkSecurityGroups/securityRules//destinationPortRanges' of the policy rule doesn't exist under provider 'Microsoft.Network'."
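The two errors quoted in the reply above point at the two defects shared by both policy definitions on this page: `equals` takes a single string, not an array, and `securityRules/*/...` is not an Azure Policy alias, so the definition is rejected before it is ever evaluated. Array properties are addressed with `[*]` aliases, and "any element matches" is expressed with a `count` expression rather than a plain `field` condition (a `field` condition on a `[*]` alias is only true when every element matches). The definition below is an added example written for this thread; it is not code from the original post or from either participant. It denies creation or update of an NSG rule that allows inbound traffic to destination port 22 or to `*`, and it covers both forms in which Azure exposes NSG rules: as their own resource type (`Microsoft.Network/networkSecurityGroups/securityRules`, which is what the portal and most clients create) and as `securityRules[*]` embedded in the NSG resource. Including `*` alongside `22` is my assumption about the intent (a rule that opens all ports also opens 22); drop it from the two `in` lists if only the literal port is wanted.

```json
{
  "properties": {
    "displayName": "Deny NSG rules that allow inbound traffic on port 22",
    "description": "Denies creation or update of a network security group rule that allows inbound traffic to destination port 22 or to any port (*). Covers rules created as their own resource and rules embedded in the NSG.",
    "mode": "All",
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
              {
                "anyOf": [
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "in": [ "22", "*" ] },
                  {
                    "count": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "where": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                        "in": [ "22", "*" ]
                      }
                    },
                    "greater": 0
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
              {
                "count": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                  "where": {
                    "allOf": [
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                      {
                        "anyOf": [
                          { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "in": [ "22", "*" ] },
                          {
                            "count": {
                              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
                              "where": {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
                                "in": [ "22", "*" ]
                              }
                            },
                            "greater": 0
                          }
                        ]
                      }
                    ]
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Three caveats a reviewer would want on the record. `mode` must stay `All`: the `securityRules` child resource carries neither tags nor a location, so under `Indexed` it would never be evaluated and the first branch would be dead. Azure Policy compares port ranges as strings, so a rule with `destinationPortRange` set to a numeric span such as `20-30` still admits port 22 and is not caught by this definition; checking `access` and `direction` at least keeps the policy from denying explicit `Deny` rules or outbound rules that happen to name port 22. Finally, `deny` only blocks new writes; rules that already exist when the assignment is created are reported as non-compliant in the compliance view and must be remediated by hand.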
