Creating a policy for Vnet DNS setting in correct order

Kevin Pirko 0 Reputation points
2023-08-18T17:41:44.15+00:00

I am looking into making a policy that depending on the region it sets the vnet dns setting in a specific order to try the closer ones first. I found the policy in the link but it does not check the order of the server (https://stackoverflow.com/questions/56523274/azure-deployifnotexist-policy-evalutes-but-do-not-deploy-template-show-compliant). I was wondering if I can reference the specific server in the dhcp array like below?

    "field": "Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[1]",
    "value": "1.1.1.1"

2 answers

  1. Pirko, Kevin J 5 Reputation points
    2023-09-07T14:06:53.4333333+00:00

    Got it to work and I am posting for the next person that needs it.

        {
          "properties": {
            "parameters": {
              "listOfWestLocations": {
                "type": "Array",
                "metadata": {
                  "displayName": "listOfWestLocations",
                  "description": "Locations that will have the West DNS settings"
                },
                "defaultValue": [
                  "westus",
                  "westus1",
                  "westus2",
                  "westcentralus"
                ]
              },
              "listOfEastLocations": {
                "type": "Array",
                "metadata": {
                  "displayName": "listOfEastLocations",
                  "description": "Locations that will have the East DNS settings"
                },
                "defaultValue": [
                  "eastus",
                  "eastus1",
                  "eastus3",
                  "centralus",
                  "northcentralus",
                  "southcentralus"
                ]
              }
            },
            "policyRule": {
              "if": {
                "allof": [
                  {
                    "field": "type",
                    "equals": "Microsoft.Network/virtualNetworks"
                  },
                  {
                    "allof": [
                      {
                        "anyOf": [
                          {
                            "value": "8.8.8.8",
                            "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),1)]"
                          },
                          {
                            "value": "8.8.4.4",
                            "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),2)]"
                          },
                          {
                            "value": "76.76.2.0",
                            "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),3)]"
                          },
                          {
                            "field": "location",
                            "notIn": "[parameters('listOfWestLocations')]"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "value": "76.76.2.0",
                            "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),1)]"
                          },
                          {
                            "value": "8.8.4.4",
                            "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),2)]"
                          },
                          {
                            "value": "8.8.8.8",
                            "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),3)]"
                          },
                          {
                            "field": "location",
                            "notIn": "[parameters('listOfEastLocations')]"
                          }
                        ]
                      }
                    ]
                  }
                ]
              },
              "then": {
                "effect": "audit"
              }
            }
          }
        }
    
    1 person found this answer helpful.

  2. AnuragSingh-MSFT 21,361 Reputation points
    2023-08-21T09:34:09.0366667+00:00

    @Kevin Pirko , Thank you for posting this question.

    The Azure policy definition does not support array indexing. If you try to use indexing with Array type parameter/field, the following error is obtained for


    Supported aliases are


    Based on my understanding, you are trying to ensure a particular order of "IP Addresses" specified for custom DNS Servers on a VNET based on its location. This was an interesting scenario.


    I tried it in my test subscription and found that a combination of the field() and take() methods can help you determine the order. take() returns an array with the specified number of elements from the start of the array. Hence, we can use the "notIn" condition of policy evaluation.

    Here is a sample policy which checks if the VNets have IPs in a particular order:

    {
      "properties": {
        "displayName": "Custom - Order of DNS to be fixed",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {},
        "policyRule": {
          "if": {
            "allof": [                 //<-- updated 08/30
              {
                "field": "type",
                "equals": "Microsoft.Network/virtualNetworks"
              },
              {
                "anyOf": [             //<-- anyOf to check if "any of" the conditions is unmet, return true
                  {
                    "value": "8.8.8.8",
                    "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),1)]"
                  },
                  {
                    "value": "8.8.4.4",
                    "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),2)]"
                  },
                  {
                    "value": "76.76.2.0",
                    "notIn": "[take(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'),3)]"
                  }
                ]
              }
            ]
          },
          "then": {
            "effect": "audit"
          }
        }
      }
    }
    

    This policy put all the VNets into a non-compliant state except for the VNet which had the following configuration:


    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
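An added offline model of the take()/notIn ordering check used in both answers above (example code, not from either poster; the region lists and VNet records are constructed sample data standing in for the policy parameters and real resources). It lets you reason about the rule's result on edge cases, such as an empty DNS list, extra trailing servers, or a region in neither list, before the definition is assigned:

```python
from typing import Dict, List

# Expected order per region group (the example values used in the answers).
WEST_ORDER = ["8.8.8.8", "8.8.4.4", "76.76.2.0"]
EAST_ORDER = ["76.76.2.0", "8.8.4.4", "8.8.8.8"]
# Constructed region lists, standing in for listOfWestLocations/listOfEastLocations.
WEST_LOCATIONS = {"westus", "westus2", "westcentralus"}
EAST_LOCATIONS = {"eastus", "eastus2", "centralus"}


def order_violated(dns_servers: List[str], expected: List[str]) -> bool:
    """Mirror one anyOf block: value notIn take(dnsServers[*], n) for each n.

    take(arr, n) yields the first n elements, so "expected[n-1] not in that
    prefix" is true when the server is missing or sits later than position n.
    In this model an empty list (Azure-provided DNS) is therefore a violation
    too, while servers appended after the expected ones are never checked.
    """
    return any(
        server not in dns_servers[:n]
        for n, server in enumerate(expected, start=1)
    )


def evaluate(vnet: Dict) -> str:
    """Apply the region-aware rule from the first answer to one VNet record."""
    loc = vnet["location"]
    dns = vnet.get("dnsServers", [])
    # First anyOf: west order broken OR location not in the west list.
    west_branch = order_violated(dns, WEST_ORDER) or loc not in WEST_LOCATIONS
    # Second anyOf: east order broken OR location not in the east list.
    east_branch = order_violated(dns, EAST_ORDER) or loc not in EAST_LOCATIONS
    # Outer allOf: both branches must hold for the policy to fire.  A location
    # in neither list makes both "not in" terms true, so such VNets are always
    # reported as non-compliant by this rule.
    return "NonCompliant" if (west_branch and east_branch) else "Compliant"


if __name__ == "__main__":
    # Constructed sample VNets covering the ordinary and the edge cases.
    samples = [
        {"name": "west-ok", "location": "westus", "dnsServers": WEST_ORDER},
        {"name": "west-swapped", "location": "westus",
         "dnsServers": ["8.8.8.8", "76.76.2.0", "8.8.4.4"]},
        {"name": "east-no-dns", "location": "eastus", "dnsServers": []},
        {"name": "other-region", "location": "northeurope", "dnsServers": EAST_ORDER},
    ]
    for v in samples:
        print(f"{v['name']:14} {evaluate(v)}")
```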
