Creating VM with out denying public IP policy

Question

Creating VM with out denying public IP policy

Varma 1,495

While running packer build, we are ending up following error ,"policyExemptionIds":[]},"type":"PolicyViolation"}],"code":"RequestDisallowedByPolicy","message":"Resource 'pkrnihhqzm20za7' was disallowed by policy. Reasons: 'this is not a permissions error. you are trying to create a VM with an public IP this is denied by policy, if it is something you need please reach out to techops'. See error details for policy resource 'pkrvmhhqzm20za7' was disallowed by policy. Policy identifiers: but we want to proceed further and make VM to be created even public IP set to none how it is possible?

Accepted answer

1 additional answer

Your answer

Answer 1

Martin Therkelsen 1,410 MVP

Hi Varma, You have two options here. Either you exempt your packer resource group from the deny public IP policy or use an existing vNet and execute the packer build from a VM in this vNet.

If you want to exempt the resource group you can read the post by Emily here: https://www.seb8iaan.com/create-an-exemption-rule-to-exclude-a-resource-from-a-security-recommendation/

The packer JSON can use these lines to use an existing vNet.

	"virtual_network_name": "packerpoc",
	"virtual_network_resource_group_name" : "packerpoc",
	"virtual_network_subnet_name" : "packerpoc",

Varma 1,495 Reputation points

2024-02-10T00:11:20.1366667+00:00

Hi Martin, Thank you follow up question regarding 2nd option: what if existing vnet also has associated rule with deny public ip rule? and are we talking about existing resource group or resource group which is being created in the backend by packer ?
Martin Therkelsen 1,410 Reputation points MVP

2024-02-10T09:33:15.9866667+00:00

The idea behind the vNet is that you no longer get a public IP address. The VM you will be running packer from will be on the same network and using the internal IP instead of a public IP to run the packer provisioners.
Varma 1,495 Reputation points

2024-02-10T10:24:46.27+00:00

testt
Varma 1,495 Reputation points

2024-02-10T10:29:28.2266667+00:00

Hi Martin, 1. So whatever VM creates in the backend during the packer build operation, that VM will get created in the Vnet which we provide in the below proviosners section, am I correct?

2. so just quick question, so I just need to add vnet details in the above provisoner block, am I correct?

Martin Therkelsen 1,410 MVP

Any VM created with the packer code will be created in the vNet you specify.

They are part of the build section, not part of the provisioners.

{
    "builders": [
        {
            "type": "azure-arm",
            "client_id": "",
            "client_secret": "",
            "tenant_id": "",
            "subscription_id": "",
            "shared_image_gallery": {
                "subscription": "",
                "resource_group": "rg-avd-images",
                "gallery_name": "gal_avd",
                "image_name": "avd_w11",
                "image_version": "1.0.0"
            },
            "shared_image_gallery_destination": {
                "subscription": "",
                "resource_group": "rg-avd-images",
                "gallery_name": "gal_avd",
                "image_name": "avd_w11_new",
                "image_version": "1.0.0",
                "replication_regions": ["WestEurope"],
                "storage_account_type": "Standard_LRS"
            },
            "build_resource_group_name": "myPackerGroup",
            "virtual_network_name": "packerpoc",
	        "virtual_network_resource_group_name" : "packerpoc",
	        "virtual_network_subnet_name" : "packerpoc",
            "os_type": "Windows",
            "vm_size": "Standard_D4s_v5",
            "winrm_insecure": true,
            "winrm_timeout": "5m",
            "winrm_use_ssl": true,
            "winrm_username": "packer",
            "communicator": "winrm"
        }
    ]    
}

Answer 2

Sam Cogan 10,812 Microsoft Employee Volunteer Moderator

You need to amend your Packer build scripts to create a VM without a public IP; however, to do this, the machine you are running Packer on will need to be on the same vNet as the VM so that it can talk to it with a private IP. If you just remove the public IP without doing that, packer will fail because it cannot connect to the VM.

Varma 1,495 Reputation points

2024-02-09T09:06:51.5133333+00:00

HI Sam, You mean resource group we use for packer build and image process, whatever vnet resource group is using that vnet has to be on same vnet? so by defining whatever vnet resource group is using same we have to provide it in the packer build configiaiton file?
Varma 1,495 Reputation points

2024-02-09T09:07:00.5633333+00:00

test123
Sam Cogan 10,812 Reputation points Microsoft Employee Volunteer Moderator

2024-02-12T08:44:11.78+00:00

This has nothing to do with resource groups. The machine you are running the packer command on needs to be on the same virtual network as the machine packer is creating so that it can connect to it without a public IP.

Share via

Creating VM with out denying public IP policy

1 additional answer

Your answer