Create VM issue with Not allowed resource types - virtualNetwork

Walker Chong 41 Reputation points
2020-12-09T14:25:13.053+00:00

Suppose I apply a new Azure policy to the management group that is associated with the subscription.
The policy is "Not allowed resource types", configured with virtualNetwork.

Could I create a new VM in an existing VNet? We have to associate the newly created VM with either a new VNet or an existing VNet.
I don't know what effect the policy will have on virtual machine creation if we apply it to block virtual networks.

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer

  1. SwathiDhanwada-MSFT 18,556 Reputation points
    2020-12-21T04:45:07.773+00:00

    @Walker Chong Kindly note that "Not allowed resource types" built-in policy enables you to specify the resource types that your organization cannot deploy. When creating or updating a matched resource in a Resource Manager mode, deny prevents the request before being sent to the Resource Provider. The request is returned as a 403 (Forbidden). In the portal, the Forbidden can be viewed as a status on the deployment that was prevented by the policy assignment. For a Resource Provider mode, the resource provider manages the evaluation of the resource.

    During evaluation of existing resources, resources that match a deny policy definition are marked as non-compliant.

    For your requirement, you will be able to create a new virtual machine with an existing virtual network. However, you will be able to create a new virtual network within the scope mentioned in the Azure Policy.
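
The deny behaviour described in the answer, as an added example that is not part of the original thread: a simplified Python model of a "Not allowed resource types" assignment that lists `Microsoft.Network/virtualNetworks`. The resource names, the request shapes, the `201` success code and the rule that one denied resource fails the whole request are assumptions made for illustration.

```python
# Added example: simplified model of a "Not allowed resource types" assignment.
# Resource names and request shapes below are constructed for illustration.

NOT_ALLOWED = ["Microsoft.Network/virtualNetworks"]  # policy parameter value


def is_denied_type(resource_type, not_allowed=NOT_ALLOWED):
    """Types are matched exactly and case-insensitively, so the child type
    Microsoft.Network/virtualNetworks/subnets is a different type."""
    return resource_type.lower() in {t.lower() for t in not_allowed}


def evaluate_request(resources, not_allowed=NOT_ALLOWED):
    """Model a create/update request. Simplification: one denied resource
    fails the whole request with 403 before any resource provider is called."""
    blocked = [r["name"] for r in resources if is_denied_type(r["type"], not_allowed)]
    return {"status": 403 if blocked else 201, "blocked": blocked}


def compliance_scan(existing, not_allowed=NOT_ALLOWED):
    """Existing resources are not removed; matching ones are marked non-compliant."""
    return {r["name"]: "NonCompliant" if is_denied_type(r["type"], not_allowed) else "Compliant"
            for r in existing}


# Placeholder resource ID of a VNet that existed before the assignment.
EXISTING_VNET_ID = ("/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/"
                    "Microsoft.Network/virtualNetworks/vnet-existing")

# VM placed in the existing VNet: the NIC only references the subnet by ID,
# so no resource of type virtualNetworks is created or updated.
vm_existing_vnet = [
    {"type": "Microsoft.Network/networkInterfaces", "name": "vm1-nic",
     "subnet_id": EXISTING_VNET_ID + "/subnets/default"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm1"},
]
# Same VM, but the request also creates a new VNet.
vm_new_vnet = [{"type": "Microsoft.Network/virtualNetworks", "name": "vnet-new"}] + vm_existing_vnet

existing_resources = [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-existing"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm0"},
]

if __name__ == "__main__":
    print(evaluate_request(vm_existing_vnet))   # no denied type in the request
    print(evaluate_request(vm_new_vnet))        # the new VNet is blocked
    print(compliance_scan(existing_resources))  # existing VNet flagged only
```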