Azure policy to audit publicly accessible web applications within subscription

AzDev 41 Reputation points
2020-12-17T10:06:37.927+00:00

Hi All, I am implementing an Azure policy to audit all publicly accessible web apps within my subscription. I don't think there is any built-in policy for this requirement, so I came up with the policy below to check whether ipSecurityRestrictions exists for web apps, but it doesn't seem to be working correctly. Also, there could be multiple ways to restrict web app access, e.g. using VNet integration, Front Door, private endpoints, etc.

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Web/sites"
                },
                {
                    "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictions",
                    "exists": "false"
                },
                {
                    "field": "kind",
                    "equals": "app"
                }
            ]
        },
        "then": {
            "effect": "audit"
        }
    }
}

Could you please suggest the best approach to implement an Azure policy for this requirement?

Azure Policy

Accepted answer
SwathiDhanwada-MSFT 17,801 Reputation points
2020-12-21T18:47:24.337+00:00

@AzDev Welcome to Microsoft Q & A Community Forum. Here is a sample Azure policy definition which audits App Service ipSecurityRestrictions. Kindly check if it helps you.

{
    "mode": "All",
    "parameters": {
        "effect": {
            "type": "String",
            "metadata": {
                "displayName": "Effect",
                "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
                "AuditIfNotExists",
                "Disabled"
            ],
            "defaultValue": "AuditIfNotExists"
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Web/sites"
                },
                {
                    "field": "kind",
                    "like": "app*"
                }
            ]
        },
        "then": {
            "effect": "[parameters('effect')]",
            "details": {
                "type": "Microsoft.Web/sites/config",
                "name": "web",
                "existenceCondition": {
                    "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].ipAddress",
                    "in": [
                        "0.0.0.0/32",
                        "Any"
                    ]
                }
            }
        }
    }
}

0 additional answers
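As an added offline illustration (not code from the question or the accepted answer above), the Python below evaluates a site config of the shape returned by Microsoft.Web/sites/config/web the way the answer's existenceCondition intends: an Allow rule whose ipAddress is "Any" or a /0 prefix makes the app public, and rule priority and action are honoured so that an office-only allow list with a trailing Deny "Any" rule is not flagged. The sample configs, the default-rule values and the implicit deny-all priority are constructed assumptions; private endpoints and VNet integration are not modelled.

```python
import ipaddress

# Azure reports ipAddress "Any" on the default "Allow all" entry present before any
# custom rule is set; once custom rules exist an implicit deny-all sits at lowest priority.
IMPLICIT_DENY_PRIORITY = 2**31 - 1

def is_catch_all(rule: dict) -> bool:
    """True when an IP rule matches every IPv4 or IPv6 client."""
    addr = rule.get("ipAddress")
    if not isinstance(addr, str):  # subnet rules carry vnetSubnetResourceId instead
        return False
    if addr == "Any":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tags such as "AzureFrontDoor.Backend"

def first_catch_all_action(rules: list) -> str:
    """Action of the highest-priority catch-all rule, 'Deny' if there is none."""
    for rule in sorted(rules, key=lambda r: r.get("priority", IMPLICIT_DENY_PRIORITY)):
        if is_catch_all(rule):
            return rule.get("action", "Allow")
    return "Deny"  # custom rules present but no catch-all: implicit deny-all

def publicly_accessible(site_config: dict, scm: bool = False) -> bool:
    """Is the main (or, with scm=True, the Kudu/SCM) endpoint open to any source?"""
    key = "ipSecurityRestrictions"
    if scm and not site_config.get("scmIpSecurityRestrictionsUseMain"):
        key = "scmIpSecurityRestrictions"
    rules = site_config.get(key) or []
    if not rules:
        return True  # no rules at all behaves like the default "Allow all"
    return first_catch_all_action(rules) == "Allow"

# Constructed sample configs in the shape of Microsoft.Web/sites/config/web.
SAMPLE_SITES = {
    "untouched": {"ipSecurityRestrictions": [
        {"ipAddress": "Any", "action": "Allow", "priority": 2147483647}]},
    "office-only": {"ipSecurityRestrictions": [
        {"ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100},
        {"ipAddress": "Any", "action": "Deny", "priority": 2147483647}]},
    "frontdoor-only": {"ipSecurityRestrictions": [
        {"ipAddress": "AzureFrontDoor.Backend", "tag": "ServiceTag", "action": "Allow", "priority": 100}]},
    "explicit-zero-prefix": {"ipSecurityRestrictions": [
        {"ipAddress": "0.0.0.0/0", "action": "Allow", "priority": 100}]},
}

def audit(sites: dict) -> list:
    """Names of sites whose main endpoint is reachable from any address."""
    return sorted(name for name, cfg in sites.items() if publicly_accessible(cfg))
```

Running `audit(SAMPLE_SITES)` returns the two sites with a catch-all Allow rule; a site whose only rules are a subnet or a service tag is treated as closed because Azure's implicit deny-all applies to unmatched clients.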
