Azure policy to audit publicly accessible web applications within subscription

AzDev 41 Reputation points
2020-12-17T10:06:37.927+00:00

Hi All, I am implementing an Azure policy to audit all publicly accessible web apps within my subscription. I don't think there is any built-in policy for this requirement; so I came up with below policy to check if ipSecurityRestrications exists or not for web apps but it doesn't seem working correctly. Also there could be multiple ways to restrict web apps access e.g. using vnet integration, front door, private endpoint etc.

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Web/sites"
                },
                {
                    "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictions",
                    "exists": "false"
                },
                {
                    "field": "kind",
                    "equals": "app"
                }
            ]
        },
        "then": {
            "effect": "audit"
        }
    }
}

Could you please suggest best approach to implement Azure policy for this requirement?

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
817 questions
{count} votes

Accepted answer
  1. SwathiDhanwada-MSFT 18,211 Reputation points
    2020-12-21T18:47:24.337+00:00

    @AzDev Welcome to Microsoft Q & A Community Forum. Here is an sample of Azure policy definition which audits app service ipsecurityRestrictions. Kindly check if it helps you.

    {  
    "mode": "All",  
    "parameters": {  
          "effect": {  
            "type": "String",  
            "metadata": {  
              "displayName": "Effect",  
              "description": "Enable or disable the execution of the policy"  
            },  
            "allowedValues": [  
              "AuditIfNotExists",  
              "Disabled"  
            ],  
            "defaultValue": "AuditIfNotExists"  
          }  
        },  
        "policyRule": {  
          "if": {  
            "allOf": [  
              {  
                "field": "type",  
                "equals": "Microsoft.Web/sites"  
              },  
              {  
                "field": "kind",  
                "like": "app*"  
              }  
            ]  
          },  
          "then": {  
            "effect": "[parameters('effect')]",  
            "details": {  
              "type": "Microsoft.Web/sites/config",  
              "name": "web",  
              "existenceCondition": {  
                "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].ipAddress",  
                "in": [  
                  "0.0.0.0/32",  
                  "Any"  
                ]  
              }  
            }  
          }  
        }  
    	  
    	}  
       
    

0 additional answers

Sort by: Most helpful