Azure Policy for NSG Security Rules

Yasmin, Fitri 246 Reputation points
2021-05-05T18:39:30.363+00:00

I have following policy rules:

"policyRule": {
"if": {
"allOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"greaterOrEquals": 100
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"lessOrEquals": 999
}
]
},
{
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"greaterOrEquals": 3501
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"lessOrEquals": 4096
}
]
}
]
}
]
}
]
},
"then": {
"effect": "deny"
}

The purpose of the policy is to prevent changes in NSG within certain priority range. However, I noticed that not only NSG are being affected by this policy. I saw that Microsoft.Network/networkIntentPolicies and Microsoft.Netwok/virtualNetwok is also being evaluated. Is there a way to fix this?

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
758 questions
0 comments No comments
{count} votes

Accepted answer
  1. olufemia-MSFT 2,861 Reputation points
    2021-05-06T23:55:30.077+00:00

    Hello anonymous user , If I understand correctly, your goal is to evaluate NSG resources and not /NetworkIntentPolicies or /vitualNetwork resources.

    If yes, then my first suggestion is to verify the location where your Policy definition file is currently saved to.
    The location determines the scope at which the Policy initiative or rules can be assigned.
    Resources must be under the Policy definition's resource hierarchy for them to be targeted for assignment.

    Are all your resources deployed under the same subscription or management group? If so, then that could be the reason why your deny rule applies to the other resources. To resolve, explore the option to create an exclusion-based assignment scope for the set of resources you wish to exclude from policy evaluation using the array property properties.notScopes. More information here.

    Hope this helps but don't hesitate to ping if you have any follow-up questions.

    94559-assignmentscope.png

    Cheers.


0 additional answers

Sort by: Most helpful