Azure Policy for NSG Security Rules

Yasmin, Fitri 266 Reputation points
2021-05-05T18:39:30.363+00:00

I have following policy rules:

"policyRule": {
"if": {
"allOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"greaterOrEquals": 100
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"lessOrEquals": 999
}
]
},
{
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"greaterOrEquals": 3501
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"lessOrEquals": 4096
}
]
}
]
}
]
}
]
},
"then": {
"effect": "deny"
}

The purpose of the policy is to prevent changes to NSGs within a certain priority range. However, I noticed that not only NSGs are being affected by this policy. I saw that Microsoft.Network/networkIntentPolicies and Microsoft.Network/virtualNetwork are also being evaluated. Is there a way to fix this?
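To see which resources the "if" block of this policyRule actually matches, here is an added Python evaluator (not from the question, the answer, or Azure itself) for the allOf / anyOf / field semantics the rule uses, run over constructed sample resources. It assumes a simplified alias model in which an alias maps to the last path segment under "properties", rather than Azure's real alias resolution.

```python
# Added example (not from the question or the answer): a minimal evaluator for
# the allOf / anyOf / field conditions used in the policyRule above. Aliases are
# assumed to map to the last path segment under "properties" (a simplification).
RULE_TYPE = "Microsoft.Network/networkSecurityGroups/securityRules"
PRIORITY = RULE_TYPE + "/priority"

def between(lo, hi):
    """Build the allOf block the policy uses for one inclusive priority range."""
    return {"allOf": [{"field": PRIORITY, "greaterOrEquals": lo},
                      {"field": PRIORITY, "lessOrEquals": hi}]}

# Same structure as the "if" block of the question's policyRule.
POLICY_IF = {"allOf": [
    {"field": "type", "equals": RULE_TYPE},
    {"anyOf": [between(100, 999), between(3501, 4096)]},
]}

def resolve_field(resource, field):
    """Return the value an alias refers to (simplified alias model)."""
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def evaluate(cond, resource):
    """Recursively evaluate a policy condition; True means it matches."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    # A missing property (value None) can never satisfy a numeric comparison.
    if "greaterOrEquals" in cond:
        return value is not None and value >= cond["greaterOrEquals"]
    if "lessOrEquals" in cond:
        return value is not None and value <= cond["lessOrEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def is_denied(resource):
    """The deny effect fires only when the whole 'if' block matches."""
    return evaluate(POLICY_IF, resource)

# Constructed sample resources (not real Azure resources).
SAMPLES = {
    "rule_p500": {"type": RULE_TYPE, "properties": {"priority": 500}},
    "rule_p2000": {"type": RULE_TYPE, "properties": {"priority": 2000}},
    "intent_policy": {"type": "Microsoft.Network/networkIntentPolicies", "properties": {}},
}
```

Running is_denied over SAMPLES shows that only the securityRules resource with priority 500 matches; the rule at 2000 and the networkIntentPolicies resource fall through the type or range checks.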

Azure Policy

Accepted answer
olufemia-MSFT 2,861 Reputation points
2021-05-06T23:55:30.077+00:00

Hello anonymous user, if I understand correctly, your goal is to evaluate NSG resources and not /networkIntentPolicies or /virtualNetwork resources.

If yes, then my first suggestion is to verify the location where your Policy definition file is currently saved. The location determines the scope at which the Policy initiative or rules can be assigned. Resources must be under the Policy definition's resource hierarchy for them to be targeted for assignment.

Are all your resources deployed under the same subscription or management group? If so, then that could be the reason why your deny rule applies to the other resources. To resolve, explore the option to create an exclusion-based assignment scope for the set of resources you wish to exclude from policy evaluation using the array property properties.notScopes. More information here.

Hope this helps, but don't hesitate to ping if you have any follow-up questions.


Cheers.
