Azure Policy Deny Not Working

Dave DeBarr 1 Reputation point
2021-08-25T01:15:52.307+00:00

I created the policy listed below and assigned it to an Azure subscription without exemptions; but when someone tries to create a Virtual Machine (VM) that violates this policy, they are able to do so. It shows the new resource is non-compliant, but I was expecting it to prevent (deny) creation of the non-compliant resource.

What am I doing wrong?

{
  "properties": {
    "displayName": "Deny Open Access",
    "policyType": "Custom",
    "mode": "All",
    "description": "Denies resources where the applicable network security group rules allows inbound access from all Internet sources",
    "metadata": {
      "category": "Custom Security",
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
            "equals": "Allow"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
            "equals": "Inbound"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                "equals": "*"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                "equals": "Internet"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                "equals": "Any"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions",
}
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
806 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. SwathiDhanwada-MSFT 18,031 Reputation points
    2021-08-25T23:32:04.337+00:00

    @Dave DeBarr Welcome to Microsoft Q & A Community Forum. By design, Default security rules are automatically created when you create Network Security Group(NSG) and you cannot remove these default rules or deny creating them, but you can override them by creating rules with higher priorities.

    My suggestion would be to override the existing security rules with higher priorities. Here is an example of azure policy where it sets rule with higher priority.

    {  
      "properties": {  
        "displayName": "nsg-rule-101_1",  
        "policyType": "Custom",  
        "mode": "All",  
        "parameters": {  
          "allowedLocations": {  
            "type": "Array",  
            "metadata": {  
              "displayName": "Allowed locations",  
              "description": "The list of locations that can be specified when deploying resources.",  
              "strongType": "location"  
            }  
          },  
          "ruleNo": {  
            "type": "String",  
            "metadata": {  
              "displayName": "Priority",  
              "description": "The priority slot for the new rule"  
            },  
            "allowedValues": [  
              "100",  
              "101",  
              "102",  
              "103",  
              "104",  
              "105",  
              "106",  
              "107",  
              "108",  
              "109"  
            ]  
          },  
          "info": {  
            "type": "String",  
            "metadata": {  
              "displayName": "Description",  
              "description": "A description"  
            }  
          },  
          "destinationPortRanges": {  
            "type": "Array",  
            "metadata": {  
              "displayName": "Port Number",  
              "description": "Security rule port numbers must match these numbers"  
            }  
          },  
          "subscriptionExclusions": {  
            "type": "Array",  
            "metadata": {  
              "displayName": "Subscriptions Excluded",  
              "description": "Subscriptions excluded from policy due to security exceptions"  
            }  
          },  
          "protocol": {  
            "type": "String",  
            "metadata": {  
              "displayName": "protocol",  
              "description": "Protocol for the rule"  
            },  
            "allowedValues": [  
              "*",  
              "Tcp",  
              "Udp"  
            ]  
          },  
          "sourceType": {  
            "type": "String",  
            "metadata": {  
              "displayName": "sourceType",  
              "description": null  
            },  
            "allowedValues": [  
              "IP Addresses",  
              "Service Tag",  
              "App Security Group"  
            ]  
          },  
          "sourceValue": {  
            "type": "String",  
            "metadata": {  
              "displayName": "sourceValue",  
              "description": null  
            }  
          },  
          "actionValue": {  
            "type": "String",  
            "metadata": {  
              "displayName": "actionValue",  
              "description": null  
            },  
            "allowedValues": [  
              "Allow",  
              "Deny"  
            ]  
          },  
          "direction": {  
            "type": "String",  
            "metadata": {  
              "displayName": "direction",  
              "description": null  
            },  
            "allowedValues": [  
              "Inbound",  
              "Outbound"  
            ]  
          },  
          "tagname": {  
            "type": "String",  
            "metadata": {  
              "displayName": "Tag Name",  
              "description": "Rule is not deployed if this tag exists on the NSG"  
            },  
            "allowedValues": [  
              "NA",  
              "NRMSException",  
              "SkipNRMSCorp",  
              "nrmsskipcorpnetsaw",  
              "SkipNRMSSAW",  
              "SkipNRMSDatabricks",  
              "SkipNRMSRDPSSH",  
              "SkipNRMSMgmt",  
              "SkipNRMSHigh",  
              "SkipNRMSVNet",  
              "SkipNRMSLoadBal",  
              "SkipNRMSDB",  
              "SkipNRMSMedium"  
            ],  
            "defaultValue": "NA"  
          }  
        },  
        "policyRule": {  
          "if": {  
            "allOf": [  
              {  
                "field": "type",  
                "equals": "Microsoft.Network/networkSecurityGroups"  
              },  
              {  
                "field": "location",  
                "in": "[parameters('allowedLocations')]"  
              },  
              {  
                "field": "[concat('tags[', parameters('tagName'), ']')]",  
                "exists": "false"  
              },  
              {  
                "field": "tags['SkipNRMSAll']",  
                "exists": "false"  
              },  
              {  
                "value": "[subscription().subscriptionId]",  
                "notIn": "[parameters('subscriptionExclusions')]"  
              }  
            ]  
          },  
          "then": {  
            "effect": "deployIfNotExists",  
            "details": {  
              "type": "Microsoft.Network/networkSecurityGroups/securityRules",  
              "roleDefinitionIds": [  
                "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"  
              ],  
              "existenceCondition": {  
                "anyOf": [  
                  {  
                    "allOf": [  
                      {  
                        "field": "fullName",  
                        "equals": "[concat(field('name'),'/','NRMS-Rule-', parameters('ruleNo'))]"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",  
                        "equals": "[parameters('ruleno')]"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",  
                        "equals": "[parameters('sourceValue')]"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",  
                        "equals": "[parameters('actionValue')]"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",  
                        "equals": "[parameters('direction')]"  
                      }  
                    ]  
                  },  
                  {  
                    "allOf": [  
                      {  
                        "field": "fullName",  
                        "equals": "Deny-103"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",  
                        "equals": "103"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",  
                        "equals": "Any"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",  
                        "equals": "Deny"  
                      },  
                      {  
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",  
                        "equals": "Inbound"  
                      }  
                    ]  
                  }  
                ]  
              },  
              "deployment": {  
                "properties": {  
                  "mode": "incremental",  
                  "template": {  
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",  
                    "contentVersion": "1.0.0.0",  
                    "parameters": {  
                      "fullName": {  
                        "type": "string"  
                      },  
                      "ruleNo": {  
                        "type": "String"  
                      },  
                      "destinationPortRanges": {  
                        "type": "Array"  
                      },  
                      "protocol": {  
                        "type": "String"  
                      },  
                      "sourceType": {  
                        "type": "String"  
                      },  
                      "sourceValue": {  
                        "type": "String"  
                      },  
                      "actionValue": {  
                        "type": "String"  
                      },  
                      "direction": {  
                        "type": "String"  
                      },  
                      "info": {  
                        "type": "String"  
                      }  
                    },  
                    "variables": {  
                      "SourceArr": "[split(parameters('sourceValue'),',')]",  
                      "appSecGroups": {  
                        "copy": [  
                          {  
                            "name": "values",  
                            "count": "[length(variables('SourceArr'))]",  
                            "input": {  
                              "id": "[if(equals(parameters('sourceType'),'App Security Group'),if(contains(variables('SourceArr')[copyindex('values')],'subscriptions'), variables('SourceArr')[copyindex('values')],resourceId('Microsoft.Network/applicationSecurityGroups', variables('SourceArr')[copyindex('values')])), '')]"  
                            }  
                          }  
                        ]  
                      }  
                    },  
                    "resources": [  
                      {  
                        "type": "Microsoft.Network/networkSecurityGroups/securityRules",  
                        "name": "[concat(parameters('fullName'),'/','NRMS-Rule-', parameters('ruleNo'))]",  
                        "apiVersion": "2017-10-01",  
                        "scale": null,  
                        "properties": {  
                          "protocol": "[parameters('protocol')]",  
                          "description": "[parameters('info')]",  
                          "sourcePortRange": "*",  
                          "sourceAddressPrefix": "[if(equals(parameters('sourceType'),'Service Tag'),parameters('sourceValue'),json('null'))]",  
                          "sourceAddressPrefixes": "[if(equals(parameters('sourceType'),'IP Addresses'),variables('SourceArr'),json('null'))]",  
                          "sourceApplicationSecurityGroups": "[if(equals(parameters('sourceType'),'App Security Group'),variables('appSecGroups').values,json('null'))]",  
                          "destinationPortRanges": "[if (equals(1,length(parameters('destinationPortRanges'))), json('null'), parameters('destinationPortRanges'))]",  
                          "destinationPortRange": "[if (equals(1,length(parameters('destinationPortRanges'))), parameters('destinationPortRanges')[0], json('null'))]",  
                          "destinationAddressPrefix": "*",  
                          "destinationApplicationSecurityGroups": [],  
                          "access": "[parameters('actionValue')]",  
                          "priority": "[parameters('ruleNo')]",  
                          "direction": "[parameters('direction')]"  
                        }  
                      }  
                    ]  
                  },  
                  "parameters": {  
                    "fullName": {  
                      "value": "[field('fullName')]"  
                    },  
                    "ruleNo": {  
                      "value": "[parameters('ruleNo')]"  
                    },  
                    "destinationPortRanges": {  
                      "value": "[parameters('destinationPortRanges')]"  
                    },  
                    "protocol": {  
                      "value": "[parameters('protocol')]"  
                    },  
                    "sourceType": {  
                      "value": "[parameters('sourceType')]"  
                    },  
                    "sourceValue": {  
                      "value": "[parameters('sourceValue')]"  
                    },  
                    "actionValue": {  
                      "value": "[parameters('actionValue')]"  
                    },  
                    "direction": {  
                      "value": "[parameters('direction')]"  
                    },  
                    "info": {  
                      "value": "[parameters('info')]"  
                    }  
                  }  
                }  
              }  
            }  
          }  
        }  
      }  
    }