![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 78%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
836 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Dave DeBarr Welcome to Microsoft Q & A Community Forum. By design, Default security rules are automatically created when you create Network Security Group(NSG) and you cannot remove these default rules or deny creating them, but you can override them by creating rules with higher priorities.
My suggestion would be to override the existing security rules with higher priorities. Here is an example of azure policy where it sets rule with higher priority.
{
"properties": {
"displayName": "nsg-rule-101_1",
"policyType": "Custom",
"mode": "All",
"parameters": {
"allowedLocations": {
"type": "Array",
"metadata": {
"displayName": "Allowed locations",
"description": "The list of locations that can be specified when deploying resources.",
"strongType": "location"
}
},
"ruleNo": {
"type": "String",
"metadata": {
"displayName": "Priority",
"description": "The priority slot for the new rule"
},
"allowedValues": [
"100",
"101",
"102",
"103",
"104",
"105",
"106",
"107",
"108",
"109"
]
},
"info": {
"type": "String",
"metadata": {
"displayName": "Description",
"description": "A description"
}
},
"destinationPortRanges": {
"type": "Array",
"metadata": {
"displayName": "Port Number",
"description": "Security rule port numbers must match these numbers"
}
},
"subscriptionExclusions": {
"type": "Array",
"metadata": {
"displayName": "Subscriptions Excluded",
"description": "Subscriptions excluded from policy due to security exceptions"
}
},
"protocol": {
"type": "String",
"metadata": {
"displayName": "protocol",
"description": "Protocol for the rule"
},
"allowedValues": [
"*",
"Tcp",
"Udp"
]
},
"sourceType": {
"type": "String",
"metadata": {
"displayName": "sourceType",
"description": null
},
"allowedValues": [
"IP Addresses",
"Service Tag",
"App Security Group"
]
},
"sourceValue": {
"type": "String",
"metadata": {
"displayName": "sourceValue",
"description": null
}
},
"actionValue": {
"type": "String",
"metadata": {
"displayName": "actionValue",
"description": null
},
"allowedValues": [
"Allow",
"Deny"
]
},
"direction": {
"type": "String",
"metadata": {
"displayName": "direction",
"description": null
},
"allowedValues": [
"Inbound",
"Outbound"
]
},
"tagname": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Rule is not deployed if this tag exists on the NSG"
},
"allowedValues": [
"NA",
"NRMSException",
"SkipNRMSCorp",
"nrmsskipcorpnetsaw",
"SkipNRMSSAW",
"SkipNRMSDatabricks",
"SkipNRMSRDPSSH",
"SkipNRMSMgmt",
"SkipNRMSHigh",
"SkipNRMSVNet",
"SkipNRMSLoadBal",
"SkipNRMSDB",
"SkipNRMSMedium"
],
"defaultValue": "NA"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"field": "location",
"in": "[parameters('allowedLocations')]"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"field": "tags['SkipNRMSAll']",
"exists": "false"
},
{
"value": "[subscription().subscriptionId]",
"notIn": "[parameters('subscriptionExclusions')]"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"anyOf": [
{
"allOf": [
{
"field": "fullName",
"equals": "[concat(field('name'),'/','NRMS-Rule-', parameters('ruleNo'))]"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"equals": "[parameters('ruleno')]"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "[parameters('sourceValue')]"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
"equals": "[parameters('actionValue')]"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"equals": "[parameters('direction')]"
}
]
},
{
"allOf": [
{
"field": "fullName",
"equals": "Deny-103"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"equals": "103"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "Any"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
"equals": "Deny"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"equals": "Inbound"
}
]
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"fullName": {
"type": "string"
},
"ruleNo": {
"type": "String"
},
"destinationPortRanges": {
"type": "Array"
},
"protocol": {
"type": "String"
},
"sourceType": {
"type": "String"
},
"sourceValue": {
"type": "String"
},
"actionValue": {
"type": "String"
},
"direction": {
"type": "String"
},
"info": {
"type": "String"
}
},
"variables": {
"SourceArr": "[split(parameters('sourceValue'),',')]",
"appSecGroups": {
"copy": [
{
"name": "values",
"count": "[length(variables('SourceArr'))]",
"input": {
"id": "[if(equals(parameters('sourceType'),'App Security Group'),if(contains(variables('SourceArr')[copyindex('values')],'subscriptions'), variables('SourceArr')[copyindex('values')],resourceId('Microsoft.Network/applicationSecurityGroups', variables('SourceArr')[copyindex('values')])), '')]"
}
}
]
}
},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"name": "[concat(parameters('fullName'),'/','NRMS-Rule-', parameters('ruleNo'))]",
"apiVersion": "2017-10-01",
"scale": null,
"properties": {
"protocol": "[parameters('protocol')]",
"description": "[parameters('info')]",
"sourcePortRange": "*",
"sourceAddressPrefix": "[if(equals(parameters('sourceType'),'Service Tag'),parameters('sourceValue'),json('null'))]",
"sourceAddressPrefixes": "[if(equals(parameters('sourceType'),'IP Addresses'),variables('SourceArr'),json('null'))]",
"sourceApplicationSecurityGroups": "[if(equals(parameters('sourceType'),'App Security Group'),variables('appSecGroups').values,json('null'))]",
"destinationPortRanges": "[if (equals(1,length(parameters('destinationPortRanges'))), json('null'), parameters('destinationPortRanges'))]",
"destinationPortRange": "[if (equals(1,length(parameters('destinationPortRanges'))), parameters('destinationPortRanges')[0], json('null'))]",
"destinationAddressPrefix": "*",
"destinationApplicationSecurityGroups": [],
"access": "[parameters('actionValue')]",
"priority": "[parameters('ruleNo')]",
"direction": "[parameters('direction')]"
}
}
]
},
"parameters": {
"fullName": {
"value": "[field('fullName')]"
},
"ruleNo": {
"value": "[parameters('ruleNo')]"
},
"destinationPortRanges": {
"value": "[parameters('destinationPortRanges')]"
},
"protocol": {
"value": "[parameters('protocol')]"
},
"sourceType": {
"value": "[parameters('sourceType')]"
},
"sourceValue": {
"value": "[parameters('sourceValue')]"
},
"actionValue": {
"value": "[parameters('actionValue')]"
},
"direction": {
"value": "[parameters('direction')]"
},
"info": {
"value": "[parameters('info')]"
}
}
}
}
}
}
}
}
}