Disable app service integration to existing VNET

asked 2021-11-15T18:54:22.907+00:00
Bob Doyle 21 Reputation points


We have a gov cloud where one of our policies is to prevent any public IP address from being created, we also have a policy which restricts creation of any new VNETs or subnets within the existing VNETs. However, I am trying to add a policy which prevents our customers who have access to the Subscription we created from being able to integrate any bots of the type App Service or App Service plans which can be accessible by public end points on Azure to our existing VNETs. This policy essentially restricts them from being able to integrate their app service resources to our existing VNETs, even if their app services enable public access.

Please point me out in the right direction regarding how I could enable this.

Azure Web Apps
Azure Web Apps
A feature of Azure App Service used to create and deploy scalable, mission-critical web apps.
4,306 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
506 questions
No comments
{count} votes

Accepted answer
  1. answered 2021-11-18T06:28:19.927+00:00
    Andriy Bilous 7,871 Reputation points

    Hello @Bob Doyle

    You can create custom policy that will prevent App Service Apps to be injected into a virtual network.

    • Find an existing policy "App Service Apps should be injected into a virtual network"
    • Duplicate it
    • And modify condition, to prevent App Service Apps to be injected into a virtual network {
      "mode": "Indexed",
      "policyRule": {
      "if": {
      "allOf": [
      "field": "type",
      "equals": "Microsoft.Web/sites"
      "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
      "notEquals": ""
      "then": {
      "effect": "[parameters('effect')]"
      "parameters": {
      "effect": {
      "type": "String",
      "metadata": {
      "displayName": "Effect",
      "description": "Enable or disable the execution of the policy"
      "allowedValues": [
      "defaultValue": "Audit"


    No comments

0 additional answers

Sort by: Most helpful