Disable app service integration to existing VNET

Bob Doyle 21 Reputation points
2021-11-15T18:54:22.907+00:00

Hello,

We have a gov cloud where one of our policies is to prevent any public IP address from being created; we also have a policy which restricts creation of any new VNETs or subnets within the existing VNETs. However, I am trying to add a policy which prevents our customers who have access to the Subscription we created from being able to integrate any bots of the type App Service or App Service plans, which can be accessible by public endpoints on Azure, to our existing VNETs. This policy essentially restricts them from being able to integrate their App Service resources to our existing VNETs, even if their App Services enable public access.

Please point me in the right direction regarding how I could enable this.

Tags: Azure Policy, Azure App Service

Accepted answer
    Andriy Bilous 10,896 Reputation points MVP
    2021-11-18T06:28:19.927+00:00

    Hello @Bob Doyle

    You can create a custom policy that will prevent App Service apps from being injected into a virtual network.

    • Find the existing built-in policy "App Service Apps should be injected into a virtual network" (screenshot omitted)
    • Duplicate it (screenshot omitted)
    • And modify the condition so that it instead prevents App Service apps from being injected into a virtual network (the original built-in checks that the subnet id is missing or empty; this version matches any site whose subnet id is set):

      {
        "mode": "Indexed",
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Web/sites"
              },
              {
                "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
                "notEquals": ""
              }
            ]
          },
          "then": {
            "effect": "[parameters('effect')]"
          }
        },
        "parameters": {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
              "Audit",
              "Deny",
              "Disabled"
            ],
            "defaultValue": "Audit"
          }
        }
      }

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

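As an added example (not part of the answer above), the following PowerShell registers the inverted rule as a custom definition and assigns it at subscription scope with the effect set to Deny, then lists sites that are already integrated. The definition and assignment names, the display text and the extra `exists` condition (added so a site that omits the property entirely cannot satisfy the rule on the `notEquals` branch alone) are my choices; it assumes the Az.Resources and Az.PolicyInsights modules and an authenticated session from Connect-AzAccount.

```powershell
# Added example, not the original answer's code. Assumes Connect-AzAccount has run.
$subscriptionId = (Get-AzContext).Subscription.Id   # scope for definition and assignment

# Rule: match any Microsoft.Web/sites that carries a non-empty virtualNetworkSubnetId.
# "exists": "true" is added defensively alongside the notEquals check.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Web/sites" },
      { "field": "Microsoft.Web/sites/virtualNetworkSubnetId", "exists": "true" },
      { "field": "Microsoft.Web/sites/virtualNetworkSubnetId", "notEquals": "" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Same parameter block as the answer, so the effect can be switched between Audit and Deny.
$params = @'
{
  "effect": {
    "type": "String",
    "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@

# Definition name and display text are hypothetical choices for this example.
$definition = New-AzPolicyDefinition `
  -Name 'deny-appservice-vnet-integration' `
  -DisplayName 'App Service apps should not be integrated with a virtual network' `
  -Description 'Denies regional VNet integration of Web Apps into the shared VNets' `
  -Mode 'Indexed' `
  -Policy $rule `
  -Parameter $params `
  -SubscriptionId $subscriptionId

# Assign with Deny so create/update requests that set a subnet id are rejected by ARM.
New-AzPolicyAssignment `
  -Name 'deny-appservice-vnet-integration' `
  -Scope "/subscriptions/$subscriptionId" `
  -PolicyDefinition $definition `
  -PolicyParameterObject @{ effect = 'Deny' }

# Deny only blocks new requests; sites already integrated show up as NonCompliant after the next scan.
Get-AzPolicyState -SubscriptionId $subscriptionId `
  -Filter "PolicyDefinitionName eq 'deny-appservice-vnet-integration' and ComplianceState eq 'NonCompliant'" |
  Select-Object ResourceId, ComplianceState
```

Run the assignment with effect = Audit first to see which existing customer sites would be affected before switching to Deny.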
