Policy evaluation problems

Question

Policy evaluation problems

Frank 1

A policy based on the below rule is evaluated/triggered when adding a service endpoint from settings/service endpoints. It does not seem to be evaluated/triggered when adding a service endpoint from settings/subnets/<subnet>. Is this correct or a bug?

"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"count": {
"field": "Microsoft.Network/virtualNetworks/subnets[].serviceEndpoints[]"
},
"greaterOrEquals": 1
}
]
}

SwathiDhanwada-MSFT 19,088 Reputation points Moderator

2022-01-03T09:54:46.443+00:00
@Frank Welcome to Microsoft Q & A Community Forum. The information is bit vague to answer your question. Can you please share below information.

Are you trying to audit the virtual networks which has more than one service Endpoint?

Are you trying to deny creation of more service endpoint for virtual network ?

Kindly share about the requirement in detail.

References of Azure Policy:

https://learn.microsoft.com/en-us/azure/governance/policy/overview

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects
Frank 1 Reputation point

2022-01-04T09:20:13.56+00:00

@SwathiDhanwada-MSFT Thank you for your reply.

I'm trying to deny all service end points.

The above policy does deny the creation of service endpoints when service endpoints are being added from virtual network/settings/service endpoints.
Also the policy denies the creation of service endpoints when they are being created from other resources. Eg when one adds a virtual network/subnet to the allowed networks of the firewall of a storage account.

The above policy does not deny the creation of service endpoints when service endpoints are being added from virtual network/settings/subnets. One can add a new subnet with a service endpoint or add a service endpoint to an existing subnet without a problem.

1 answer

Your answer

SwathiDhanwada-MSFT 19,088 Reputation points Moderator

2022-01-03T09:54:46.443+00:00

@Frank Welcome to Microsoft Q & A Community Forum. The information is bit vague to answer your question. Can you please share below information.

Are you trying to audit the virtual networks which has more than one service Endpoint?

Are you trying to deny creation of more service endpoint for virtual network ?

Kindly share about the requirement in detail.

References of Azure Policy:

https://learn.microsoft.com/en-us/azure/governance/policy/overview

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects
Frank 1 Reputation point

2022-01-04T09:20:13.56+00:00

@SwathiDhanwada-MSFT Thank you for your reply.

I'm trying to deny all service end points.

The above policy does deny the creation of service endpoints when service endpoints are being added from virtual network/settings/service endpoints.
Also the policy denies the creation of service endpoints when they are being created from other resources. Eg when one adds a virtual network/subnet to the allowed networks of the firewall of a storage account.

The above policy does not deny the creation of service endpoints when service endpoints are being added from virtual network/settings/subnets. One can add a new subnet with a service endpoint or add a service endpoint to an existing subnet without a problem.

Answer 1

SwathiDhanwada-MSFT 19,088 Moderator

@Frank The policy you have provided wouldn't work as "Microsoft.Network/virtualNetworks/subnets[].serviceEndpoints[]" alias isn't supported. To check the list of aliases that are supported for subnets, you can check using below command.

(Get-AzPolicyAlias -Namespace "Microsoft.NetworK" -ResourceType "virtualNetworks/subNets").Aliases.Name

You can request new alias by raising a request here : https://github.com/Azure/azure-policy/issues

Frank 1 Reputation point

2022-01-13T10:55:02.873+00:00

@SwathiDhanwada-MSFT

Thank you for your response.

Using Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*] denies deployment when creating service endpoints from virtual network/subnets

It does not deny deployment when creating service endpoints from virtual network/settings/service endpoints and when they are being created from other resources.

So one would need both

Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[]
and
Microsoft.Network/virtualNetworks/subnets[].serviceEndpoints[*]

An alias will fix this so that Microsoft.Network/virtualNetworks/subnets[].serviceEndpoints[] always works?
SwathiDhanwada-MSFT 19,088 Reputation points Moderator

2022-01-17T13:03:05.387+00:00

@Frank Yes, Aliases in resource policies enable you to restrict what values or conditions are permitted for a property on a resource.
Frank 1 Reputation point

2022-01-20T16:02:58.3+00:00

@SwathiDhanwada-MSFT

Thank you for your reply.

I've requested the alias.
Frank 1 Reputation point

2022-02-14T11:53:46.69+00:00

@SwathiDhanwada-MSFT

The aliases have been created.
Unfortunately the policy definition in my initial question still allows the creation of service endpoints when being created from virtualnetwork/subnets.
What am I doing wrong?
SwathiDhanwada-MSFT 19,088 Reputation points Moderator

2022-02-25T01:11:40.077+00:00

@Frank I recommend engaging our technical support team to investigate further. Please file a support case using these steps.

Share via

Policy evaluation problems

1 answer

Your answer