Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
Hi,
I am trying to apply the below policy in deny mode but deny does not work. In audit mode it audits as expected, and when set to deny it still audits correctly, but it does not prevent me from adding rules that do not contain the list of IP addresses. These are test IPs currently. I want to provide a list of IPs that users can add to NSGs but deny any that are not listed. I have tried using "sourceAddressPrefixes" but this does not work either.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups"
        },
        {
          "count": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
            "where": {
              "allOf": [
                {
                  "anyOf": [
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                      "notIn": [
                        "10.10.10.1",
                        "10.23.10.1",
                        "10.25.10.1"
                      ]
                    }
                  ]
                }
              ]
            }
          },
          "greater": 0
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
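The definition above only matches requests whose resource type is the NSG itself, so its `securityRules[*]` count is evaluated when the whole NSG is PUT (for example from an ARM template) and during compliance scans, which is why audit results look right. Adding a single rule from the portal, CLI or PowerShell is a separate PUT to the child resource type `Microsoft.Network/networkSecurityGroups/securityRules`; that request never matches `type equals Microsoft.Network/networkSecurityGroups`, so `deny` has nothing to evaluate and the rule goes through. A policy that is meant to block rules has to cover both shapes, and the rule-level check has to look at `sourceAddressPrefixes[*]` as well as `sourceAddressPrefix`, since a rule carries one or the other. The following definition is an added example written for this page, not the poster's definition or a Microsoft-published one; it keeps the three test addresses as the default of a parameter named `allowedSourcePrefixes` (the parameter name is an assumption), guards the single-value alias with `exists` so rules that only use the plural form are not flagged twice, and uses a nested `count` for the plural form on the NSG-level branch.

```json
{
  "mode": "All",
  "parameters": {
    "allowedSourcePrefixes": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed source address prefixes",
        "description": "Every sourceAddressPrefix / sourceAddressPrefixes value on an NSG rule must be in this list."
      },
      "defaultValue": [ "10.10.10.1", "10.23.10.1", "10.25.10.1" ]
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
            {
              "count": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                "where": {
                  "anyOf": [
                    {
                      "allOf": [
                        { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "exists": "true" },
                        { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "notIn": "[parameters('allowedSourcePrefixes')]" }
                      ]
                    },
                    {
                      "count": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                        "where": {
                          "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                          "notIn": "[parameters('allowedSourcePrefixes')]"
                        }
                      },
                      "greater": 0
                    }
                  ]
                }
              },
              "greater": 0
            }
          ]
        },
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
            {
              "anyOf": [
                {
                  "allOf": [
                    { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "exists": "true" },
                    { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "notIn": "[parameters('allowedSourcePrefixes')]" }
                  ]
                },
                {
                  "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                    "where": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notIn": "[parameters('allowedSourcePrefixes')]"
                    }
                  },
                  "greater": 0
                }
              ]
            }
          ]
        }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

Two things to check before assigning this with `deny`. First, `notIn` is a literal comparison, so `*`, CIDR blocks and service tags such as `VirtualNetwork` or `AzureLoadBalancer` are denied unless they are added to the parameter; if operators need those, put them in the list explicitly rather than loosening the operator. Second, test the assignment with a rule created in each way (a full NSG deployment and a stand-alone `az network nsg rule create`), because the two branches are evaluated on different requests and a mistake in one of them will only show up through the path you did not try.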