Policy Auditing but not Denying

Shane walford 6 Reputation points
2022-04-03T10:49:59.657+00:00

Hi,

I am trying to apply the policy below in deny mode, but deny does not work. In audit mode it audits as expected, and when set to deny it still audits correctly, but it does not prevent me from adding rules that do not contain the listed IP addresses. These are test IPs currently. I want to provide a list of IPs that users can add to NSGs and deny any that are not listed. I have tried using "sourceAddressPrefixes", but this does not work either.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups"
        },
        {
          "count": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
            "where": {
              "allOf": [
                {
                  "anyOf": [
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                      "notIn": [
                        "10.10.10.1",
                        "10.23.10.1",
                        "10.25.10.1"
                      ]
                    }
                  ]
                }
              ]
            }
          },
          "greater": 0
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
Azure Policy
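The deny effect is applied to the request that is actually being made. When a rule is added through the portal, the CLI or the REST API, that request is a PUT on the child resource type Microsoft.Network/networkSecurityGroups/securityRules, so the condition "type equals Microsoft.Network/networkSecurityGroups" never matches and the policy is skipped. The same definition does report in audit mode because the compliance scan evaluates the stored NSG resource, which carries its rules inline under securityRules[*]. The NSG-level branch only fires for a PUT of the whole NSG (for example an ARM or Bicep deployment with rules inline). A definition that covers both request shapes is shown below. This is an added example, not the original poster's definition or a Microsoft sample: the parameter name allowedSourcePrefixes and the 10.x test values are assumptions, and the sourceAddressPrefixes[*] branches (for rules that carry several source prefixes) are my addition and should be validated in audit mode on a test NSG before the assignment is switched to deny.

```json
{
  "mode": "All",
  "parameters": {
    "allowedSourcePrefixes": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed source address prefixes",
        "description": "Only these values may be used as the source of an NSG security rule"
      },
      "defaultValue": [
        "10.10.10.1",
        "10.23.10.1",
        "10.25.10.1"
      ]
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "notIn": "[parameters('allowedSourcePrefixes')]"
                },
                {
                  "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                    "where": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notIn": "[parameters('allowedSourcePrefixes')]"
                    }
                  },
                  "greater": 0
                }
              ]
            }
          ]
        },
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups"
            },
            {
              "count": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                "where": {
                  "anyOf": [
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                      "notIn": "[parameters('allowedSourcePrefixes')]"
                    },
                    {
                      "count": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                        "where": {
                          "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                          "notIn": "[parameters('allowedSourcePrefixes')]"
                        }
                      },
                      "greater": 0
                    }
                  ]
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

To create it with the Azure CLI, put the policyRule object in one file and the parameters object in another and run az policy definition create --name with --mode All, --rules pointing at the first file and --params at the second, then assign it with az policy assignment create --policy at the subscription or resource group scope. A quick check after assignment: adding a rule with source 10.10.10.1 to a test NSG should succeed, while a rule with any other source (including "*", a service tag or an application security group, since none of those appears in the allowed list) should be rejected with a RequestDisallowedByPolicy error. Keep in mind that the policy only gates new and updated rules; rules that already existed before the assignment will show as non-compliant but are not removed.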