Hi,
I want to enforce a default 0.0.0.0/0 route that sends generic traffic to a specific proxy (a virtual appliance). With a policy like the one below I can make sure the route gets added whenever a route table is created or updated, but it does nothing when someone deletes the route table, or deletes just the 0.0.0.0/0 route from it: the modify effect only runs on create/update (PUT/PATCH) requests, so a DELETE is never evaluated. Is there a way to stop the route table or the route from being deleted?
{
"policyType": "Custom",
"mode": "All",
"displayName": "create_default_route",
"description": "Adds a 0.0.0.0/0 route with next hop VirtualAppliance (the DefaultGW IP) to any route table that does not contain exactly one such route. Evaluated on create/update requests only; it does not prevent deletion of the route table or the route, which must be protected separately (for example a CannotDelete resource lock or RBAC without Microsoft.Network/routeTables/delete).",
"policyRule": {
"if": {
"count": {
"field": "Microsoft.Network/routeTables/routes[]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[].nextHopIpAddress",
"equals": "[parameters('DefaultGW')]"
},
{
"field": "Microsoft.Network/routeTables/routes[].addressPrefix",
"equals": "0.0.0.0/0"
}
]
}
},
"notEquals": 1
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXXXXXX"
],
"conflictEffect": "deny",
"operations": [
{
"operation": "addOrReplace",
"field": "Microsoft.Network/routeTables/routes[]",
"value": {
"name": "DEFAULT",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[parameters('DefaultGW')]",
"hasBgpOverride": false
}
}
}
]
}
}
},
"parameters": {
"DefaultGW": {
"type": "String",
"defaultValue": "1.2.3.4",
"metadata": {
"displayName": "Default Gateway IP",
"description": "Next-hop IP of the virtual appliance (proxy) for the 0.0.0.0/0 route that is added to every route table. The defaultValue is a placeholder; set the real appliance IP on the policy assignment."
}
}
},
"id": "/subscriptions/XXXXXXXXXXXX/providers/Microsoft.Authorization/policyDefinitions/XXXXXXXXXXXXXX",
"name": "XXXXXXXXXXXXXXXXX",
"type": "Microsoft.Authorization/policyDefinitions"
}