Enforce route table 0.0.0.0/0 proxy route

Tom White 1 Reputation point
2022-04-14T22:59:07.277+00:00

Hi,

I am looking to enforce a default 0.0.0.0/0 route to hit a specific proxy for generic traffic. I have been able to make sure that this default route table gets created with policies similar to the below, but I cannot seem to do anything about people deleting it?

```json
{
  "policyType": "Custom",
  "mode": "All",
  "displayName": "create_default_route",
  "description": "Create a route table entry for 0.0.0.0",
  "policyRule": {
    "if": {
      "count": {
        "field": "Microsoft.Network/routeTables/routes[*]",
        "where": {
          "allOf": [
            {
              "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
              "equals": "[parameters('DefaultGW')]"
            },
            {
              "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
              "equals": "0.0.0.0/0"
            }
          ]
        }
      },
      "notEquals": 1
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXXXXXX"
        ],
        "conflictEffect": "deny",
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Network/routeTables/routes[*]",
            "value": {
              "name": "DEFAULT",
              "properties": {
                "addressPrefix": "0.0.0.0/0",
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": "[parameters('DefaultGW')]",
                "hasBgpOverride": false
              }
            }
          }
        ]
      }
    }
  },
  "parameters": {
    "DefaultGW": {
      "type": "String",
      "defaultValue": "1.2.3.4",
      "metadata": {
        "displayName": "Default Gateway IP",
        "description": "A route table will be created by default for 0.0.0.0/0 to this IP."
      }
    }
  },
  "id": "/subscriptions/XXXXXXXXXXXX/providers/Microsoft.Authorization/policyDefinitions/XXXXXXXXXXXXXX",
  "name": "XXXXXXXXXXXXXXXXX",
  "type": "Microsoft.Authorization/policyDefinitions"
}
```


1 answer

  1. SwathiDhanwada-MSFT 17,641 Reputation points
    2022-05-11T18:58:53.15+00:00

    @Tom White Apologies for the late response. Currently, Azure Policy evaluates as follows:

    • Greenfield (New or Updated Resources): Is run on a PUT or PATCH call to ARM
    • Brownfield (existing resources): Only evaluated for compliance

    The DELETE REST API isn't evaluated by Policy as of now. In your scenario, you can't restrict the deletion of route tables using Azure Policy. However, when the policy evaluation is done, the rule will be automatically added to the route table.

    There is an open feedback item for the same. I would recommend you navigate here and share your feedback or suggestions directly with the responsible Azure feature team, and click the vote button of your suggestion to raise its visibility and priority.
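To make the evaluation model above concrete, here is an added Python example (not part of the question or the answer) that re-implements the policy's count/where test over a few constructed route tables and shows what the modify effect restores. The sample tables and `DEFAULT_GW` are constructed, and `apply_modify` is an approximation of `addOrReplace` on `routes[*]`, not Azure's own implementation; a route deleted between evaluations shows up only as non-compliant until the next PUT/PATCH or remediation task runs.

```python
# Constructed sample route tables, shaped like the 'properties' ARM hands to Policy.
DEFAULT_GW = "1.2.3.4"  # the policy's DefaultGW parameter default

def _route(name, prefix, hop_type, hop_ip=None):
    props = {"addressPrefix": prefix, "nextHopType": hop_type}
    if hop_ip is not None:
        props["nextHopIpAddress"] = hop_ip
    return {"name": name, "properties": props}

SAMPLE_TABLES = {
    # Exactly one 0.0.0.0/0 route to the proxy: compliant.
    "compliant": {"routes": [_route("DEFAULT", "0.0.0.0/0", "VirtualAppliance", DEFAULT_GW),
                             _route("lan", "10.0.0.0/8", "VnetLocal")]},
    # Someone issued a DELETE on the route; Policy never saw that call.
    "route_deleted": {"routes": [_route("lan", "10.0.0.0/8", "VnetLocal")]},
    # Prefix is right but the next hop was pointed elsewhere: count is 0.
    "wrong_next_hop": {"routes": [_route("DEFAULT", "0.0.0.0/0", "VirtualAppliance", "9.9.9.9")]},
    # Next hop is right but only for a narrower prefix: count is still 0.
    "narrow_prefix": {"routes": [_route("DEFAULT", "10.0.0.0/8", "VirtualAppliance", DEFAULT_GW)]},
}

def matching_default_routes(table, gw=DEFAULT_GW):
    """Mirror of the policy's count/where: routes[*] whose addressPrefix is
    0.0.0.0/0 AND whose nextHopIpAddress equals the DefaultGW parameter."""
    return [r for r in table.get("routes", [])
            if r["properties"].get("addressPrefix") == "0.0.0.0/0"
            and r["properties"].get("nextHopIpAddress") == gw]

def is_compliant(table, gw=DEFAULT_GW):
    # The 'if' condition fires when the count is notEquals 1, i.e. non-compliant.
    return len(matching_default_routes(table, gw)) == 1

def apply_modify(table, gw=DEFAULT_GW):
    """Approximation of the modify effect: on a PUT/PATCH evaluation (or a
    remediation task) the DEFAULT route is (re)written to the proxy; other
    routes are left untouched. Compliant tables are returned unchanged."""
    if is_compliant(table, gw):
        return table
    wanted = _route("DEFAULT", "0.0.0.0/0", "VirtualAppliance", gw)
    wanted["properties"]["hasBgpOverride"] = False
    kept = [r for r in table.get("routes", []) if r["name"] != "DEFAULT"]
    return {**table, "routes": kept + [wanted]}

def compliance_report(tables=SAMPLE_TABLES, gw=DEFAULT_GW):
    """What the compliance view would show for existing (brownfield) tables."""
    return {name: is_compliant(t, gw) for name, t in tables.items()}

if __name__ == "__main__":
    for name, ok in compliance_report().items():
        print(f"{name:15s} compliant={ok}")
```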