question

ChenjunGaoBeyondSoftconsulting-4473 asked vipullag-MSFT edited

Azure policy to restrict virtual machine must add securitygroup

According to https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=bicep,
the template shows [networkSecurityGroup] under [networkProfile], along with many other properties,
but in a VM's actual Resource JSON it only has the attribute [networkInterfaces] (even if a security group is added). I need to enforce this restriction by the attribute [networkSecurityGroup]; is that possible?

This is my Azure policy. It works, but it will always deny because it can't find networkSecurityGroup.

"policyRule": {
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaceConfigurations[*].networkSecurityGroup.id",
                "exists": false
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

Tags: azure-virtual-machines, azure-policy

1 Answer

ChenjunGaoBeyondSoftconsulting-4473 answered vipullag-MSFT commented

I solved the problem by changing the field from Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id to Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id.
This works when creating a virtual machine.

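A complete policy definition built around the alias the answer settled on, written here as an added example rather than code from the post. It targets the virtual network instead of the virtual machine: as the question observed, the VM resource JSON carries only references to network interfaces, and the NSG association is a property of the subnet (or of the NIC), so a rule evaluated against Microsoft.Compute/virtualMachines never sees it and the exists:false test fires on every VM. A count expression over subnets[*] is used so the rule matches when at least one subnet in the virtual network has no NSG; the displayName, the effect parameter and the string form of the exists value are my choices, not anything from the original post.

```json
{
  "properties": {
    "displayName": "Subnets must have a network security group",
    "policyType": "Custom",
    "mode": "All",
    "description": "Example policy added to this page, not from the original post. Denies (or audits) virtual networks that contain at least one subnet with no networkSecurityGroup association.",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Deny",
        "allowedValues": [ "Audit", "Deny" ],
        "metadata": { "displayName": "Effect" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "count": {
              "field": "Microsoft.Network/virtualNetworks/subnets[*]",
              "where": {
                "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
                "exists": "false"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Starting the assignment with the effect set to Audit shows which existing virtual networks would be blocked before switching to Deny. Because the rule is evaluated against the virtual network resource, it runs when a deployment creates or updates that network (for example, a VM template that also creates its vnet); a deployment that only attaches a NIC to an already existing subnet is not evaluated by this rule, so a separate check on the NIC or subnet resource type would be needed to cover that path (that pairing is my suggestion, not something the post tested).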

@ChenjunGaoBeyondSoftconsulting-4473

Thanks for sharing the issue resolution here for the benefit of community.
