Azure policy to restrict virtual machines so that a security group must be added

2022-05-19T04:43:18.863+00:00

According to https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=bicep, the template shows [networkSecurityGroup] under [networkProfile], along with many other properties, but a VM's actual Resource JSON only has the attribute [networkInterfaces], even if a security group has been added. I need to enforce this limit by the attribute [networkSecurityGroup]. Is that possible?

This is my Azure policy. It runs, but it always denies because it can't find networkSecurityGroup:

```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaceConfigurations[*].networkSecurityGroup.id",
        "exists": false
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```


1 answer

  1. 2022-05-20T07:15:28.51+00:00

    I solved the problem by changing the field from Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id to Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id.
    This works when creating a virtual machine.
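A complete policy definition built around the subnet alias from the answer, as an added example that is not the asker's or Microsoft's own policy. Two things are assumed beyond what the answer states: the `type` condition is set to `Microsoft.Network/virtualNetworks`, because the `Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id` alias belongs to that resource type (the VM resource itself carries only NIC references, which is why the VM-level field never matched), and a `count` expression with a `where` clause is used instead of a bare `[*]` condition so that both the subnet name and the missing NSG are evaluated on the same array element. The exemption list (`GatewaySubnet`, `AzureFirewallSubnet`, which do not support an NSG) is an assumption to adjust for your environment. The second `allOf` branch covers the NIC resource, so a VM attached to a pre-existing subnet that has no NSG is still caught at NIC creation when the NIC itself has no NSG.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/virtualNetworks"
            },
            {
              "count": {
                "field": "Microsoft.Network/virtualNetworks/subnets[*]",
                "where": {
                  "allOf": [
                    {
                      "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
                      "notIn": [
                        "GatewaySubnet",
                        "AzureFirewallSubnet"
                      ]
                    },
                    {
                      "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
                      "exists": false
                    }
                  ]
                }
              },
              "greater": 0
            }
          ]
        },
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkInterfaces"
            },
            {
              "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
              "exists": false
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

The `deny` effect is only evaluated on create and update of the matching resource types, so existing virtual networks and NICs created before the assignment are not blocked; run a compliance scan on the assignment to find those, and test with `audit` first so that portal VM creation (which writes the VNet with its subnets inline) is not broken by an exemption you forgot.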
