Azure Policy built-in definitions for Azure networking services
This page is an index of Azure Policy built-in policy definitions for Azure networking services. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure networking services
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
[Preview]: Application Gateways should be Zone Resilient | Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | DeployIfNotExists, Disabled | 1.0.1-preview |
[Preview]: Firewalls should be Zone Resilient | Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Load Balancers should be Zone Resilient | Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: NAT gateway should be Zone Aligned | NAT gateway can be configured to be Zone Aligned or not. A NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that a NAT gateway is configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Public IP addresses should be Zone Resilient | Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.1.0-preview |
[Preview]: Public IP Prefixes should be Zone Resilient | Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Virtual network gateways should be Zone Redundant | Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths: https://aka.ms/AA62kb0 | Audit, Disabled | 1.0.0 |
All flow log resources should be in enabled state | Audit flow log resources to verify that flow log status is enabled. Enabling flow logs allows logging of information about IP traffic flows. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
Audit flow logs configuration for every virtual network | Audit virtual networks to verify that flow logs are configured. Enabling flow logs allows logging of information about IP traffic flowing through the virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
Azure Application Gateway should be deployed with Azure WAF | Requires Azure Application Gateway resources to be deployed with Azure WAF. | Audit, Deny, Disabled | 1.0.0 |
Azure Application Gateway should have Resource logs enabled | Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1 |
Azure Firewall Classic Rules should be migrated to Firewall Policy | Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Policy Analytics should be Enabled | Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance. | Audit, Disabled | 1.0.0 |
Azure Firewall Policy should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Policy should have DNS Proxy Enabled | Enabling DNS Proxy makes the Azure Firewall associated with this policy listen on port 53 and forward DNS requests to the specified DNS server. | Audit, Disabled | 1.0.0 |
Azure Firewall should be deployed to span multiple Availability Zones | For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Standard - Classic Rules should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Standard should be upgraded to Premium for next generation protection | If you are looking for next generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to Premium sku. | Audit, Deny, Disabled | 1.0.0 |
Azure Front Door should have Resource logs enabled | Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use 'basic' SKU. | Audit, Disabled | 1.0.0 |
Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall on Azure Front Door should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
Bot Protection should be enabled for Azure Application Gateway WAF | This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies | Audit, Deny, Disabled | 1.0.0 |
Bot Protection should be enabled for Azure Front Door WAF | This policy ensures that bot protection is enabled in all Azure Front Door Web Application Firewall (WAF) policies | Audit, Deny, Disabled | 1.0.0 |
Configure a private DNS Zone ID for blob groupID | Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for blob_secondary groupID | Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for dfs groupID | Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for dfs_secondary groupID | Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for file groupID | Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for queue groupID | Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for queue_secondary groupID | Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for table groupID | Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for table_secondary groupID | Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for web groupID | Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for web_secondary groupID | Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | DeployIfNotExists, Disabled | 1.2.0 |
Configure Azure Automation accounts with private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Cache for Redis Enterprise to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis Enterprise. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Cache for Redis to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Cognitive Search services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Cognitive Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Device Update for IoT Hub accounts to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Update for IoT Hub private endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | DeployIfNotExists, Disabled | 1.1.0 |
Configure Azure HDInsight clusters to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Azure Managed Grafana workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Media Services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Media Services with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Migrate resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Monitor Private Link Scope to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Synapse workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. | DeployIfNotExists, Disabled | 2.0.0 |
Configure Azure Virtual Desktop hostpool resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Virtual Desktop workspace resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Web PubSub Service to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink. | DeployIfNotExists, Disabled | 1.0.0 |
Configure BotService resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Cognitive Services accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | DeployIfNotExists, Disabled | 1.0.1 |
Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 2.0.0 |
Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace | Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Configure disk access resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Event Hub namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
Configure IoT Hub device provisioning instances to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. | DeployIfNotExists, Disabled | 1.0.0 |
Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has Traffic analytics enabled, the policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If a network security group already has traffic analytics enabled, the policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure private DNS zones for private endpoints that connect to Azure Data Factory | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Private Link for Azure AD to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Service Bus namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
Configure virtual network to enable Flow Log and Traffic Analytics | Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite the current settings for virtual networks that already have these features enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.1 |
Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, then this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.2 |
Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | deployIfNotExists, DeployIfNotExists, Disabled | 1.1.0 |
Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | deployIfNotExists, DeployIfNotExists, Disabled | 1.1.0 |
Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
Deploy - Configure IoT Central to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy - Configure private DNS zones for private endpoints that connect to Azure SignalR Service | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://aka.ms/asrs/privatelink. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group. It allows logging of information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | deployIfNotExists | 1.1.0 |
Deploy a Flow Log resource with target virtual network | Configures a flow log for a specific virtual network. It allows logging of information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | DeployIfNotExists, Disabled | 1.1.1 |
Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | deployIfNotExists | 2.0.1 |
Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure the existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 |
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application gateways (microsoft.network/applicationgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application gateways (microsoft.network/applicationgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for ExpressRoute circuits (microsoft.network/expressroutecircuits). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for ExpressRoute circuits (microsoft.network/expressroutecircuits). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Firewalls (microsoft.network/azurefirewalls). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Firewalls (microsoft.network/azurefirewalls). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Load balancers (microsoft.network/loadbalancers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Load balancers (microsoft.network/loadbalancers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/dnsresolverpolicies. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/dnsresolverpolicies. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networkmanagers/ipampools. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networkmanagers/ipampools. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networksecurityperimeters. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/networksecurityperimeters to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networksecurityperimeters. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for microsoft.network/p2svpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for microsoft.network/vpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/vpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/vpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/vpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.network/vpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/vpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkanalytics/dataproducts. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkanalytics/dataproducts. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkanalytics/dataproducts to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkanalytics/dataproducts. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/baremetalmachines. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/baremetalmachines. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/baremetalmachines to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/baremetalmachines. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/clusters to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/clusters. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/clusters. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/clusters to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/clusters. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/storageappliances. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/storageappliances. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkcloud/storageappliances to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/storageappliances. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkfunction/azuretrafficcollectors. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkfunction/azuretrafficcollectors. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkfunction/azuretrafficcollectors. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network Managers (microsoft.network/networkmanagers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network Managers (microsoft.network/networkmanagers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network Managers (microsoft.network/networkmanagers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network security groups (microsoft.network/networksecuritygroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network security groups (microsoft.network/networksecuritygroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network security groups (microsoft.network/networksecuritygroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP Prefixes (microsoft.network/publicipprefixes). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP Prefixes (microsoft.network/publicipprefixes). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP Prefixes (microsoft.network/publicipprefixes). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual networks (microsoft.network/virtualnetworks). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual networks (microsoft.network/virtualnetworks). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual networks (microsoft.network/virtualnetworks). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
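The rows above describe the same pattern for every resource type: the AuditIfNotExists effect checks whether a diagnostic setting already routes a category group to the chosen destination, and DeployIfNotExists creates one if not. The following is an added example (not the built-ins' policy source and not Microsoft code) that models that check and the remediation body offline for the Log Analytics variant. Assumptions, labelled in the code: the built-in is satisfied only by an enabled `categoryGroup` entry (per-category entries do not count), the workspace must match the assigned parameter, and the sample NSG settings are constructed.

```python
"""Offline model of the 'Enable logging by category group ... to Log Analytics' built-ins.

Added example, not the policy definitions' own source. Shapes follow the
Microsoft.Insights/diagnosticSettings resource; all sample data is constructed.
"""
from __future__ import annotations

# First diagnosticSettings API version that accepts categoryGroup entries.
DIAG_API = "2021-05-01-preview"


def covers_category_group(setting: dict, category_group: str, workspace_id: str) -> bool:
    """True if one diagnostic setting routes `category_group` to `workspace_id`.

    Assumption: only an enabled entry keyed by categoryGroup satisfies the check;
    an entry that enables an individual category (e.g. NetworkSecurityGroupEvent)
    does not, even if that category belongs to the group.
    """
    props = setting.get("properties", {}) or {}
    if (props.get("workspaceId") or "").lower() != workspace_id.lower():
        return False
    return any(
        entry.get("enabled") is True and entry.get("categoryGroup") == category_group
        for entry in props.get("logs", [])
    )


def is_compliant(settings: list[dict], category_group: str, workspace_id: str) -> bool:
    """AuditIfNotExists semantics: compliant iff at least one related setting passes."""
    return any(covers_category_group(s, category_group, workspace_id) for s in settings)


def remediation_body(resource_id: str, name: str, category_group: str,
                     workspace_id: str) -> tuple[str, dict]:
    """DeployIfNotExists analogue: the ARM PUT target and body that would fix the gap."""
    url = (f"https://management.azure.com{resource_id}"
           f"/providers/Microsoft.Insights/diagnosticSettings/{name}"
           f"?api-version={DIAG_API}")
    body = {"properties": {
        "workspaceId": workspace_id,
        "logs": [{"categoryGroup": category_group, "enabled": True}],
    }}
    return url, body


# --- constructed sample data (hypothetical IDs) ---------------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NSG_ID = f"{SUB}/resourceGroups/net-rg/providers/Microsoft.Network/networkSecurityGroups/app-nsg"
WORKSPACE_ID = f"{SUB}/resourceGroups/sec-rg/providers/Microsoft.OperationalInsights/workspaces/sec-law"
OTHER_WORKSPACE_ID = WORKSPACE_ID.replace("sec-law", "dev-law")

# Setting 1: per-category entry only -> does not satisfy a category-group check.
# Setting 2: right category group, wrong workspace -> not compliant either.
NON_COMPLIANT_SETTINGS = [
    {"name": "legacy", "properties": {"workspaceId": WORKSPACE_ID,
        "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": True}]}},
    {"name": "dev", "properties": {"workspaceId": OTHER_WORKSPACE_ID,
        "logs": [{"categoryGroup": "allLogs", "enabled": True}]}},
]

COMPLIANT_SETTINGS = NON_COMPLIANT_SETTINGS + [
    {"name": "sec-allLogs", "properties": {"workspaceId": WORKSPACE_ID,
        "logs": [{"categoryGroup": "allLogs", "enabled": True}]}},
]


if __name__ == "__main__":
    print("before:", is_compliant(NON_COMPLIANT_SETTINGS, "allLogs", WORKSPACE_ID))
    url, body = remediation_body(NSG_ID, "sec-allLogs", "allLogs", WORKSPACE_ID)
    print("PUT", url)
    print("after:", is_compliant(COMPLIANT_SETTINGS, "allLogs", WORKSPACE_ID))
```

The same model applies to the Event Hub and Storage variants by swapping `workspaceId` for `eventHubAuthorizationRuleId`/`eventHubName` or `storageAccountId`. When you assign these built-ins, set the category-group parameter deliberately: `audit` keeps only security-relevant categories, while `allLogs` also captures operational categories that can be high-volume on firewalls and gateways.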
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF | The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. | Audit, Deny, Disabled | 1.0.0 |
Flow logs should be configured for every network security group | Audit network security groups to verify that flow logs are configured. Enabling flow logs lets you log information about IP traffic flowing through a network security group. The data can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.1.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Migrate WAF from WAF Config to WAF Policy on Application Gateway | If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. | Audit, Deny, Disabled | 1.0.0 |
Network interfaces should be connected to an approved subnet of the approved virtual network | This policy blocks network interfaces from connecting to a virtual network or subnet that is not approved. https://aka.ms/VirtualEnclaves | Audit, Deny, Disabled | 1.0.0 |
Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. | deny | 1.0.0 |
Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | deny | 1.0.0 |
Network Watcher flow logs should have traffic analytics enabled | Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. | Audit, Disabled | 1.0.1 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end network-level view. A Network Watcher resource group must be created in every region where a virtual network is present. An alert is raised if a Network Watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Public IP addresses should have resource logs enabled for Azure DDoS Protection | Enable resource logs for public IP addresses in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports, and flow logs. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.1 |
Public IPs and Public IP prefixes should have FirstPartyUsage tag | Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. | Audit, Deny, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Subnets should be private | Ensure your subnets are secure by default by preventing default outbound access. For more information, go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny, Disabled | 1.0.0 |
Virtual Hubs should be protected with Azure Firewall | Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. | Audit, Deny, Disabled | 1.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
Virtual networks should be protected by Azure DDoS Protection | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify, Audit, Disabled | 1.0.1 |
Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 |
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant | Audit, Deny, Disabled | 1.0.0 |
Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and local and remote file execution. You can also restrict access to your web applications by country, IP address range, and other HTTP(S) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Audit, Deny, Disabled | 1.0.0 |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Audit, Deny, Disabled | 1.0.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.