Azure Policy built-in definitions for Azure Virtual Network

This page is an index of Azure Policy built-in policy definitions for Azure Virtual Network. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Virtual Network

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 3.0.0-preview
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms and key strengths - https://aka.ms/AA62kb0 Audit, Disabled 1.0.0
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.0
Azure firewall policy should enable TLS inspection within application rules Enabling TLS inspection is recommended for all application rules to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect Audit, Deny, Disabled 1.0.0
Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection Configure a valid intermediate certificate and enable Azure Firewall Premium TLS inspection to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect Audit, Deny, Disabled 1.0.0
Azure VPN gateways should not use 'basic' SKU This policy ensures that VPN gateways do not use 'basic' SKU. Audit, Disabled 1.0.0
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.2
Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium Intrusion Detection and Prevention System (IDPS) Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list. However, enabling IDPS is recommanded for all traffic flows to better identify known threats. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature Audit, Deny, Disabled 1.0.0
Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. DeployIfNotExists, Disabled 1.0.0
Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. DeployIfNotExists, Disabled 1.1.0
Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. DeployIfNotExists, Disabled 1.1.0
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Deploy a flow log resource with target network security group Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. deployIfNotExists 1.0.1
Deploy network watcher when virtual networks are created This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. DeployIfNotExists 1.0.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows Enabling all Intrusion Detection and Prevention System (IDPS) signature rules is recommanded to better identify known threats in the traffic flows. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature Audit, Deny, Disabled 1.0.0
Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) Enabling the Intrusion Detection and Prevention System (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. To learn more about the Intrusion Detection and Prevention System (IDPS) with Azure Firewall Premium, visit https://aka.ms/fw-idps Audit, Deny, Disabled 1.0.0
Flow logs should be configured for every network security group Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.1.0
Flow logs should be enabled for every network security group Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. deny 1.0.0
Network interfaces should not have public IPs This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. deny 1.0.0
Network Watcher flow logs should have traffic analytics enabled Traffic analytics analyzes Network Watcher network security group flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. Audit, Disabled 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subscription should configure the Azure Firewall Premium to provide additional layer of protection Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium AuditIfNotExists, Disabled 1.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0
Virtual networks should be protected by Azure DDoS Protection Standard Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. Modify, Audit, Disabled 1.0.0
Virtual networks should use specified virtual network gateway This policy audits any virtual network if the default route does not point to the specified virtual network gateway. AuditIfNotExists, Disabled 1.0.0
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant Audit, Deny, Disabled 1.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 2.0.0
Web Application Firewall (WAF) should enable all firewall rules for Application Gateway Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag Audit, Deny, Disabled 1.0.1
Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. Audit, Deny, Disabled 1.0.0
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. Audit, Deny, Disabled 1.0.0

Tags

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add a tag to resource groups Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. modify 1.0.0
Add a tag to resources Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. modify 1.0.0
Add a tag to subscriptions Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. modify 1.0.0
Add or replace a tag on resource groups Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. modify 1.0.0
Add or replace a tag on resources Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. modify 1.0.0
Add or replace a tag on subscriptions Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. modify 1.0.0
Append a tag and its value from the resource group Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). append 1.0.0
Append a tag and its value to resource groups Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). append 1.0.0
Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). append 1.0.1
Inherit a tag from the resource group Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. modify 1.0.0
Inherit a tag from the resource group if missing Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. modify 1.0.0
Inherit a tag from the subscription Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. modify 1.0.0
Inherit a tag from the subscription if missing Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. modify 1.0.0
Require a tag and its value on resource groups Enforces a required tag and its value on resource groups. deny 1.0.0
Require a tag and its value on resources Enforces a required tag and its value. Does not apply to resource groups. deny 1.0.1
Require a tag on resource groups Enforces existence of a tag on resource groups. deny 1.0.0
Require a tag on resources Enforces existence of a tag. Does not apply to resource groups. deny 1.0.1

General

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. deny 1.0.0
Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. deny 1.0.0
Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. deny 1.0.0
Audit resource location matches resource group location Audit that the resource location matches its resource group location audit 2.0.0
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.0
Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. Audit, Deny, Disabled 2.0.0

Next steps