Deny inbound NSG Rule creation via Azure Policy

by info.odysseyx@gmail.com, September 11, 2024

This blog post covers how to deny the creation of an inbound network security group (NSG) rule when the rule's source is Internet, All (*), or 0.0.0.0/0 and its destination port is 22, 3389, or *.

Memo: A user with the necessary permissions can create an exemption for a resource, which prevents this policy from taking effect for that resource.

Creating a custom policy definition

To create a custom policy, follow these steps:

1) In the Azure portal, open Azure Policy and go to the Definitions blade.
2) Create a new policy definition.
3) Add a definition location (the subscription that will host this policy), a name, and a description.
4) For Category, use the existing category and select Networking.
5) Add the policy definition below as the rule.

Memo: You can add further default ports for this policy to evaluate. The default ports used by this policy are "*", "22", and "3389".

    {
      "mode": "All",
      "parameters": {
        "blockedports": {
          "type": "Array",
          "metadata": {
            "displayName": "blocked ports",
            "description": "The list of ports to block"
          },
          "defaultValue": [ "*", "22", "3389" ]
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                  "equals": "Allow"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                  "equals": "Inbound"
                },
                {
                  "anyOf": [
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                      "in": "[parameters('blockedports')]"
                    },
                    {
                      "not": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                        "notIn": "[parameters('blockedports')]"
                      }
                    }
                  ]
                },
                {
                  "anyOf": [
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                      "in": [ "*", "Internet", "0.0.0.0/0" ]
                    },
                    {
                      "not": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                        "notIn": [ "*", "Internet", "0.0.0.0/0" ]
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      }
    }

The "not"/"notIn" pairs on the destinationPortRanges[*] and sourceAddressPrefixes[*] array aliases make the rule fire when at least one listed port or source matches; a condition placed directly on an array alias holds only when every element of the array satisfies it.

6) Save the policy.

Policy Assignment

You can now assign the policy according to your requirements.

1) Open Azure Policy, go to the Definitions blade, select the custom policy you created and click Assign Policy. You can assign it at subscription level or to a specific resource group, as your business requires.
2) Update the port list while assigning the policy: go to the Parameters tab, untick "Show only parameters that require input or review", and click the three dots next to the "Blocked ports" box.
3) The editor opens. Update the ports you want this policy to cover and click Save.
4) Click Next, then Next again, and update the "Non-Compliant Message" to suit your requirements.
5) Click Review + Create and review the output. After confirming, create the policy assignment.
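As an added illustration that is not part of the original post, the following Python models how Azure Policy would evaluate the definition above against a handful of constructed security rules, using the documented semantics for "[*]" array aliases (a condition holds only when every element satisfies it, so "not" with "notIn" expresses "at least one element is in the list"). The helper names, the sample rules and the offline evaluation itself are assumptions made for this demonstration, not the policy engine.

```python
# Added example (not from the original post): an offline approximation of how
# Azure Policy evaluates the definition above against candidate NSG rules.
# Assumption taken from the Azure Policy docs: a condition on a "[*]" array
# alias is true only when EVERY element satisfies it, so "not" + "notIn" is
# the idiom for "at least one element is in the list". The sample rules are
# constructed, not real resources.
BLOCKED_PORTS = ["*", "22", "3389"]            # the definition's defaultValue
OPEN_SOURCES = ["*", "Internet", "0.0.0.0/0"]  # sources the rule treats as open

def any_in(values, allowed):
    """Model of {"not": {"field": "x[*]", "notIn": allowed}}.
    An empty or missing array makes the inner notIn vacuously true, so the
    negation is False and this branch cannot fire on its own."""
    return not all(v not in allowed for v in values)

def is_denied(rule, blocked_ports=BLOCKED_PORTS):
    """True when the definition's deny effect would fire for this rule.
    "in" is an exact string match: a range such as "20-30" is not caught."""
    if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
        return False
    port_hit = (rule.get("destinationPortRange") in blocked_ports
                or any_in(rule.get("destinationPortRanges", []), blocked_ports))
    source_hit = (rule.get("sourceAddressPrefix") in OPEN_SOURCES
                  or any_in(rule.get("sourceAddressPrefixes", []), OPEN_SOURCES))
    return port_hit and source_hit

def denied_rule_names(rules, blocked_ports=BLOCKED_PORTS):
    """Names of the rules Azure Policy would reject at create/update time."""
    return [r["name"] for r in rules if is_denied(r, blocked_ports)]

# Constructed samples shaped like securityRules properties.
SAMPLE_RULES = [
    {"name": "ssh-from-internet", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "mgmt-list-from-any", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "3389"]},
    {"name": "web-from-internet", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "rdp-from-corp", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "3389"},
    {"name": "deny-all-inbound", "access": "Deny", "direction": "Inbound",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    print(denied_rule_names(SAMPLE_RULES))  # ['ssh-from-internet', 'mgmt-list-from-any']
```

Passing a different list as blocked_ports mirrors editing the "Blocked ports" parameter at assignment time, so the same rules can be checked against a custom port list.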
It usually takes 5 to 15 minutes for a policy assignment to take effect. To update the port list after assigning the policy, edit the policy assignment, go to the Parameters tab, and edit the ports.

Disclaimer: The products and options presented in this document are subject to change. This document reflects custom policies for Azure network security rules as of September 2024.