Deny inbound NSG rule creation via Azure Policy

by info.odysseyx@gmail.com, September 11, 2024

This blog post covers how to deny the creation of an inbound network security group (NSG) rule when the rule's source is Internet, All (`*`), or 0.0.0.0/0 and its destination port includes 22, 3389, or `*`.

Note: a user with the necessary permissions can create an exemption for a resource, which prevents this policy from taking effect on that resource.

Creating a custom policy definition

To create a custom policy, follow these steps:

1) In the Azure portal, open Azure Policy and go to the Definitions blade.
2) Create a new policy definition.
3) Add a definition location (the subscription that will host this policy), a name, and a description.
4) Under Category, choose the existing-category option and select Networking.
5) Then add the policy definition below as the policy rule.

Note: you can add further default ports for this policy to evaluate. The default ports used by this policy are `*`, `22`, and `3389`.
```json
{
  "mode": "All",
  "parameters": {
    "blockedports": {
      "type": "Array",
      "metadata": {
        "displayName": "Blocked ports",
        "description": "The list of ports to block"
      },
      "defaultValue": [ "*", "22", "3389" ]
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
          "equals": "Allow"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
          "equals": "Inbound"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
              "in": "[parameters('blockedports')]"
            },
            {
              "not": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                "notIn": "[parameters('blockedports')]"
              }
            }
          ]
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
              "in": [ "*", "Internet", "0.0.0.0/0" ]
            },
            {
              "not": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                "notIn": [ "*", "Internet", "0.0.0.0/0" ]
              }
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

For the array-valued fields (`destinationPortRanges[*]` and `sourceAddressPrefixes[*]`) the rule uses the `not` / `notIn` pattern, which matches when at least one array element is in the list; a plain `in` on a `[*]` field only matches when every element is in the list, so it would miss a rule that lists several ports or several source prefixes.

6) Then save the policy.

Policy Assignment

You can now assign this policy according to your requirements.

1) Open the Azure Policy page, go to the Definitions blade, select the custom policy you created and click Assign policy. You can assign it at subscription level or to a specific resource group, as your business requires.
2) Update the port list when assigning the policy: go to the Parameters tab, uncheck the box "Show only parameters that require input or review" and click the three dots next to the "Blocked ports" box.
3) The editor opens. Update the ports you want this policy to include and click Save.
4) Click Next, then Next again, and update the "Non-Compliant Message" to suit your requirements.
5) Click Review + Create and review the output. After confirmation, create the policy assignment.
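Before assigning the policy at scale, it helps to sanity-check what the rule will and will not deny. The following Python script is an added example, not part of the original post: it evaluates constructed sample NSG rules against the same conditions as the policyRule above. It assumes the documented `[*]` alias semantics (a condition on an array field holds only when every member satisfies it) and compares ports as strings, as the policy does.

```python
# Local evaluator for the policyRule above, run over constructed sample NSG rules.
# Assumption: Azure Policy evaluates a condition on a "[*]" field against every
# array member and it holds only when all of them satisfy it, so the policy's
# not/notIn pattern means "at least one member is in the list".
OPEN_SOURCES = ["*", "Internet", "0.0.0.0/0"]  # source prefixes listed in the policy
DEFAULT_BLOCKED_PORTS = ["*", "22", "3389"]    # the parameter's defaultValue

def all_members(values, pred):
    """[*] semantics: true only if every array member satisfies pred."""
    return all(pred(v) for v in values)

def contains_any(values, wanted):
    """{"not": {"field": "...[*]", "notIn": wanted}}: some member is in wanted."""
    return not all_members(values, lambda v: v not in wanted)

def is_denied(rule, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """True when the policy's deny effect would fire for this securityRules resource."""
    p = rule["properties"]
    if p.get("access") != "Allow" or p.get("direction") != "Inbound":
        return False
    port_hit = (p.get("destinationPortRange") in blocked_ports
                or contains_any(p.get("destinationPortRanges", []), blocked_ports))
    source_hit = (p.get("sourceAddressPrefix") in OPEN_SOURCES
                  or contains_any(p.get("sourceAddressPrefixes", []), OPEN_SOURCES))
    return port_hit and source_hit

def evaluate(rules, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Map each rule name to whether the policy would deny its creation."""
    return {r["name"]: is_denied(r, blocked_ports) for r in rules}

def rule(name, access, direction, **props):
    """Build a minimal securityRules resource (constructed test data)."""
    return {"name": name, "properties": {"access": access, "direction": direction, **props}}

SAMPLE_RULES = [
    rule("rdp-from-anywhere", "Allow", "Inbound", sourceAddressPrefix="*", destinationPortRange="3389"),
    rule("multi-src-multi-port", "Allow", "Inbound",
         sourceAddressPrefixes=["Internet", "10.0.0.0/8"], destinationPortRanges=["80", "22"]),
    rule("ssh-from-corp", "Allow", "Inbound", sourceAddressPrefix="10.0.0.0/8", destinationPortRange="22"),
    rule("https-from-internet", "Allow", "Inbound", sourceAddressPrefix="Internet", destinationPortRange="443"),
    rule("explicit-deny", "Deny", "Inbound", sourceAddressPrefix="*", destinationPortRange="22"),
    rule("outbound-any", "Allow", "Outbound", sourceAddressPrefix="*", destinationPortRange="*"),
    # Caveat: ports are compared as strings, so a range that covers 22 is not caught.
    rule("range-covering-ssh", "Allow", "Inbound", sourceAddressPrefix="Internet", destinationPortRange="20-30"),
]

if __name__ == "__main__":
    for name, denied in evaluate(SAMPLE_RULES).items():
        print(f"{name:22} {'DENY' if denied else 'allow'}")
```

The last sample rule shows why port ranges deserve a separate look: the policy matches exact port strings, so a range such as `20-30` passes even though it covers port 22.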
It usually takes 5 to 15 minutes for a policy assignment to take effect. To update the port list after assigning the policy, edit the policy assignment, go to the Parameters tab, and edit the ports.

Disclaimer

The products and options presented in this document are subject to change. This document reflects custom policies for Azure network security rules as of September 2024.