Manage NSG association on Subnets via Azure Policy

by info.odysseyx@gmail.com, September 12, 2024

This blog article covers how to use a custom Azure Policy to deny the creation of a subnet in a virtual network if the subnet does not have a network security group (NSG) associated with it.

To create the custom policy, follow these steps:

1) In the Azure portal, open the Azure Policy, Definitions blade.
2) Create a new policy definition.
3) Add a definition location (the subscription that will host this policy), a name, and a description.
4) Enable the existing category and select Networking.
5) Add the policy definition below to the Rules field.

Note: You can adjust the parameters below as needed. The example below excludes the following subnets; you can add more as desired: "GatewaySubnet", "AzureFirewallSubnet", "AzureBastionSubnet", "AzureFirewallManagementSubnet".

```json
{
  "mode": "All",
  "parameters": {
    "excludedSubnets": {
      "type": "Array",
      "metadata": {
        "displayName": "Excluded subnets",
        "description": "The list of subnet names to exclude from the policy"
      },
      "defaultValue": [
        "GatewaySubnet",
        "AzureFirewallSubnet",
        "AzureBastionSubnet",
        "AzureFirewallManagementSubnet",
        "YourCustomSubnet"
      ]
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Network/virtualNetworks" },
            {
              "not": {
                "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
                "exists": true
              }
            },
            {
              "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
              "notIn": "[parameters('excludedSubnets')]"
            }
          ]
        },
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets" },
            {
              "not": {
                "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
                "exists": true
              }
            },
            { "field": "name", "notIn": "[parameters('excludedSubnets')]" }
          ]
        }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

6) Save the policy.
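Before assigning the policy, it helps to see which existing subnets the rule would flag. The Python script below is an added example, not part of the original article and not Azure Policy's own evaluation engine: it mirrors the subnet-level branch of the rule above (no networkSecurityGroup.id and a name not in excludedSubnets) against a constructed VNet document in Azure Resource Manager shape; the VNet, subnet and NSG names are made up.

```python
import json

# Same defaults as the excludedSubnets parameter in the policy definition above.
DEFAULT_EXCLUDED = [
    "GatewaySubnet",
    "AzureFirewallSubnet",
    "AzureBastionSubnet",
    "AzureFirewallManagementSubnet",
]

# Constructed sample VNet in Azure Resource Manager shape; the names and the
# NSG resource id are made up for this example.
SAMPLE_VNET = json.loads("""{
  "name": "hub-vnet",
  "type": "Microsoft.Network/virtualNetworks",
  "properties": {"subnets": [
    {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/27"}},
    {"name": "app", "properties": {"addressPrefix": "10.0.1.0/24",
      "networkSecurityGroup": {"id": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/app-nsg"}}},
    {"name": "data", "properties": {"addressPrefix": "10.0.2.0/24"}}
  ]}
}""")


def has_nsg(subnet: dict) -> bool:
    """Mirror the rule's 'networkSecurityGroup.id exists' condition."""
    nsg = subnet.get("properties", {}).get("networkSecurityGroup") or {}
    return bool(nsg.get("id"))


def would_be_denied(subnet: dict, excluded=DEFAULT_EXCLUDED) -> bool:
    """Mirror the subnet-level allOf: no NSG id and name not in excludedSubnets.

    Azure Policy compares string conditions such as notIn case-insensitively,
    so the name check does the same here.
    """
    excluded_lc = {name.lower() for name in excluded}
    return not has_nsg(subnet) and subnet["name"].lower() not in excluded_lc


def non_compliant_subnets(vnet: dict, excluded=DEFAULT_EXCLUDED) -> list:
    """Names of the subnets in vnet that the deny effect would apply to."""
    return [s["name"] for s in vnet["properties"]["subnets"]
            if would_be_denied(s, excluded)]


if __name__ == "__main__":
    for name in non_compliant_subnets(SAMPLE_VNET):
        print(f"{SAMPLE_VNET['name']}/{name}: no NSG associated, would be denied")
```

Point the script at the output of your own VNet inventory to get the list of subnets that need an NSG or an entry in the excluded list before the assignment takes effect.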
You can now assign this policy as your requirements dictate.

1) Open the Azure Policy, Definitions blade, select the custom policy you created and click Assign Policy. You can assign it at the subscription level or to a specific resource group, depending on your business requirement.
2) Update the list of excluded subnets while assigning the policy: go to the Parameters tab, uncheck "Show only parameters that require input or review" and select the three dots next to the "Excluded subnets" box.
3) The editor opens. Update the subnet names you want to exclude and click Save.
4) Click Next, then Next again, and update the "Non-compliance message" to suit your requirements.
5) Click Review + create, review the output and, after confirmation, create the policy assignment.

A policy assignment usually takes about 5-15 minutes to take effect.

To update the list of excluded subnets after the policy has been assigned:

1) In the Azure portal, open the Azure Policy, Assignments blade and search for the assignment.
2) Click on the name to open the assignment.
3) Select Edit assignment.
4) Go to the Parameters tab, uncheck "Show only parameters that require input or review" and select the three dots next to the "Excluded subnets" box.
5) The editor opens. Update the subnet names you want to exclude and click Save.

Disclaimer

The products and options presented in this document are subject to change. This document reflects custom policies for Azure subnets as of September 2024. A user with the required permissions can create exemptions for individual resources, which renders the policy ineffective for those resources. Some subnets managed by Azure services may not require an NSG; make sure these subnets are added to the list of excluded subnets, or use policy exemptions as needed. To avoid unexpected outages and to ensure that your requirements are met, we recommend testing your policies in a non-production environment before applying them to production.