Azure Policy - Remediating Managed Disks to Disable Public Access + Disable Private Endpoint

Aditya Garg 61 Reputation points
2023-07-02T10:00:17.0733333+00:00

Hello Microsoft and Community,

There is a built in policy for Managed Disks:

Managed disks should disable public network access

and there is one remediation/configuration called:

Configure managed disks to disable public network access

But, on closer observation, this fix is trying to enforce the use of Private Endpoints.

In the portal navigation below, we have 3 options:

- Enable public access from all networks

- Disable public access and enable private access

- Disable public and private access

(Image: Azure Disk NW Options)

Here is what selecting each leads to for the two parameters (PublicNetworkAccess and NetworkAccessPolicy):


It is highly recommended to add another policy to configure/enforce the last option which disables both public and private access.


Use case being that disk import/export is not needed in an environment and the use of private endpoints is not desired.

Any thoughts on tweaking existing remediation policy are welcome.

2. Is it possible to inspect ALL the environment disks in one go, i.e. what NETWORKING setting is applied in the context of this policy?

(Unable to see a particular column for this under the Disks blade on the Azure portal)

Tried CLI, but no luck:

az [ ~ ]$ az disk list -o table
Name                                                         ResourceGroup    Location    Zones    Sku          OsType    SizeGb    ProvisioningState
-----------------------------------------------------------  ---------------  ----------  -------  -----------  --------  --------  -------------------
TestVMforAzurepolicy_disk1_2944a91b6d29448da153fe2bc6b23aae  DEMO-POLICY-RG   eastus               Premium_LRS  Linux     30        Succeeded
az [ ~ ]$ 
az [ ~ ]$ 
az [ ~ ]$ az disk show
(--resource-group --name | --ids) are required
az [ ~ ]$ 

Kind regards,

Aditya Garg


4 answers

  1. Aditya Garg 61 Reputation points
    2023-07-02T10:16:18.6633333+00:00

    For implementing "Disable public and private access":

    Perhaps I need to:

    1. Remove the following lines of code

    <Under parameters>

        "diskAccessId": {
          "type": "String",
          "metadata": {
            "displayName": "Resource Id for the DiskAccess in the given location to which the disk resource needs to be linked",
            "strongType": "Microsoft.Compute/diskAccesses",
            "description": "Disk access resources enable exporting managed disks securely via private endpoints. Learn more at: https://aka.ms/disksprivatelinksdoc"
          }
        }

    <Under effect/operations>

        {
          "operation": "addOrReplace",
          "field": "Microsoft.Compute/disks/diskAccessId",
          "value": "[parameters('diskAccessId')]"
        },

    2. And modify the other operations as:

        {
          "operation": "addOrReplace",
          "field": "Microsoft.Compute/disks/networkAccessPolicy",
          "value": "DenyAll"
        },
        {
          "operation": "addOrReplace",
          "field": "Microsoft.Compute/disks/publicNetworkAccess",
          "value": "Disabled"
        }
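    The edits sketched above, carried through to a complete custom policy as an added example (not code from the thread or from the built-in definition): a Modify policy whose operations set NetworkAccessPolicy to DenyAll and PublicNetworkAccess to Disabled, with no diskAccessId parameter. It assumes Az.Resources is installed and Connect-AzAccount has been run; the definition and assignment names and the eastus location are assumptions, and the role id is the built-in Contributor role.

    ```powershell
    # Added example: custom Modify policy for the "Disable public and private access" option.
    # Assumes Az.Resources and an authenticated Az context; names and location are assumptions.
    $policyRule = @'
    {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/disks" },
          { "anyOf": [
              { "field": "Microsoft.Compute/disks/networkAccessPolicy", "notEquals": "DenyAll" },
              { "field": "Microsoft.Compute/disks/publicNetworkAccess", "notEquals": "Disabled" }
          ] }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "audit",
          "operations": [
            { "operation": "addOrReplace", "field": "Microsoft.Compute/disks/networkAccessPolicy", "value": "DenyAll" },
            { "operation": "addOrReplace", "field": "Microsoft.Compute/disks/publicNetworkAccess", "value": "Disabled" }
          ]
        }
      }
    }
    '@

    # Same switchable effect the built-in definition exposes, minus the diskAccessId parameter.
    $policyParams = @'
    {
      "effect": {
        "type": "String",
        "metadata": { "displayName": "Effect", "description": "Modify to remediate, Disabled to switch the policy off" },
        "allowedValues": [ "Modify", "Disabled" ],
        "defaultValue": "Modify"
      }
    }
    '@

    $definition = New-AzPolicyDefinition -Name 'disks-deny-all-network-access' `
        -DisplayName 'Configure managed disks to disable public and private network access' `
        -Mode 'Indexed' -Policy $policyRule -Parameter $policyParams

    # Modify needs a managed identity on the assignment so the remediation task can write disk properties.
    $scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
    New-AzPolicyAssignment -Name 'disks-deny-all' -PolicyDefinition $definition -Scope $scope `
        -IdentityType 'SystemAssigned' -Location 'eastus'
    ```

    The assignment's identity still needs a role assignment matching roleDefinitionIds at the scope before a remediation task (Start-AzPolicyRemediation) can update existing disks.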

  2. Aditya Garg 61 Reputation points
    2023-07-02T11:20:09.14+00:00

    For query 2 (knowing what disk setting is in use for networking across the subscription), this seems to be one way based on my research:

    Get-AzDisk | Format-Table ManagedBy, PublicNetworkAccess, NetworkAccessPolicy

    REF: here and here

    The results must be manually compiled to make sense from the 2 values:


    Alternatively, in a scenario requiring a check beforehand of how a policy like "Managed disks should disable public network access" compares with the current environment, referring to the JSON for the policy and plugging the same into Azure Resource Graph Explorer (on the portal) should work:

    resources
    | where type == "microsoft.compute/disks"
    | where properties['networkAccessPolicy'] != "DenyAll" and properties['networkAccessPolicy'] != "AllowPrivate"
    | where properties['publicNetworkAccess'] != "Disabled"
    

    Regards,

    Aditya Garg
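    An added example (not code from the thread) that does the "manual compiling" of the two values described above: it maps each disk's PublicNetworkAccess/NetworkAccessPolicy pair back to the portal option it corresponds to and flags disks that are not on "Disable public and private access". It assumes Az.Compute is installed, Connect-AzAccount has been run, and the current context is the subscription to inventory; the function name is an assumption.

    ```powershell
    # Added example: inventory every disk in the current subscription by portal networking option.
    # Assumes Az.Compute and an authenticated Az context.
    function Get-DiskNetworkOption {
        param([string]$PublicNetworkAccess, [string]$NetworkAccessPolicy)
        # The three portal radio buttons correspond to these property pairs.
        switch ("$PublicNetworkAccess/$NetworkAccessPolicy") {
            'Enabled/AllowAll'      { 'Enable public access from all networks' }
            'Disabled/AllowPrivate' { 'Disable public access and enable private access' }
            'Disabled/DenyAll'      { 'Disable public and private access' }
            # Any other pair, including unset values on older disks, is surfaced for review.
            default                 { "Other/unset ($PublicNetworkAccess / $NetworkAccessPolicy)" }
        }
    }

    Get-AzDisk | ForEach-Object {
        [pscustomobject]@{
            Name                = $_.Name
            ResourceGroup       = $_.ResourceGroupName
            ManagedBy           = $_.ManagedBy
            PublicNetworkAccess = $_.PublicNetworkAccess
            NetworkAccessPolicy = $_.NetworkAccessPolicy
            PortalOption        = Get-DiskNetworkOption $_.PublicNetworkAccess $_.NetworkAccessPolicy
            # True only for the option the question wants enforced.
            DenyAllCompliant    = ($_.PublicNetworkAccess -eq 'Disabled' -and $_.NetworkAccessPolicy -eq 'DenyAll')
        }
    } | Sort-Object DenyAllCompliant, Name | Format-Table -AutoSize
    ```

    Pipe the objects to Export-Csv instead of Format-Table to keep the result as an inventory file.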


  3. Westmacott Claire 1 Reputation point
    2024-04-29T12:51:39.3766667+00:00

    Did you work out what you needed to do here with Policy?


  4. Winter, Ashley 0 Reputation points
    2024-05-08T14:37:28.9533333+00:00

    This works from the CLI - you could just create a runbook on schedule with it or whatever.

    # Pick up every disk that still allows public network access.
    $disks = Get-AzDisk | Where-Object { $_.PublicNetworkAccess -eq 'Enabled' }

    foreach ($disk in $disks) {
        # Build a fresh update config (the cmdlet does not need the disk object piped in)
        # and apply it to the disk by resource group and name.
        New-AzDiskUpdateConfig -PublicNetworkAccess 'Disabled' -NetworkAccessPolicy 'DenyAll' |
            Update-AzDisk -ResourceGroupName $disk.ResourceGroupName -DiskName $disk.Name
    }
