Azure Load Balancer - Read Access using Azure Policy

Girish Prajwal 706

Hi Team,

I have created a policy today for Azure load balancer having read access. However, I was unsure on the parameters binding for "READ" access. Request you to validate and add the missing lines if any for the below template.

{
"properties": {
"displayName": "Azure Load Balancer Read access",
"policyType": "Custom",
"mode": "All",
"description": "All users should have Read access to Azure Load Balancers.\n",
"metadata": {
"category": "Network",
"createdBy": "a51a-55-4d-b6-40",
"createdOn": "2020-09-22T07:50:52.604408Z",
"updatedBy": null,
"updatedOn": null
},
"parameters": {},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Network/LoadBalancers"
},
"then": {
"effect": "deny"
}
}
},

Regards,
Girish Prajwal

Girish Prajwal 706 Reputation points

2020-09-23T07:09:28.433+00:00

Could anyone from Azure Policy team answer my question. Is it too difficult or challenging. I don't understand.
SwathiDhanwada-MSFT 17,241 Reputation points

2020-09-23T08:48:03.193+00:00

@Girish Prajwal Thanks for your comment. I am looking into it and will update you soon.
SwathiDhanwada-MSFT 17,241 Reputation points

2020-09-23T15:07:55.63+00:00
@Girish Prajwal Please note Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. It means Azure Policy uses the ARM properties of azure resources. Based on the ARM properties, the aliases are created (most of them are available, this is applicable if only any alias isn't available )and then used to assess the compliance of resources.

For Azure Load balancer, to retrieve the list of available aliases the below PowerShell command can be used

$a=(Get-AzPolicyAlias -AliasMatch Microsoft.Network/loadBalancers).Aliases $a.Name

For your requirement, I presume Dynamic Groups feature from Azure Active Directory will be applicable. I will test it from my end and provide you a solution.
Girish Prajwal 706 Reputation points

2020-09-24T16:18:57.483+00:00

Any Testing Done with Dynamic Groups feature.

1 answer

SwathiDhanwada-MSFT 17,241 Reputation points

2020-09-25T09:01:27.333+00:00

@Girish Prajwal Here are the steps to make sure all the users have read access to Azure Load Balancer.

1) Create the Dynamic Group by following the steps mentioned this document so that it includes all the users of type Member and Guest of Azure Active Directory.

2) Create a Custom Role which has contain read access permissions to the Azure Load Balancer by following the steps mentioned in this document.

3) Assign the Custom Role to the Dynamic Group so that the permissions will be applied to all the users. For more information, refer this document.

Kindly try above steps and revert if you have further questions.
Please sign in to rate this answer.
SwathiDhanwada-MSFT 17,241 Reputation points

2020-09-28T05:03:13.577+00:00

@Girish Prajwal Did you get chance to view my previous comment ? Kindly let me know if you have any queries related to it.

Girish Prajwal 706 Reputation points

2020-09-28T10:52:43.2+00:00

In that case, why should I use Dynamic Groups Feature. I can straight away go with Azure RBAC custom roles and add it to the users/group.

SwathiDhanwada-MSFT 17,241 Reputation points

2020-09-28T14:59:40.01+00:00

@Girish Prajwal Yes you can do that too. But whenever any new user is added, you have manually add it to the group. But Dynamic Groups reduces the administrative overhead of adding and removing users.

For example, when any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.

Girish Prajwal 706 Reputation points

2020-09-29T06:07:54.173+00:00

No, our users/devices are not dynamic in nature. We wont be adding the users once again after we finalized the group and kind of RBAC permissions to them.

SwathiDhanwada-MSFT 17,241 Reputation points

2020-09-29T08:58:24.583+00:00

@Girish Prajwal In such case, you can manually assign the role permissions to the group by following this document. Let me know if you any questions related to it.

Girish Prajwal 706 Reputation points

2020-09-30T14:19:23.367+00:00

From Policy to RBAC role assignment. Well, I will use it as is.

Thank you Swathi.
Sign in to comment