Sample - Audit if Network Watcher is not enabled for region

This policy audits if Network Watcher is not enabled for a specified region. You specify the name of the region to check whether Network Watcher is enabled.

If you don't have an Azure subscription, create a free account before you begin.

Sample template

{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "audit-network-watcher-existence",
    "properties": {
        "displayName": "Audit if Network Watcher is not enabled for region",
        "description": "This policy audits if Network Watcher is not enabled for a selected region.",
        "parameters": {
            "location": {
                "type": "string",
                "metadata": {
                    "displayName": "Audit if Network Watcher is not enabled for region",
                    "description": "This policy audits if Network Watcher is not enabled for a selected region.",
                    "strongType": "location"
                }
            }
        },
        "policyRule": {
            "if": {
                "field": "type",
                "equals": "Microsoft.Network/virtualNetworks"
            },
            "then": {
                "effect": "auditIfNotExists",
                "details": {
                    "type": "Microsoft.Network/networkWatchers",
                    "resourceGroupName": "NetworkWatcherRG",
                    "existenceCondition": {
                        "field": "location",
                        "equals": "[parameters('location')]"
                    }
                }
            }
        }
    }
}
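To see what this rule actually checks, the following added Python (not part of the Microsoft sample) replays the policyRule above against a constructed resource inventory; the template-expression resolver, the resource records and the state labels are assumptions of this example.

```python
# Hypothetical offline evaluator for the auditIfNotExists rule shown above.
POLICY_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
    "then": {"effect": "auditIfNotExists", "details": {
        "type": "Microsoft.Network/networkWatchers",
        "resourceGroupName": "NetworkWatcherRG",
        "existenceCondition": {"field": "location",
                               "equals": "[parameters('location')]"}}},
}

# Constructed inventory (not real Azure data): two virtual networks in
# different regions and one Network Watcher in the well-known resource group.
RESOURCES = [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-east",
     "resourceGroup": "app-rg", "location": "eastus"},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-west",
     "resourceGroup": "app-rg", "location": "westus"},
    {"type": "Microsoft.Network/networkWatchers", "name": "NetworkWatcher_eastus",
     "resourceGroup": "NetworkWatcherRG", "location": "EastUS"},
]

def resolve(value, params):
    """Resolve the "[parameters('name')]" template expression used in the rule."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(condition, resource, params):
    """One field/equals condition; Policy string comparisons are case-insensitive."""
    actual = resource.get(condition["field"])
    expected = resolve(condition["equals"], params)
    return actual is not None and actual.lower() == str(expected).lower()

def evaluate(rule, resource, inventory, params):
    """Compliance state of a single resource under the auditIfNotExists rule."""
    if not matches(rule["if"], resource, params):
        return "NotApplicable"            # the 'if' block only targets virtual networks
    details = rule["then"]["details"]
    # Related resources are searched in the named group (or the evaluated
    # resource's own group when resourceGroupName is absent from details).
    rg = details.get("resourceGroupName", resource["resourceGroup"])
    related = [r for r in inventory
               if r["type"].lower() == details["type"].lower()
               and r["resourceGroup"].lower() == rg.lower()]
    if any(matches(details["existenceCondition"], r, params) for r in related):
        return "Compliant"
    return "NonCompliant"                 # nothing matched: the audit fires

def compliance_report(inventory, params):
    return {r["name"]: evaluate(POLICY_RULE, r, inventory, params) for r in inventory}
```

Note that the existenceCondition compares the watcher's location with the assignment parameter, not with each virtual network's own region: with location set to eastus, vnet-west is reported compliant as long as an eastus watcher exists, so assign the policy once per region you want covered.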

You can deploy this template using the Azure portal, with PowerShell or with the Azure CLI.

Deploy with the portal

Deploy the Policy sample to Azure

Deploy with PowerShell

This sample requires Azure PowerShell. Run Get-Module -ListAvailable Az to find the version. If you need to install or upgrade, see Install Azure PowerShell module.

Run the Connect-AzAccount cmdlet to connect to Azure.

$definition = New-AzPolicyDefinition -Name "audit-network-watcher-existence" -DisplayName "Audit if Network Watcher is not enabled for region" -description "This policy audits if Network Watcher is not enabled for a selected region." -Policy 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Network/audit-network-watcher-existence/azurepolicy.rules.json' -Parameter 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Network/audit-network-watcher-existence/azurepolicy.parameters.json' -Mode All
$definition
$assignment = New-AzPolicyAssignment -Name <assignmentname> -Scope <scope> -location <location> -PolicyDefinition $definition
$assignment

Clean up PowerShell deployment

Run the following command to remove the resource group, VM, and all related resources.

Remove-AzResourceGroup -Name myResourceGroup

Deploy with Azure CLI

To run this sample, install the latest version of the Azure CLI. To start, run az login to create a connection with Azure.

Samples for the Azure CLI are written for the bash shell. To run this sample in Windows PowerShell or Command Prompt, you may need to change elements of the script.

az policy definition create --name 'audit-network-watcher-existence' --display-name 'Audit if Network Watcher is not enabled for region' --description 'This policy audits if Network Watcher is not enabled for a selected region.' --rules 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Network/audit-network-watcher-existence/azurepolicy.rules.json' --params 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Network/audit-network-watcher-existence/azurepolicy.parameters.json' --mode All

az policy assignment create --name <assignmentname> --scope <scope> --policy "audit-network-watcher-existence" --params '{ "location": { "value": "<location>" } }'

Clean up Azure CLI deployment

Run the following command to remove the resource group, VM, and all related resources.

az group delete --name myResourceGroup --yes

Next steps