How to Implement Network Policy to Restrict Network Access to Azure Resources Based on IP Addresses?

Radu Ifrim 20 Reputation points
2024-02-05T13:23:16.5266667+00:00

Hello, I’m looking for guidance on how to automatically restrict network inbound and outbound traffic to all Azure resources. Specifically, I want to ensure that only users with certain IP addresses can access the endpoints. The challenge is that I’m not sure which specific resources will be created, so I need a solution that covers all Azure resources. When a resource is created, I know that the user can assign either a public IP or a private IP to their resources. Regardless of whether a resource has a public or private IP, I want to ensure that the endpoint is accessible only to certain IP addresses.
What I'm looking for is to implement a network policy that acts as an additional layer of protection, similar to a service mesh concept. Could you please provide recommendations, guidance or best practices for achieving this? Ideally, I’d like to set up a policy or configuration that applies to any future Azure resources created within our environment. Thank you in advance for your assistance!

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

2 answers

  1. Sam Cogan 10,157 Reputation points MVP
    2024-02-05T14:37:48.8433333+00:00

    What you are looking for does not exist in Azure. There is no network policy that covers all possible Azure resources. Each resource type has a different way of configuring network restrictions or may not support it at all. There are things you could do with Azure Policy to restrict resources so that they must have network restrictions enabled and even that they must have specific IPs in the network restrictions, but you would need to create them for each resource type.

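    As an added illustration of the per-resource-type approach described in this answer (not code from the thread), here is one Azure Policy definition written for a single resource type: it denies (or audits) storage accounts whose network ACL is not default-deny, or whose public IP rules include an address outside an approved set. The parameter names and the 203.0.113.0/24 range are constructed sample values.

```json
{
  "properties": {
    "displayName": "Storage accounts: restrict public network access to approved IPs",
    "mode": "Indexed",
    "parameters": {
      "allowedSourceIps": {
        "type": "Array",
        "metadata": { "displayName": "Approved source IP ranges (constructed sample)" },
        "defaultValue": [ "203.0.113.0/24" ]
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "count": {
                  "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
                  "where": {
                    "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
                    "notIn": "[parameters('allowedSourceIps')]"
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

    Assigned at management group or subscription scope, this applies to storage accounts created later as well as existing ones (as Audit for the latter); an equivalent definition is needed for each other resource type, and this check does not cover virtual network rules or private endpoints.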

  2. David Broggy 5,681 Reputation points MVP
    2024-02-05T14:52:40.6633333+00:00

    If I may suggest, have you looked at Azure Entra SASE?
    The GSA agent has many capabilities on controlling endpoint access by IP and port.
    However, it may not have the capability to block by source IP but rather by whatever is supported by Conditional Access in Azure Entra. Reference: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-get-started-with-global-secure-access
