rathishbin asked ·

Azure policy to validate mandatory NSG rules during deployment not working as expected

I have the following requirement:

Users should not deploy an NSG without the mandatory security rules. If the mandatory rule is not present, or if the properties of the security rule differ from what is expected, then the deployment should fail.

Below is the logic used. The policy deny is activated if any change is attempted from the portal directly; however, when the NSG rule is updated through Ansible or PowerShell, the policy check does not work.

Why is the policy behaving differently for the different modes of update?

```json
{
  "if": {
    "allOf": [
      {
        "anyOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          }
        ]
      },
      {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
        "equals": "Allow"
      },
      {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
        "equals": "1040"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
            "notEquals": "Inbound"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/protocol",
            "notEquals": "TCP"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
            "notEquals": "*"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes",
            "notIn": [
              "10.23.1.11/28",
              "10.23.1.11/28"
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
azure-policy

1 Answer

DCtheGeek answered ·

I believe part of the issue is checking for two different resource types in the definition. Since the securityRules aliases (as a [*] array alias) are on the NSG, I'd evaluate only the Microsoft.Network/networkSecurityGroups type. There's an example pretty similar to this in the Community Policy repo; I'd check it out and just adapt the securityRules properties/settings to your needs: https://github.com/Azure/Community-Policy/blob/master/Policies/Network/deny-nsgs-with-rules-with-source-any/azurepolicy.json. It uses count to evaluate each instance of the securityRules array alias.

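The following policy definition is an added example of the approach DCtheGeek describes; it is not taken from the answer or from the Community Policy repo. It evaluates only the Microsoft.Network/networkSecurityGroups type and uses a count expression over the securityRules[*] array alias: the NSG is denied when fewer than one rule matches every property of the mandatory rule. The property values (priority 1040, Allow, Inbound, TCP, destination port *, source prefix 10.23.1.11/28) come from the question; the displayName and mode are assumptions, and the nested sourceAddressPrefixes[*] match with in is an assumption that should be checked against the alias list for your API version.

```json
{
  "properties": {
    "displayName": "Deny NSGs that lack the mandatory priority 1040 inbound rule",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].priority",
                    "equals": 1040
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                    "equals": "Allow"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                    "equals": "Inbound"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].protocol",
                    "equals": "Tcp"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                    "in": [
                      "10.23.1.11/28"
                    ]
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Because the condition is "fewer than one matching rule", a deployment that omits the rule, or that submits it with a different priority, direction, protocol or port range, fails the count and is denied, which is the "present and exactly as expected" requirement from the question. String comparisons in Azure Policy conditions are case-insensitive, so "Tcp" also matches a rule submitted as "TCP". Before assigning, confirm the aliases with `Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Network' -ResourceTypeMatch 'networkSecurityGroups'` and create the definition with `New-AzPolicyDefinition -Name <name> -Policy <path-to-file>`.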

@DCtheGeek Thanks for sharing the link. I will work on the policy again during the weekend to see if this makes any difference.
