Azure policy looking for a specific tag on vnets and then deploying a virtual wan hub connection to that vnet

Question

I have managet to create a policy with a rule which searches for all vnets containing a specific tag. If it finds a vnet with this tag it should do a template deployment where it creates a virtual wan hub connection to that vnet. The virtual Wan is in a separate subscriptionso the deployment is running in a sub template. My question is how can i get the Vnet ID from the vnet in the policy rule and put it in the sub deployment in:

"remoteVirtualNetwork": { "id": "" },

Is there any way to get the ID of the vnet in the if condition? This is the policy rule:

                  "policyRule":  {
                                      "if":  {
                                                 "allOf":  [
                                                               {
                                                                   "field":  "type",
                                                                   "equals":  "Microsoft.Network/virtualNetworks"
                                                               },
                                                               {
                                                                   "field": "[concat('tags[', parameters('tagName'), ']')]",
                                                                   "equals": "[parameters('tagValue')]"
                                                               }
                                                           ]
                                             },

I'm guessing that if there was a Microsoft.Network/virtualNetworks/id property, I could use that, but this doesn't seem to exist. Is there something I'm missing?

Answer 1

@Thomas Stubergh You can use the Virtual Networks - List API to request the virtual networks in a resource group. The response has the ID value as shown below-

{
"value": [
{
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet1",
"name": "vnet1",
"type": "Microsoft.Network/virtualNetworks",
"location": "westus",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/8"
]
}

You could also look into the built-in policy definitions as examples to understand how to build policies to achieve what you are looking for.

Please let me know if you need any further assistance and I will be glad to assist you further. Thank you!

• Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Answer 2

Hi. I Appreciate your reply and idea, but what I'm trying to do is to list all vnets in subscriptions within the scope of a management group. We have a lot of vnet in many resource groups so iI'm trying to get a more automatic solution. I have managed to get som more progression though, but still not achieved the final goal. Take a look at what I have psoted at stackoverflow as well: https://stackoverflow.com/questions/66475131/trying-do-to-a-virtual-wan-hub-connection-automatically-based-on-a-tag-value-on

I figured out that i don't need the acual ID, but rather the vnet name, but i'm struggling to understand how to get that value from the result from the if contition. I think I might need to ues the field function, but as this deployment is a bit complex, it seems I need to pass it to a nested deployment and for some reason it the won't reckognize the parameter.

I have searched and looked at so many examples and documentation that I've almost given up....Almost....