Azure Policy for NSG Security Rules

YasminFitri-8530 asked:

I have the following policy rule (the fragment below is wrapped in an outer object so it is valid JSON):

{
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
                        },
                        {
                            "anyOf": [
                                {
                                    "allOf": [
                                        {
                                            "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                                            "greaterOrEquals": 100
                                        },
                                        {
                                            "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                                            "lessOrEquals": 999
                                        }
                                    ]
                                },
                                {
                                    "allOf": [
                                        {
                                            "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                                            "greaterOrEquals": 3501
                                        },
                                        {
                                            "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                                            "lessOrEquals": 4096
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    }
}

The purpose of the policy is to prevent changes to NSGs within a certain priority range. However, I noticed that not only NSGs are being affected by this policy. I saw that Microsoft.Network/networkIntentPolicies and Microsoft.Network/virtualNetworks are also being evaluated. Is there a way to fix this?

azure-policy

1 Answer

olufemiaMSFT answered:

Hello anonymous user, if I understand correctly, your goal is to evaluate NSG resources and not /networkIntentPolicies or /virtualNetworks resources.

If yes, then my first suggestion is to verify the location where your Policy definition file is currently saved.
The location determines the scope at which the Policy initiative or rules can be assigned.
Resources must be under the Policy definition's resource hierarchy for them to be targeted for assignment.

Are all your resources deployed under the same subscription or management group? If so, then that could be the reason why your deny rule applies to the other resources. To resolve this, explore the option of creating an exclusion-based assignment scope for the set of resources you wish to exclude from policy evaluation, using the array property properties.notScopes. More information here.

Hope this helps but don't hesitate to ping if you have any follow-up questions.

[Attachment: assignmentscope.png]

Cheers.




YasminFitri-8530 commented:

But I already defined in the policy definition to check NSG security rules:

    {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
    }

so I don't understand why other resources are being evaluated.

olufemiaMSFT commented:

Hello, anonymous user, without a deeper review of your policy files and environment, it is hard to tell why this is happening.
Here's the order of evaluation for the deny effect, if that helps. Also let me know if adding the exclusion clause is a feasible workaround.

Cheers.

YasminFitri-8530 commented:

I tried with exclusions and it works. Thank you.
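As an added example that is not part of the original thread and not Azure Policy's own code, the Python below is a small model of the rule posted in the question and of the notScopes exclusion suggested in the answer: it evaluates the rule's allOf / anyOf / field conditions against constructed securityRules and virtualNetworks resource bodies, then applies an assignment scope with one notScopes entry. The alias resolution, the subscription ID, the resource group names and the rule names are assumptions made for the demonstration. The model evaluates one submitted resource body at a time, so it shows what the rule does on its own terms (only a securityRules body with a priority in 100-999 or 3501-4096 is denied) and does not reproduce whatever request path caused networkIntentPolicies and virtualNetworks requests to be evaluated in the asker's environment.

```python
"""Model of the policyRule from the question plus the assignment scope /
notScopes check from the answer. Added example, not code from the thread or
from Azure Policy: it supports only the operators the rule uses and a simplified
alias resolver. Subscription ID, resource groups and rule names are constructed."""

PRIORITY = "Microsoft.Network/networkSecurityGroups/securityRules/priority"
# The policyRule from the question, with the same nesting, as Python dicts.
POLICY_RULE = {
    "if": {"allOf": [{"allOf": [
        {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules"},
        {"anyOf": [
            {"allOf": [{"field": PRIORITY, "greaterOrEquals": 100},
                       {"field": PRIORITY, "lessOrEquals": 999}]},
            {"allOf": [{"field": PRIORITY, "greaterOrEquals": 3501},
                       {"field": PRIORITY, "lessOrEquals": 4096}]},
        ]},
    ]}]},
    "then": {"effect": "deny"},
}

def _equals(actual, expected):
    # Azure Policy's equals compares strings case-insensitively.
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected

def _numeric(fn):
    # A field absent from the resource makes a numeric condition false.
    return lambda actual, expected: actual is not None and fn(actual, expected)

OPERATORS = {"equals": _equals, "greaterOrEquals": _numeric(lambda a, e: a >= e),
             "lessOrEquals": _numeric(lambda a, e: a <= e)}

def resolve_field(field, resource):
    """Simplified alias resolution (an assumption, not Azure's alias table): 'type'
    reads the top-level key; '<resourceType>/<path>' walks resource['properties'];
    an alias belonging to another resource type yields None."""
    if field == "type":
        return resource.get("type")
    prefix = resource.get("type", "").lower() + "/"
    if not field.lower().startswith(prefix):
        return None
    value = resource.get("properties", {})
    for part in field[len(prefix):].split("/"):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def evaluate(condition, resource):
    """Recursively evaluate an allOf / anyOf / field condition tree."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    actual = resolve_field(condition["field"], resource)
    for name, fn in OPERATORS.items():
        if name in condition:
            return fn(actual, condition[name])
    raise ValueError(f"unsupported condition: {condition}")

def in_scope(resource_id, scope):
    """Segment-aware, case-insensitive 'resource_id is at or below scope'."""
    rid, sc = (s.strip("/").lower().split("/") for s in (resource_id, scope))
    return rid[:len(sc)] == sc

def decide(resource, assignment, rule=POLICY_RULE):
    """'not-evaluated' outside the effective scope, otherwise the rule's verdict."""
    rid = resource["id"]
    if not in_scope(rid, assignment["scope"]) or any(
            in_scope(rid, ns) for ns in assignment.get("notScopes", [])):
        return "not-evaluated"
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "allow"

# Constructed sample data: one subscription, one excluded resource group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENT = {"scope": SUB, "notScopes": [SUB + "/resourceGroups/rg-excluded"]}

def nsg_rule(rg, name, priority):
    """A constructed securityRules resource as the policy engine sees it."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Network/"
                  f"networkSecurityGroups/nsg-web/securityRules/{name}",
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "properties": {"priority": priority, "access": "Allow", "direction": "Inbound"}}

SAMPLES = {
    "low-protected": nsg_rule("rg-app", "allow-mgmt", 200),
    "high-protected": nsg_rule("rg-app", "deny-all", 4000),
    "free-range": nsg_rule("rg-app", "allow-https", 2000),
    "excluded-rg": nsg_rule("rg-excluded", "allow-mgmt", 200),
    "vnet": {  # other type: the 'type' guard fails before any priority check
        "id": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-hub",
        "type": "Microsoft.Network/virtualNetworks",
        "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
}

def run_samples():
    return {name: decide(res, ASSIGNMENT) for name, res in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} -> {verdict}")
```

Running it prints one verdict per sample: the rules at priority 200 and 4000 are denied, 2000 is allowed, the rule inside rg-excluded is never evaluated, and the virtual network fails the type guard before any priority is read. The boundaries matter for a deny policy: 999 and 3501 are denied, 1000 and 3500 are not. The scope check is segment-aware on purpose, so excluding rg-excluded does not also exclude a resource group called rg-excluded-2; when creating the real assignment the notScopes list corresponds to az policy assignment create --not-scopes, or to properties.notScopes in the assignment body.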