Question asked by DaveDeBarr-9188

Azure Policy Deny Not Working

I created the policy listed below and assigned it to an Azure subscription without exemptions; but when someone tries to create a Virtual Machine (VM) that violates this policy, they are able to do so. It shows the new resource is non-compliant, but I was expecting it to prevent (deny) creation of the non-compliant resource.

What am I doing wrong?

 {
   "properties": {
     "displayName": "Deny Open Access",
     "policyType": "Custom",
     "mode": "All",
     "description": "Denies resources where the applicable network security group rules allows inbound access from all Internet sources",
     "metadata": {
       "category": "Custom Security"
     },
     "parameters": {},
     "policyRule": {
       "if": {
         "allOf": [
           {
             "field": "type",
             "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
           },
           {
             "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
             "equals": "Allow"
           },
           {
             "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
             "equals": "Inbound"
           },
           {
             "anyOf": [
               {
                 "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                 "equals": "*"
               },
               {
                 "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                 "equals": "Internet"
               },
               {
                 "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                 "equals": "Any"
               }
             ]
           }
         ]
       },
       "then": {
         "effect": "deny"
       }
     }
   },
   "type": "Microsoft.Authorization/policyDefinitions"
 }




azure-policy

1 Answer

Answered by SwathiDhanwada-MSFT

@DaveDeBarr-9188 Welcome to the Microsoft Q&A Community Forum. By design, default security rules are automatically created when you create a Network Security Group (NSG), and you cannot remove these default rules or deny creating them, but you can override them by creating rules with higher priorities.

My suggestion would be to override the existing security rules with higher priorities. Here is an example of an Azure Policy definition that sets a rule with a higher priority.

 {
   "properties": {
     "displayName": "nsg-rule-101_1",
     "policyType": "Custom",
     "mode": "All",
     "parameters": {
       "allowedLocations": {
         "type": "Array",
         "metadata": {
           "displayName": "Allowed locations",
           "description": "The list of locations that can be specified when deploying resources.",
           "strongType": "location"
         }
       },
       "ruleNo": {
         "type": "String",
         "metadata": {
           "displayName": "Priority",
           "description": "The priority slot for the new rule"
         },
         "allowedValues": [
           "100",
           "101",
           "102",
           "103",
           "104",
           "105",
           "106",
           "107",
           "108",
           "109"
         ]
       },
       "info": {
         "type": "String",
         "metadata": {
           "displayName": "Description",
           "description": "A description"
         }
       },
       "destinationPortRanges": {
         "type": "Array",
         "metadata": {
           "displayName": "Port Number",
           "description": "Security rule port numbers must match these numbers"
         }
       },
       "subscriptionExclusions": {
         "type": "Array",
         "metadata": {
           "displayName": "Subscriptions Excluded",
           "description": "Subscriptions excluded from policy due to security exceptions"
         }
       },
       "protocol": {
         "type": "String",
         "metadata": {
           "displayName": "protocol",
           "description": "Protocol for the rule"
         },
         "allowedValues": [
           "*",
           "Tcp",
           "Udp"
         ]
       },
       "sourceType": {
         "type": "String",
         "metadata": {
           "displayName": "sourceType",
           "description": null
         },
         "allowedValues": [
           "IP Addresses",
           "Service Tag",
           "App Security Group"
         ]
       },
       "sourceValue": {
         "type": "String",
         "metadata": {
           "displayName": "sourceValue",
           "description": null
         }
       },
       "actionValue": {
         "type": "String",
         "metadata": {
           "displayName": "actionValue",
           "description": null
         },
         "allowedValues": [
           "Allow",
           "Deny"
         ]
       },
       "direction": {
         "type": "String",
         "metadata": {
           "displayName": "direction",
           "description": null
         },
         "allowedValues": [
           "Inbound",
           "Outbound"
         ]
       },
       "tagname": {
         "type": "String",
         "metadata": {
           "displayName": "Tag Name",
           "description": "Rule is not deployed if this tag exists on the NSG"
         },
         "allowedValues": [
           "NA",
           "NRMSException",
           "SkipNRMSCorp",
           "nrmsskipcorpnetsaw",
           "SkipNRMSSAW",
           "SkipNRMSDatabricks",
           "SkipNRMSRDPSSH",
           "SkipNRMSMgmt",
           "SkipNRMSHigh",
           "SkipNRMSVNet",
           "SkipNRMSLoadBal",
           "SkipNRMSDB",
           "SkipNRMSMedium"
         ],
         "defaultValue": "NA"
       }
     },
     "policyRule": {
       "if": {
         "allOf": [
           {
             "field": "type",
             "equals": "Microsoft.Network/networkSecurityGroups"
           },
           {
             "field": "location",
             "in": "[parameters('allowedLocations')]"
           },
           {
             "field": "[concat('tags[', parameters('tagName'), ']')]",
             "exists": "false"
           },
           {
             "field": "tags['SkipNRMSAll']",
             "exists": "false"
           },
           {
             "value": "[subscription().subscriptionId]",
             "notIn": "[parameters('subscriptionExclusions')]"
           }
         ]
       },
       "then": {
         "effect": "deployIfNotExists",
         "details": {
           "type": "Microsoft.Network/networkSecurityGroups/securityRules",
           "roleDefinitionIds": [
             "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
           ],
           "existenceCondition": {
             "anyOf": [
               {
                 "allOf": [
                   {
                     "field": "fullName",
                     "equals": "[concat(field('name'),'/','NRMS-Rule-', parameters('ruleNo'))]"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                     "equals": "[parameters('ruleno')]"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                     "equals": "[parameters('sourceValue')]"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                     "equals": "[parameters('actionValue')]"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                     "equals": "[parameters('direction')]"
                   }
                 ]
               },
               {
                 "allOf": [
                   {
                     "field": "fullName",
                     "equals": "Deny-103"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                     "equals": "103"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                     "equals": "Any"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                     "equals": "Deny"
                   },
                   {
                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                     "equals": "Inbound"
                   }
                 ]
               }
             ]
           },
           "deployment": {
             "properties": {
               "mode": "incremental",
               "template": {
                 "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                 "contentVersion": "1.0.0.0",
                 "parameters": {
                   "fullName": {
                     "type": "string"
                   },
                   "ruleNo": {
                     "type": "String"
                   },
                   "destinationPortRanges": {
                     "type": "Array"
                   },
                   "protocol": {
                     "type": "String"
                   },
                   "sourceType": {
                     "type": "String"
                   },
                   "sourceValue": {
                     "type": "String"
                   },
                   "actionValue": {
                     "type": "String"
                   },
                   "direction": {
                     "type": "String"
                   },
                   "info": {
                     "type": "String"
                   }
                 },
                 "variables": {
                   "SourceArr": "[split(parameters('sourceValue'),',')]",
                   "appSecGroups": {
                     "copy": [
                       {
                         "name": "values",
                         "count": "[length(variables('SourceArr'))]",
                         "input": {
                           "id": "[if(equals(parameters('sourceType'),'App Security Group'),if(contains(variables('SourceArr')[copyindex('values')],'subscriptions'), variables('SourceArr')[copyindex('values')],resourceId('Microsoft.Network/applicationSecurityGroups', variables('SourceArr')[copyindex('values')])), '')]"
                         }
                       }
                     ]
                   }
                 },
                 "resources": [
                   {
                     "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                     "name": "[concat(parameters('fullName'),'/','NRMS-Rule-', parameters('ruleNo'))]",
                     "apiVersion": "2017-10-01",
                     "scale": null,
                     "properties": {
                       "protocol": "[parameters('protocol')]",
                       "description": "[parameters('info')]",
                       "sourcePortRange": "*",
                       "sourceAddressPrefix": "[if(equals(parameters('sourceType'),'Service Tag'),parameters('sourceValue'),json('null'))]",
                       "sourceAddressPrefixes": "[if(equals(parameters('sourceType'),'IP Addresses'),variables('SourceArr'),json('null'))]",
                       "sourceApplicationSecurityGroups": "[if(equals(parameters('sourceType'),'App Security Group'),variables('appSecGroups').values,json('null'))]",
                       "destinationPortRanges": "[if (equals(1,length(parameters('destinationPortRanges'))), json('null'), parameters('destinationPortRanges'))]",
                       "destinationPortRange": "[if (equals(1,length(parameters('destinationPortRanges'))), parameters('destinationPortRanges')[0], json('null'))]",
                       "destinationAddressPrefix": "*",
                       "destinationApplicationSecurityGroups": [],
                       "access": "[parameters('actionValue')]",
                       "priority": "[parameters('ruleNo')]",
                       "direction": "[parameters('direction')]"
                     }
                   }
                 ]
               },
               "parameters": {
                 "fullName": {
                   "value": "[field('fullName')]"
                 },
                 "ruleNo": {
                   "value": "[parameters('ruleNo')]"
                 },
                 "destinationPortRanges": {
                   "value": "[parameters('destinationPortRanges')]"
                 },
                 "protocol": {
                   "value": "[parameters('protocol')]"
                 },
                 "sourceType": {
                   "value": "[parameters('sourceType')]"
                 },
                 "sourceValue": {
                   "value": "[parameters('sourceValue')]"
                 },
                 "actionValue": {
                   "value": "[parameters('actionValue')]"
                 },
                 "direction": {
                   "value": "[parameters('direction')]"
                 },
                 "info": {
                   "value": "[parameters('info')]"
                 }
               }
             }
           }
         }
       }
     }
   }
 }


Comment from DaveDeBarr-9188:

If I try to create a non-compliant security rule, Azure will deny creation of this rule. This is expected behavior.

But if I create a new Virtual Machine (VM) with a non-compliant security rule, it allows creation of the VM with the non-compliant security rule. This is not expected behavior.

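The comment above pins down the gap: a standalone PUT of a security rule is a `Microsoft.Network/networkSecurityGroups/securityRules` request and is denied, but when a VM is deployed together with a new NSG, the NSG and its rules arrive as one `Microsoft.Network/networkSecurityGroups` request with the rules inline, so a policy whose `type` condition only names the child type never matches. The definition below is an added example, not from the question or the answer: it keeps the original child-type branch and adds a second branch that evaluates the parent NSG through the documented `securityRules[*]` array alias with a `count` condition, using the same three source prefixes the original policy listed.

```json
{
  "properties": {
    "displayName": "Deny Open Access (inline and standalone NSG rules)",
    "policyType": "Custom",
    "mode": "All",
    "description": "Denies inbound Allow rules from any Internet source, whether the rule is created on its own or inline with its NSG",
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": [ "*", "Internet", "Any" ] }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
              {
                "count": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                  "where": {
                    "allOf": [
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "in": [ "*", "Internet", "Any" ] }
                    ]
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions"
}
```

To confirm the assignment closes the gap, deploy a test NSG whose `securityRules` property contains an inbound Allow rule with source `*` in one request and check that the deployment is rejected rather than merely flagged non-compliant.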