TomWhite-7037 asked SwathiDhanwada-MSFT commented

Enforce route table 0.0.0.0/0 proxy route

Hi,

I am looking to enforce a default 0.0.0.0/0 route to hit a specific proxy for generic traffic. I have been able to make sure that this default route table gets created with policies similar to the below, but I cannot seem to do anything about people deleting it?

{
  "policyType": "Custom",
  "mode": "All",
  "displayName": "create_default_route",
  "description": "Create a route table entry for 0.0.0.0",
  "policyRule": {
    "if": {
      "count": {
        "field": "Microsoft.Network/routeTables/routes[*]",
        "where": {
          "allOf": [
            {
              "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
              "equals": "[parameters('DefaultGW')]"
            },
            {
              "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
              "equals": "0.0.0.0/0"
            }
          ]
        }
      },
      "notEquals": 1
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXXXXXX"
        ],
        "conflictEffect": "deny",
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Network/routeTables/routes[*]",
            "value": {
              "name": "DEFAULT",
              "properties": {
                "addressPrefix": "0.0.0.0/0",
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": "[parameters('DefaultGW')]",
                "hasBgpOverride": false
              }
            }
          }
        ]
      }
    }
  },
  "parameters": {
    "DefaultGW": {
      "type": "String",
      "defaultValue": "1.2.3.4",
      "metadata": {
        "displayName": "Default Gateway IP",
        "description": "A route table will be created by default for 0.0.0.0/0 to this IP."
      }
    }
  },
  "id": "/subscriptions/XXXXXXXXXXXX/providers/Microsoft.Authorization/policyDefinitions/XXXXXXXXXXXXXX",
  "name": "XXXXXXXXXXXXXXXXX",
  "type": "Microsoft.Authorization/policyDefinitions"
}


azure-policy

@TomWhite-7037 Welcome to Microsoft Q & A Community Forum. I am looking into it and will respond to you in a while.


1 Answer

SwathiDhanwada-MSFT answered SwathiDhanwada-MSFT commented

@TomWhite-7037 Apologies for the late response. Currently, Azure Policy evaluates as follows:

  • Greenfield (New or Updated Resources): Is run on a PUT or PATCH call to ARM

  • Brownfield (existing resources): Only evaluated for compliance

The DELETE REST API isn't evaluated by policy as of now. In your scenario, you can't restrict the deletion of route tables using Azure Policy. However, when the policy evaluation runs, the rule will be added to the route table automatically.

There is an open feedback item for the same. I would recommend you navigate here, share your feedback or suggestions directly with the responsible Azure feature team, and click the vote button on your suggestion to raise its visibility and priority.



Hi,

Thank you for your response. I can see that the referenced post is 2 years old. I am a little confused, as this is essentially enforcing forced tunneling with a policy, which the Microsoft docs say is a "critical security requirement for most enterprise IT policies": https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm

Is this implying that customers should not use Azure policy to satisfy the critical security requirements of their enterprise IT policies? What is the recommended best practice to allow development teams the greatest possible freedom while guaranteeing that the traffic takes the correct route?


@TomWhite-7037 I understand that you would want to deny the deletion of the rules using Azure Policy. I have reached out internally to the product team to get an update on this. I will share an update as soon as I get a response from them.

Meanwhile, to mitigate your issue, I can suggest a couple of workarounds that can help you.

  1. You can limit users' access by giving them granular permissions. For example, all users except the specified ones can be given read access: create a custom role that has network read access.

  2. If a user deletes the network rule, it will be logged in the Activity Log. You can create an activity log alert and an Automation runbook that creates a remediation task to make existing resources compliant.


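As an added example that is not part of this thread, the check below mirrors the question's policy condition (exactly one 0.0.0.0/0 route whose next hop is the proxy) as a compliance function, and implements the detection side of the second workaround by picking route-table and route delete operations out of Activity Log records. The route tables and log events are constructed sample data; PROXY_IP reuses the policy's DefaultGW sample value.

```python
# Added example, not code from the thread: a defender-side check that mirrors the
# policy's count rule (exactly one 0.0.0.0/0 route whose next hop is the proxy),
# plus a detector for Activity Log records showing route-table or route deletions.
# All route tables and log events below are constructed sample data.
PROXY_IP = "1.2.3.4"  # the policy's DefaultGW sample value from the question

# Resource provider operation names, as they appear in RBAC and the Activity Log,
# for deleting a whole route table or a single route within one.
DELETE_OPERATIONS = {"Microsoft.Network/routeTables/delete",
                     "Microsoft.Network/routeTables/routes/delete"}

def default_route_count(route_table, gateway_ip=PROXY_IP):
    """Count routes matching the policy's where-clause: addressPrefix 0.0.0.0/0
    AND nextHopIpAddress == gateway. The policy's modify fires when this != 1."""
    return sum(
        1 for r in route_table.get("properties", {}).get("routes", [])
        if r.get("properties", {}).get("addressPrefix") == "0.0.0.0/0"
        and r.get("properties", {}).get("nextHopIpAddress") == gateway_ip)

def is_compliant(route_table, gateway_ip=PROXY_IP):
    return default_route_count(route_table, gateway_ip) == 1

def find_route_deletions(events):
    """(caller, operation, resourceId) for succeeded deletes of route tables or
    single routes: the signal the alert-plus-runbook workaround would key on."""
    return [(e.get("caller"), e["operationName"]["value"], e.get("resourceId"))
            for e in events
            if e.get("operationName", {}).get("value") in DELETE_OPERATIONS
            and e.get("status", {}).get("value") == "Succeeded"]

def route(name, prefix, hop_type, hop_ip=None):
    props = {"addressPrefix": prefix, "nextHopType": hop_type}
    if hop_ip:
        props["nextHopIpAddress"] = hop_ip
    return {"name": name, "properties": props}

# Constructed: rt-a carries the proxy route; rt-b sends 0.0.0.0/0 straight to
# the Internet, bypassing the proxy, so the policy would add the DEFAULT route.
TABLE_A = {"name": "rt-a", "properties": {"routes": [
    route("DEFAULT", "0.0.0.0/0", "VirtualAppliance", PROXY_IP)]}}
TABLE_B = {"name": "rt-b", "properties": {"routes": [
    route("bypass", "0.0.0.0/0", "Internet")]}}

SAMPLE_EVENTS = [  # constructed Activity Log records, trimmed to relevant fields
    {"caller": "dev@example.com", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Network/routeTables/routes/delete"},
     "resourceId": "<resource-id-prefix>/routeTables/rt-a/routes/DEFAULT"},
    {"caller": "ops@example.com", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Network/routeTables/write"},
     "resourceId": "<resource-id-prefix>/routeTables/rt-a"}]
```

Pointing find_route_deletions at exported Activity Log JSON gives the events an alert rule should match; is_compliant is what the runbook's remediation pass would re-check after it puts the route back.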