Policy to block the creation of NSGs with rules that allow RDP or SSH access from the Internet
I have been testing the Azure policy to block the creation of NSGs (Network Security Groups) with rules that allow RDP or SSH access from the internet. I have noticed that it works correctly when tested with a private IP, but when I use a public IP the policy does not apply. Could you support me on how to make it also apply to a public IP?
My JSON policy:
{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "in": "[parameters('deniedPorts')]"
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notIn": "[parameters('deniedPorts')]"
                  }
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "in": [
                    "*",
                    "Internet"
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "deniedPorts": {
      "type": "Array",
      "metadata": {
        "displayName": "Ports to block",
        "description": "The inbound ports that should be blocked"
      }
    }
  }
}
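The reason the policy above stops at `*` and `Internet` is visible in its last condition: `sourceAddressPrefix` is compared as a literal string against those two values, so a rule whose source is a specific public address or `0.0.0.0/0` matches neither and is allowed through. The Python below is an added example, not code from the original post or from Azure; it models how that condition evaluates a set of NSG security rules, and places beside it a broader check (an assumption of this example, not something the posted policy does) that treats any source range outside RFC 1918 space as internet-exposed. All rule objects are constructed sample data, and 203.0.113.7 is from a documentation address range. In the policy language itself the same containment test can be expressed with the `ipRangeContains()` policy function; the script only models the logic so the gap can be seen on sample input.

```python
"""Added example, not from the original post: models how the posted policy's
sourceAddressPrefix condition evaluates NSG security rules, next to a broader
check that treats any source range outside RFC 1918 space as internet-exposed.
All rule objects below are constructed sample data."""
import ipaddress

DENIED_PORTS = {"22", "3389"}          # the deniedPorts parameter of the posted policy
INTERNET_LITERALS = {"*", "Internet"}  # the only source values the posted policy matches
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def hits_denied_port(rule):
    """destinationPortRange in deniedPorts, or any destinationPortRanges[*] in deniedPorts.
    Like the policy, this is a string comparison: a range such as '3000-4000' is not matched."""
    ports = []
    if rule.get("destinationPortRange"):
        ports.append(rule["destinationPortRange"])
    ports.extend(rule.get("destinationPortRanges", []))
    return any(p in DENIED_PORTS for p in ports)


def source_is_internet_literal(prefix):
    """What the posted policy checks: an exact match on '*' or 'Internet'."""
    return prefix in INTERNET_LITERALS


def source_is_public(prefix):
    """Broader check (assumption of this example): '*', 'Internet', or any IP/CIDR that is
    not wholly inside RFC 1918 space. Other service tags such as 'VirtualNetwork' do not
    parse as IP ranges and are left alone."""
    if prefix in INTERNET_LITERALS:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def sources(rule):
    """sourceAddressPrefix plus any sourceAddressPrefixes[*] entries."""
    srcs = []
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    srcs.extend(rule.get("sourceAddressPrefixes", []))
    return srcs


def policy_denies(rule, source_check):
    """Mirrors the posted policyRule: Allow + Inbound + denied port + matching source."""
    return (rule["access"] == "Allow" and rule["direction"] == "Inbound"
            and hits_denied_port(rule) and any(source_check(s) for s in sources(rule)))


def denied_rule_names(rules, source_check):
    """Names of the rules the given source check would cause the policy to deny."""
    return [r["name"] for r in rules if policy_denies(r, source_check)]


# Constructed sample rules; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_RULES = [
    {"name": "rdp-from-any", "access": "Allow", "direction": "Inbound",
     "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
    {"name": "ssh-from-public-ip", "access": "Allow", "direction": "Inbound",
     "destinationPortRange": "22", "sourceAddressPrefix": "203.0.113.7"},
    {"name": "rdp-from-zero-cidr", "access": "Allow", "direction": "Inbound",
     "destinationPortRange": "3389", "sourceAddressPrefix": "0.0.0.0/0"},
    {"name": "multi-port-from-internet-tag", "access": "Allow", "direction": "Inbound",
     "destinationPortRanges": ["80", "3389"], "sourceAddressPrefix": "Internet"},
    {"name": "ssh-from-private-net", "access": "Allow", "direction": "Inbound",
     "destinationPortRange": "22", "sourceAddressPrefix": "10.0.0.0/8"},
    {"name": "https-from-any", "access": "Allow", "direction": "Inbound",
     "destinationPortRange": "443", "sourceAddressPrefix": "*"},
    {"name": "rdp-deny-rule", "access": "Deny", "direction": "Inbound",
     "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
]

if __name__ == "__main__":
    print("posted policy denies:", denied_rule_names(SAMPLE_RULES, source_is_internet_literal))
    print("broader check denies:", denied_rule_names(SAMPLE_RULES, source_is_public))
```

Running it shows the two rules with a literal public source (`203.0.113.7` and `0.0.0.0/0`) pass the posted policy and are caught only by the broader check; the private-source, non-management-port and Deny rules are untouched by both, which is the behaviour a deny policy on management ports should preserve.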
3 Replies
Are you following this article?
https://markgossa.com/2018/11/azure-policy-deny-inbound-rdp-from.html
- Alan_Velasco (Copper Contributor): Yes, but the policy does not apply to public IPs.
- nl889 (Copper Contributor): Hi, is there another option you could consider, e.g. to block public IP creation in general (where not required)? Then you can reduce the number of PIPs and govern RDP/SSH access to these more easily, and monitor it.