Forum Discussion
Azure Blueprint: Allow resource only in specific resource group
Hello all,
We would like to use Blueprint to govern Azure subscriptions. Within the blueprint we would like to deploy some kind of "core networking" resource group containing a VNET, which we can achieve using an ARM template. So far so good, but we would like to prevent other VNETs from being deployed to the subscription. I guess it should be possible somehow using Policy and excluding the "core networking" resource group, but I haven't found a way yet.
2 Replies
- camarvin (Copper Contributor)
For the policy, check out the https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#value and the resourcegroup() function.
Something like (not tested):
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "like": "Microsoft.Network/*"
      },
      {
        "value": "[resourceGroup().name]",
        "notEquals": "CoreNetworking"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
AFAIK there's no alias for resource group name for policy evaluation.
You could restrict vNICs to a certain vNet using this example:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/use-approved-vnet-vm-nics
You might want to enhance the example to allow an array of allowed vNets for your vNics.
-Michael
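A complete, parameterised policy definition built on the same idea, added here as an editor's example (it is not code from the thread or from Microsoft's samples). It narrows the type match from the wildcard `Microsoft.Network/*` to `Microsoft.Network/virtualNetworks`, because the question only asks to block other VNETs and a wildcard would also deny NICs, NSGs, public IPs and so on in every other resource group. The allowed resource groups are an array parameter, so a Blueprint (or `az policy assignment create --params`) can pass one or several names; the parameter name `allowedResourceGroups`, the display name and the default value `CoreNetworking` are assumptions for this example.

```json
{
  "properties": {
    "displayName": "Allow virtual networks only in approved resource groups",
    "description": "Denies creation or update of Microsoft.Network/virtualNetworks outside the resource groups listed in allowedResourceGroups. Example definition, not from the original thread.",
    "mode": "Indexed",
    "parameters": {
      "allowedResourceGroups": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed resource groups",
          "description": "Resource group names in which virtual networks may be deployed (assumed parameter name for this example)"
        },
        "defaultValue": [
          "CoreNetworking"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "value": "[resourceGroup().name]",
            "notIn": "[parameters('allowedResourceGroups')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Three practical caveats when you assign this: `deny` is only enforced at create/update time, so VNETs that already exist outside the allowed groups are merely reported as non-compliant (assign it with `"effect": "audit"` first if you need to see the blast radius); `equals`, `in` and `notIn` compare strings case-insensitively, so `corenetworking` and `CoreNetworking` are treated as the same group; and the exclusion lives in the rule itself, so you do not need a `notScopes` exclusion on the assignment for the core networking group, which keeps the assignment scope at the subscription where the blueprint applies it.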