Forum Discussion
Policy trigger for Microsoft.Network/virtualNetworks/subnets/join/action
Hello Team,
I have a use case where I do not want any resource to connect to my VNET except a few allowed ones.
We are designing a secured containerized environment for our customers with very strict access control policies. However, we are not seeing the policy triggered for the network join operation.
For testing purposes, I used the following policy just to capture and deny all operations on the virtual network, and assigned this policy to the resource group scope where my VNET is present:
{
    "mode": "All",
    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
        },
        "then": {
            "effect": "deny"
        }
    }
}
After this policy is assigned to my resource group, I am not able to create VNETs in my resource group; however, I am still able to join an existing VNET in this resource group.
It looks like the policy is not even being evaluated/triggered for the network join action. Can you please suggest how we can deny this action?
3 Replies
- Aniruddha1248
Microsoft
Policy assignments are a problem, as policies are effective at the scope at which they are assigned.
We don't want to put an assignment at a very broad scope such as the subscription, but want to restrict it only to the resource group that we create. The issue we are seeing is that resources from other resource groups are still able to do a VNET join, as they do not have these policy assignments.
- Jesse Loudon (Brass Contributor)
This is going to be tricky when the requirement is to restrict any resource from using your VNET except the allowed resources, because there are many different types of IaaS/PaaS resources that can have a network interface and VNET integration.
Have you validated that there's an Azure Policy alias which matches the resource property you want to govern/restrict here?
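An added example (not from this thread or from Microsoft) of the direction Jesse's question points at: the join is performed by the resource that attaches to the subnet, so the policy has to target that resource type rather than the VNET. This definition denies a network interface whose `ipConfigurations` reference a subnet outside one allowed VNET, using the `Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.id` alias; the allowed VNET resource ID is assumed to be supplied through a parameter named `allowedVnetId` (a name chosen here), and the assignment must sit at the scope where the joining resources are created (e.g., the subscription), because evaluation happens on the NIC, not on the VNET.

```json
{
    "mode": "All",
    "parameters": {
        "allowedVnetId": {
            "type": "String",
            "metadata": {
                "displayName": "Allowed virtual network resource ID",
                "description": "Only network interfaces attached to subnets of this VNET are permitted."
            }
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Network/networkInterfaces"
                },
                {
                    "count": {
                        "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*]",
                        "where": {
                            "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.id",
                            "notLike": "[concat(parameters('allowedVnetId'), '/subnets/*')]"
                        }
                    },
                    "greater": 0
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    }
}
```

This only governs NIC-based joins; PaaS resources with VNET integration (App Service, Container Instances, private endpoints and so on) expose the subnet through their own resource types and aliases, so each would need its own rule of the same shape, and `Get-AzPolicyAlias`/`az provider show --expand resourceTypes/aliases` is the way to confirm an alias exists before relying on it.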