Jeff Walzer
Iron Contributor
Jan 14, 2021

How to prevent changes to the Firewalls and virtual network section for resources?

Is it possible to prevent someone from making changes to the configuration of virtual networks settings, specifically not allowing someone to add IP addresses for access via a Policy or a custom IAM role?

I've searched through the policies and have yet to find anything that is associated, but perhaps I am missing the policy or policies to prevent changes? If no polices exist, would I need to create a custom role for users for RGs so they can't make changes to the Firewalls and virtual network section?

Also, are changes made to any settings in the virtual networks settings section logged?

9 Replies

  • ibnmbodji
    Iron Contributor

    Jeff Walzer 

    Hi, to prevent changes on any resources you have to define an IAM strategy for your resources.

    Giving Owner role to those who need full access 

    Giving Contributor role to those who need to modify resources 

    Giving Reader role for those who need to read only 

    Giving Custom roles for specific needs  

    Giving role tied to resource for specific operations ( Virtual machine contributor for example )

    You may know that roles are inherited from the subscription and resource group, so you need to consider that and finally create a map to be able to retrieve who has access to what, and then revoke if necessary.

    Once you have done that you can add a read-only lock at the resource group level, so only people with the right access will be able to remove it (that's why I suggest identifying those people above). This lock will prevent any changes on any resource in the resource group scope.

    https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources#who-can-create-or-delete-locks

    • Jeff Walzer
      Iron Contributor

      ibnmbodji 

      Thx for the info on IAM.

      We looked at custom roles, but there are thousands of permissions per role and I have yet to find any documentation that specifically lists what permissions to remove from networking that would prevent a user from making changes.

      • ibnmbodji
        Iron Contributor

        Jeff Walzer 

        In the process of creating the custom role through the portal you can exclude some permissions.

        In the screenshot, for example, I can add or remove the permission to delete an Azure Firewall Application Rule Collection. Another way to do that is to start from the Reader role and add the necessary write permissions. But as you see, it can be a big management overhead if your goal is only to prevent changes?

        In my opinion the simplest way is to add a lock and put a process in place to remove the lock if necessary.

        As a Contributor you can delete locks at the resource level but not at the subscription level (only Owners can).
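As an added example (not code from anyone in this thread): the "start from a broad role and exclude the operations you do not want" approach ibnmbodji describes, scripted for the Azure CLI. The role name, the placeholder subscription id and the chosen NotActions are assumptions; the script indirects the az binary through an AZ variable so it can be dry-run without a subscription.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: build and create a custom Azure role that is
# Contributor-like but cannot write or delete Microsoft.Network resources, and cannot
# manage role assignments or locks. Role name and excluded operations are illustrative.
set -e

# The CLI binary is indirected so the functions can be dry-run with AZ=echo.
AZ="${AZ:-az}"

# Print the role definition JSON for the given subscription id.
# Actions "*" is the Contributor starting point; NotActions carve out the operations
# we never want this role to perform (Azure evaluates NotActions after Actions).
network_readonly_role_json() {
  sub_id="$1"
  cat <<EOF
{
  "Name": "Contributor - No Network Changes",
  "Description": "Contributor without write/delete on Microsoft.Network, roles or locks (hypothetical role)",
  "Actions": [ "*" ],
  "NotActions": [
    "Microsoft.Network/*/write",
    "Microsoft.Network/*/delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/${sub_id}" ]
}
EOF
}

# Sanity check without calling Azure: the definition must exclude network writes and
# role/lock management, and must carry an assignable scope. Returns 0 when all hold.
check_role_json() {
  json="$1"
  printf '%s\n' "$json" | grep -q '"Microsoft.Network/\*/write"' || return 1
  printf '%s\n' "$json" | grep -q '"Microsoft.Authorization/\*/Write"' || return 1
  printf '%s\n' "$json" | grep -q '"AssignableScopes"' || return 1
  return 0
}

# Create the role in Azure from the generated definition (az role definition create
# takes the JSON as @file). Set AZ=echo to print the command instead of running it.
create_role() {
  sub_id="$1"
  json="$(network_readonly_role_json "$sub_id")"
  check_role_json "$json" || { echo "role definition failed sanity check" >&2; return 1; }
  tmp="$(mktemp)"
  printf '%s\n' "$json" > "$tmp"
  "$AZ" role definition create --role-definition "@${tmp}"
  rm -f "$tmp"
}

# Usage: ./role.sh apply 00000000-0000-0000-0000-000000000000   (placeholder subscription id)
if [ "${1:-}" = "apply" ]; then
  create_role "${2:?subscription id required}"
fi
```

One caveat that explains why the thread leans toward locks: RBAC excludes whole resource-provider operations, not individual properties. The "Firewalls and virtual networks" section of a storage account, for instance, is saved through Microsoft.Storage/storageAccounts/write, the same operation as every other property edit, so a role cannot block that section alone; it can only block all writes to the account.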

  • Sagar_Lad
    Brass Contributor

    Hi Jeff Walzer ,

    If you enable read-only resource locks at the resource group level or resource level, you can prevent changes to the firewall or virtual network.

    • Jeff Walzer
      Iron Contributor

      Sagar_Lad 

      Thx for the reply. Would locking a resource also prevent the users/groups who should have the ability to make changes, such as the security or network team?

      • Sagar_Lad
        Brass Contributor

        Hi Jeff Walzer ,

        Yes, it will also prevent changes to the Firewalls and Virtual Network by anyone, like a network admin etc.

        There are basically two types of locks: 1) Read Only, 2) Delete Lock.

        https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

  • atulram
    Brass Contributor

    Hi Jeff Walzer,

    Did you try locking Azure resources?


    More on:

    https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources#who-can-create-or-delete-locks

    • Jeff Walzer
      Iron Contributor

      atulram 

      Thx for the reply. Would locking a resource also prevent the users/groups who should have the ability to make changes, such as the security or network team?

      • atulram
        Brass Contributor

        Jeff Walzer 

        ReadOnly Lock means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

        You can read about it in detail here --> https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources#considerations-before-applying-locks
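As an added example (not code from anyone in this thread): the ReadOnly lock atulram and Sagar_Lad recommend, applied at resource-group scope with the Azure CLI, plus the activity-log queries that answer the original question about whether changes to these settings are logged and that show who removed a lock. Resource group and lock names are placeholders; as in the role example above, the az binary is indirected through an AZ variable so the functions can be dry-run.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: apply a ReadOnly lock to a resource group and
# use the activity log to see (a) write/delete operations on resources in the group
# and (b) lock removals. Resource group and lock names are placeholders.
set -e

# Indirected so the functions can be dry-run with AZ=echo (no subscription needed).
AZ="${AZ:-az}"

# Create a ReadOnly lock on a whole resource group. Every authorized user, whatever
# their role, is then limited to Reader-level actions on every resource in the group
# until the lock is removed. Removal needs Microsoft.Authorization/locks/delete,
# which the built-in Owner and User Access Administrator roles carry.
create_readonly_lock() {
  rg="$1"; name="$2"
  "$AZ" lock create --name "$name" --lock-type ReadOnly --resource-group "$rg" \
    --notes "Blocks firewall/VNet edits; removal requires Microsoft.Authorization/locks/delete"
}

# List the locks that apply to a resource group (inherited subscription locks included).
list_locks() {
  "$AZ" lock list --resource-group "$1" --output table
}

# Activity log: write/delete operations in the group over the last N days. Each entry
# carries the caller, the operation (e.g. Microsoft.Network/virtualNetworks/write or
# Microsoft.Storage/storageAccounts/write for a firewall rule edit) and its status.
recent_changes() {
  rg="$1"; days="${2:-7}"
  "$AZ" monitor activity-log list --resource-group "$rg" --offset "${days}d" \
    --query "[?ends_with(operationName.value, '/write') || ends_with(operationName.value, '/delete')].{when:eventTimestamp, who:caller, op:operationName.value, status:status.value}" \
    --output table
}

# Same log narrowed to lock deletions: the first thing to review when a locked
# resource changed, since the lock had to be removed before the change could succeed.
lock_removals() {
  rg="$1"; days="${2:-30}"
  "$AZ" monitor activity-log list --resource-group "$rg" --offset "${days}d" \
    --query "[?operationName.value == 'Microsoft.Authorization/locks/delete'].{when:eventTimestamp, who:caller, status:status.value}" \
    --output table
}

# Usage: ./locks.sh rg-prod lock-no-network-changes
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  create_readonly_lock "$1" "$2"
  list_locks "$1"
  recent_changes "$1" 7
  lock_removals "$1" 30
fi
```

Two points to keep in mind before locking a group: the lock applies to everyone regardless of role, which is exactly what Jeff asked about, and a ReadOnly lock also blocks operations that are implemented as POST requests even though they feel like reads (listing storage account keys is the usual surprise), which the "considerations before applying locks" page linked above covers.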
