Azure Blueprint: Allow resource only in specific resource group


Hello all,


We would like to use blueprint to govern Azure subscriptions. Within the blueprint we would like to deploy some kind of "core networking" resource group containing a VNET, which we can achieve using an ARM template. So far so good, but we would like to prevent other VNETs being deployed to the subscription. I guess it should be possible somehow using policy and excluding the "core networking" resource group, but I haven't found a way yet.


2 Replies

@abovethekloud 

AFAIK there's no alias for resource group name for policy evaluation.

You could restrict vNICs to a certain vNet using this example:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/use-approved-vnet-vm-nics

You might want to enhance the example to allow an array of allowed vNets for your vNics.


-Michael

@abovethekloud 


For the policy, check out the value accessor and the resourcegroup() function.


Something like (not tested):

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "like": "Microsoft.Network/*"
      },
      {
        "value": "[resourceGroup().name]",
        "notEquals": "CoreNetworking"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
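A parameterised variant of the rule above, added here as an example (it is not the reply's own policy and, like it, has not been tested against a live subscription): it narrows the type to virtual networks, which is what the question actually asks to restrict, and takes the permitted resource groups as an array parameter so the blueprint's policy assignment artifact can pass in the name of the "core networking" group. The parameter name, display names and the default value are assumptions.

```json
{
  "properties": {
    "displayName": "Allow virtual networks only in approved resource groups",
    "mode": "All",
    "parameters": {
      "allowedResourceGroups": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed resource groups",
          "description": "Resource groups in which Microsoft.Network/virtualNetworks may be created (assumed parameter name)"
        },
        "defaultValue": [ "CoreNetworking" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "value": "[resourceGroup().name]",
            "notIn": "[parameters('allowedResourceGroups')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The deny effect is evaluated on create and update requests, so it also blocks the blueprint's own VNet unless its resource group is in the list, while VNets that already exist elsewhere are only reported as non-compliant, not removed.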