Aug 22 2019 07:29 AM
Hello all,
We would like to use Blueprint to govern Azure subscriptions. Within the blueprint we would like to deploy some kind of "core networking" resource group containing a VNET, which we can achieve using an ARM template. So far so good, but we would like to prevent other VNETs being deployed to the subscription. I guess it should be possible somehow using Policy and excluding the "core networking" resource group, but I haven't found a way yet.
Sep 11 2019 02:18 AM
AFAIK there's no alias for resource group name for policy evaluation.
You could restrict vNICs to a certain vNet using this example:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/use-approved-vnet-vm-nics
You might want to enhance the example to allow an array of allowed vNets for your vNics.
-Michael
Sep 27 2019 05:30 PM
For the policy, check out the value accessor and the resourcegroup() function.
Something like (not tested):
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "like": "Microsoft.Network/*"
      },
      {
        "value": "[resourceGroup().name]",
        "notEquals": "CoreNetworking"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
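To see what the rule above actually blocks before assigning it to a subscription, here is an added example (not from the thread or from Microsoft's policy engine): a small Python evaluator that models the handful of Azure Policy constructs the rule uses (allOf/anyOf/not, field, value with [resourceGroup().name], equals/notEquals/like/notLike, case-insensitive string matching) and runs the posted rule plus a narrowed variant over constructed deployment requests. The narrowed rule, the request shapes and the resource group names are my assumptions.

```python
import re

# Policy rule as posted in the thread (constructed copy, same structure).
POSTED_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "like": "Microsoft.Network/*"},
            {"value": "[resourceGroup().name]", "notEquals": "CoreNetworking"},
        ]
    },
    "then": {"effect": "deny"},
}

# Narrowed variant (assumption: the questioner only wants to pin VNETs to the
# core resource group, so NICs, NSGs and public IPs elsewhere stay deployable).
VNET_ONLY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
            {"value": "[resourceGroup().name]", "notEquals": "CoreNetworking"},
        ]
    },
    "then": {"effect": "deny"},
}


def _resolve(expr, request):
    """Resolve the one template expression this thread relies on; anything else is a literal."""
    if expr == "[resourceGroup().name]":
        return request["resourceGroup"]
    return expr


def _same(a, b):
    """Azure Policy compares strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def _like(value, pattern):
    """'like' supports a single '*' wildcard, matched case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return isinstance(value, str) and re.match(regex, value, re.IGNORECASE) is not None


def evaluate(condition, request):
    """Return True when the policy condition matches the deployment request."""
    if "allOf" in condition:
        return all(evaluate(c, request) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, request) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], request)

    if "field" in condition:
        actual = request.get(condition["field"])  # only top-level fields are modelled
    elif "value" in condition:
        actual = _resolve(condition["value"], request)
    else:
        raise ValueError(f"unsupported condition: {condition}")

    if "equals" in condition:
        return _same(actual, condition["equals"])
    if "notEquals" in condition:
        return not _same(actual, condition["notEquals"])
    if "like" in condition:
        return _like(actual, condition["like"])
    if "notLike" in condition:
        return not _like(actual, condition["notLike"])
    raise ValueError(f"unsupported operator in: {condition}")


def effect_for(policy, request):
    """'deny' when the rule fires; otherwise the request is allowed through."""
    return policy["then"]["effect"] if evaluate(policy["if"], request) else "allow"


# Constructed deployment requests: resource type plus target resource group.
CORE_VNET = {"type": "Microsoft.Network/virtualNetworks", "resourceGroup": "CoreNetworking"}
ROGUE_VNET = {"type": "Microsoft.Network/virtualNetworks", "resourceGroup": "app-rg"}
APP_NIC = {"type": "Microsoft.Network/networkInterfaces", "resourceGroup": "app-rg"}

if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("vnet-only", VNET_ONLY_RULE)):
        for label, req in (("core vnet", CORE_VNET), ("rogue vnet", ROGUE_VNET), ("app nic", APP_NIC)):
            print(f"{name:9} {label:10} -> {effect_for(rule, req)}")
```

Running it shows the caveat worth checking before rollout: with "like": "Microsoft.Network/*" the posted rule denies every networking resource outside CoreNetworking, including the NIC a VM in app-rg needs, so VM deployments elsewhere in the subscription would fail. Matching "type" to Microsoft.Network/virtualNetworks keeps the intended restriction (no second VNET outside the core resource group) without that side effect. Test the real definition with a policy assignment in audit mode first, since this toy evaluator covers only a subset of the policy language.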