Azure policy for Key Vault network rules


Hi,

I am working on a policy to control the firewall for Azure Key Vault. I am looking to do the below:

Ensure that the firewall is enabled for the Key Vault,
Allow only specific IP addresses to be added to the Key Vault,
Allow the list of IP addresses to be empty.

I have been able to get the first 2 working perfectly, but seem to keep falling down when trying to delete any IP addresses from the list.

The policy I currently have is:

"policyRule": {
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.KeyVault/vaults"
            },
            {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "notEquals": "Deny"
            },
            {
                "allOf": [
                    {
                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                        "notIn": "[[parameters('allowedIPAddresses')]"
                    },
                    {
                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                        "notEquals": ""
                    }
                ]
            }
        ]
    },
    "then": {
        "effect": "[parameters('effect')]"
    }
}

As far as I can see, I believe this should work?

Thanks

Dan

1 Reply

@clouddan

Try this condition:

{
    "value": "[length(field('Microsoft.KeyVault/vaults/networkAcls.ipRules'))]",
    "notEquals": "0"
}
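For readers wanting to see the whole thing assembled, the following is an added example of a complete policy definition and is not code from either post. It keeps the aliases, parameter names and effect parameter used in the thread, but goes beyond the reply in two ways that are this example's own choices: the top-level condition is an anyOf, so a vault is non-compliant either when its default action is not Deny or when any IP rule falls outside the allowed list, and the IP check is written as a count expression over ipRules[*] rather than a [*] field condition guarded by the length() test. A count over an empty array evaluates to 0, so the "empty list is allowed" requirement is met without a separate guard. The displayName, mode and parameter defaults are assumptions.

```json
{
  "properties": {
    "displayName": "Key Vault firewall enabled and IP rules restricted to an allowed list",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      },
      "allowedIPAddresses": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed IP addresses or CIDR ranges",
          "description": "IP rules whose value is not in this list are flagged. An empty ipRules array is compliant."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "count": {
                  "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*]",
                  "where": {
                    "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                    "notIn": "[parameters('allowedIPAddresses')]"
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Note that the parameter reference is written with a single leading bracket, "[parameters('allowedIPAddresses')]"; the doubled "[[" form only belongs in an ARM template that wraps the definition, where it stops the template engine from evaluating the expression. Assign the definition with the Audit effect first and review the compliance results for vaults with no IP rules, vaults with only allowed rules, and a vault whose default action is Allow, before switching the effect to Deny.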