cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Deny Security Rules deletion

trusthonda
Copper Contributor

‎Jul 17 2020 09:37 AM

‎Jul 17 2020 09:37 AM

Deny Security Rules deletion

Hi,

I'm trying to create a policy which prevents users from making any creation/modification/deletion of priority 100 NSG security rule.

 

I;ve create policy as below. While it prevents creation/modification of priority 100 rule, it still allows user to delete it. Is deletion not covered under deny policy. Do we have any MS doc which says that. If not, is there anything that needs to be added, to prevent deletion.

 

{
"mode": "All",
"policyRule": {
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
"equals": 100
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}

 

 

 

I've also tried "Microsoft.Network/networkSecurityGroups/securityRules/*" - doesnt work.

Labels:
2,186 Views
0 Likes
1 Reply
Reply
1 Reply
hspinto

‎Jul 18 2020 09:24 AM

‎Jul 18 2020 09:24 AM

Re: Deny Security Rules deletion

@trusthonda 

 

Azure Policy is not meant for what you want to accomplish. You should instead use a Delete Resource Lock on the NSG you want to protect from rules deletion. More details here.

0 Likes
Reply