Deny Security Rules deletion


Hi,

I'm trying to create a policy which prevents users from making any creation/modification/deletion of priority 100 NSG security rule.

I've created the policy below. While it prevents creation/modification of the priority 100 rule, it still allows users to delete it. Is deletion not covered under a deny policy? Do we have any MS doc which says that? If not, is there anything that needs to be added to prevent deletion?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
          "equals": 100
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

I've also tried "Microsoft.Network/networkSecurityGroups/securityRules/*" - doesn't work.

1 Reply

@trusthonda 

Azure Policy is not meant for what you want to accomplish. You should instead use a Delete Resource Lock on the NSG you want to protect from rules deletion. More details here.
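The control the reply recommends, as an added example that is not part of the thread: a CanNotDelete resource lock placed on the NSG, both as an ARM template (using the lock's scope property) and via Azure CLI, plus a check that reports whether the lock is present. The NSG, resource group and lock names are placeholders.

```shell
#!/usr/bin/env sh
# Added example: protect an NSG, and the security rules under it, from deletion
# with a CanNotDelete lock. Resource locks are inherited by child resources, so
# a lock on the NSG also blocks deleting any individual securityRules.
# All names used here are placeholders, not values from the thread.

# Emit an ARM template that places the lock directly on an existing NSG via the
# lock's "scope" property (Microsoft.Authorization/locks, apiVersion 2020-05-01).
lock_template_json() {
  nsg_name="$1"
  lock_name="${2:-deny-nsg-delete}"
  cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "${lock_name}",
      "scope": "Microsoft.Network/networkSecurityGroups/${nsg_name}",
      "properties": {
        "level": "CanNotDelete",
        "notes": "NSG and its rules may only be deleted after the lock is lifted."
      }
    }
  ]
}
EOF
}

# Imperative alternative with Azure CLI (needs an authenticated 'az').
apply_nsg_delete_lock() {
  rg="$1"; nsg="$2"; lock_name="${3:-deny-nsg-delete}"
  az lock create --name "$lock_name" --lock-type CanNotDelete \
    --resource-group "$rg" --resource-name "$nsg" \
    --resource-type Microsoft.Network/networkSecurityGroups \
    --notes "Deletion of this NSG and its rules requires lifting the lock first"
}

# Verification: print the names of CanNotDelete locks on the NSG. An empty
# result means the protection is missing and is worth alerting on.
check_nsg_delete_lock() {
  rg="$1"; nsg="$2"
  az lock list --resource-group "$rg" --resource-name "$nsg" \
    --resource-type Microsoft.Network/networkSecurityGroups \
    --query "[?level=='CanNotDelete'].name" -o tsv
}
```

The lock only blocks deletes, so keep the deny policy for create/update of the rule; anyone holding Microsoft.Authorization/locks/* permissions (Owner, User Access Administrator) can remove the lock, which is why lock removals belong in activity log monitoring.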