
Azure Blueprint: Allow resource only in specific resource group

abovethekloud
New Contributor

Hello all,

 

We would like to use Blueprints to govern Azure subscriptions. Within the blueprint we would like to deploy some kind of "core networking" resource group containing a VNET, which we can achieve using an ARM template. So far so good, but we would like to prevent other VNETs from being deployed to the subscription. I guess it should be possible somehow using Policy and excluding the "core networking" resource group, but I haven't found a way yet.

 

 

2 Replies

@abovethekloud 

AFAIK there's no alias for resource group name for policy evaluation.

You could restrict vNICs to a certain vNet using this example:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/use-approved-vnet-vm-nics

You might want to enhance the example to allow an array of allowed vNets for your vNics.

 

-Michael


@abovethekloud 

 

For the policy, check out the value accessor and the resourceGroup() function.

 

Something like (not tested):

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "like": "Microsoft.Network/*"
      },
      {
        "value": "[resourceGroup().name]",
        "notEquals": "CoreNetworking"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
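To make the reply's suggestion testable without an Azure subscription, here is an added example (not from the thread, and not Microsoft's policy engine) that models how the posted rule is evaluated against a few constructed deployment requests. It assumes, as the thread does, that `[resourceGroup().name]` resolves to the resource group the request targets; it further assumes that `equals`/`notEquals`/`like` compare case-insensitively (ARM resource type and resource group names are case-insensitive) and that `like` accepts a single `*` wildcard. The evaluator and the sample requests are constructed for this illustration; the two rule dictionaries are the rule as posted and a variant narrowed to `Microsoft.Network/virtualNetworks`.

```python
import re

# Added example, not part of the original thread. Simplified offline model of
# how an Azure Policy rule condition is evaluated. Assumptions:
#  - equals/notEquals/like compare case-insensitively (ARM type and resource
#    group names are case-insensitive);
#  - 'like' supports a single '*' wildcard;
#  - "[resourceGroup().name]" resolves to the request's target resource group.

# Rule narrowed to virtual networks only (constructed for this example).
DENY_VNETS_OUTSIDE_CORE_RG = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
            {"value": "[resourceGroup().name]", "notEquals": "CoreNetworking"},
        ]
    },
    "then": {"effect": "deny"},
}

# The rule as posted in the reply above: matches every Microsoft.Network/* type.
DENY_ALL_NETWORK_OUTSIDE_CORE_RG = {
    "if": {
        "allOf": [
            {"field": "type", "like": "Microsoft.Network/*"},
            {"value": "[resourceGroup().name]", "notEquals": "CoreNetworking"},
        ]
    },
    "then": {"effect": "deny"},
}


def _resolve(condition, request):
    """Left-hand side of a condition: a resource field or a value expression."""
    if "field" in condition:
        return request[condition["field"]]
    expr = condition["value"]
    if expr == "[resourceGroup().name]":   # the template function used in the thread
        return request["resourceGroup"]
    return expr                             # any other value is taken as a literal


def _like(value, pattern):
    """Azure Policy 'like': one '*' wildcard, case-insensitive whole-string match."""
    if pattern.count("*") > 1:
        raise ValueError("'like' supports a single '*' wildcard")
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _matches(condition, request):
    """Recursively evaluate a rule condition against one resource request."""
    if "allOf" in condition:
        return all(_matches(c, request) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, request) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], request)
    actual = _resolve(condition, request)
    if "equals" in condition:
        return actual.lower() == condition["equals"].lower()
    if "notEquals" in condition:
        return actual.lower() != condition["notEquals"].lower()
    if "like" in condition:
        return _like(actual, condition["like"])
    if "notLike" in condition:
        return not _like(actual, condition["notLike"])
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, request):
    """Return the rule's effect ('deny') when its 'if' matches, else 'allow'."""
    return policy["then"]["effect"] if _matches(policy["if"], request) else "allow"


# Constructed sample deployments: resource name, ARM type and target resource group.
SAMPLE_REQUESTS = [
    {"name": "hub-vnet", "type": "Microsoft.Network/virtualNetworks", "resourceGroup": "CoreNetworking"},
    {"name": "hub-vnet-lower", "type": "Microsoft.Network/virtualNetworks", "resourceGroup": "corenetworking"},
    {"name": "rogue-vnet", "type": "Microsoft.Network/virtualNetworks", "resourceGroup": "app-rg"},
    {"name": "vm-nic", "type": "Microsoft.Network/networkInterfaces", "resourceGroup": "app-rg"},
    {"name": "data-disk", "type": "Microsoft.Compute/disks", "resourceGroup": "app-rg"},
]


def run(policy):
    """Evaluate every sample request and map resource name -> effect."""
    return {r["name"]: evaluate(policy, r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, policy in (("vnets only", DENY_VNETS_OUTSIDE_CORE_RG),
                          ("as posted", DENY_ALL_NETWORK_OUTSIDE_CORE_RG)):
        print(label, run(policy))
```

Running it shows the difference that matters for the original question: the rule as posted denies the VM NIC in `app-rg` as well as the rogue VNET, because `Microsoft.Network/*` covers NICs, NSGs, public IPs and load balancers, which normally live alongside the workloads that use them. Matching `type` with `equals` on `Microsoft.Network/virtualNetworks` denies only the extra VNET while the blueprint's own VNET in `CoreNetworking` still deploys. Whichever variant you pick, assign it at subscription scope and confirm with a test deployment of a VNET into another resource group before relying on it; this model is not a substitute for Azure's evaluator.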

  
