How to prevent changes to the Firewalls and virtual network section for resources?


Is it possible to prevent someone from making changes to the configuration of virtual network settings, specifically not allowing someone to add IP addresses for access, via a Policy or a custom IAM role?

I've searched through the policies and have yet to find anything that is associated, but perhaps I am missing the policy or policies to prevent changes? If no policies exist, would I need to create a custom role for users for RGs so they can't make changes to the Firewalls and virtual network section?

Also, are changes made to any settings in the virtual network settings section logged?


Hi @Jeff Walzer,

If you enable read-only resource locks at the resource group level or resource level, you can prevent changes to the firewall or virtual network.

@Jeff Walzer

Hi, to prevent changes on any resources you have to define an IAM strategy for your resources:

Giving the Owner role to those who need full access

Giving the Contributor role to those who need to modify resources

Giving the Reader role to those who need read-only access

Giving custom roles for specific needs

Giving a role tied to a resource type for specific operations (Virtual Machine Contributor, for example)

You may know that roles are inherited from the subscription and resource group, so you need to consider that and finally create a map to be able to retrieve who has access to what, and then revoke if necessary.

Once you have done that you can add a read-only lock at the resource group level so only people with the right access will be able to remove it (that's why I suggest identifying those people above). This lock will prevent any changes on any resource in the resource group scope.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources#who-can-crea...
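As an added illustration of the lock approach described above (this is example code, not part of the original thread), the following Az PowerShell snippet applies a ReadOnly lock at resource group scope, verifies it, and then queries the Activity Log for lock removals, which also answers the logging question in the original post: every lock create/delete and every change to a resource's network rules is recorded as a management-plane event. The resource group name, lock name and time window are assumed placeholders.

```powershell
# Added example (not from the thread). Assumes Az.Resources and Az.Monitor are
# installed and Connect-AzAccount has already been run.
$rgName   = 'rg-network-prod'        # assumed resource group name
$lockName = 'no-network-changes'     # assumed lock name

# 1. Apply a ReadOnly lock at resource group scope. It is inherited by every
#    resource in the group, so the "Firewalls and virtual networks" settings of
#    storage accounts, Key Vaults, etc. can no longer be updated until the lock
#    is removed, regardless of the caller's RBAC role.
New-AzResourceLock -LockName $lockName `
    -LockLevel ReadOnly `
    -ResourceGroupName $rgName `
    -LockNotes 'Change control: remove only via an approved change request' `
    -Force

# 2. Confirm the lock is in place.
Get-AzResourceLock -ResourceGroupName $rgName |
    Select-Object Name, ResourceGroupName, @{ n = 'Level'; e = { $_.Properties.level } }

# 3. Audit: removing a lock is itself logged as Microsoft.Authorization/locks/delete.
#    This lists who removed a lock in this resource group over the last 30 days,
#    which is the event a change-control process should alert on.
Get-AzActivityLog -ResourceGroupName $rgName -StartTime (Get-Date).AddDays(-30) |
    Where-Object { $_.OperationName.Value -eq 'Microsoft.Authorization/locks/delete' } |
    Select-Object EventTimestamp, Caller, @{ n = 'Status'; e = { $_.Status.Value } }
```

Two caveats worth knowing before applying this at resource group scope: a ReadOnly lock blocks every POST-style management operation too, so on a storage account it also prevents listing the access keys, and Activity Log retention in the portal is 90 days, so send it to a Log Analytics workspace or storage account if the audit trail must be kept longer.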

@atulram

Thx for the reply. Would locking a resource also prevent the users/groups who should have the ability to make changes, such as the security or network team?

@Sagar_Lad

Thx for the reply. Would locking a resource also prevent the users/groups who should have the ability to make changes, such as the security or network team?

@ibnmbodji

Thx for the info on IAM.

We looked at custom roles, but there are thousands of permissions per role and I have yet to find any documentation that specifically lists what permissions to remove from networking that would prevent a user from making changes.

@Jeff Walzer

In the process of creating the custom role through the portal you can exclude some permissions.

In the screenshot, for example, I can add or remove the permission to delete an Azure Firewall Application Rule Collection. Another way to do that is to start from the Reader role and add the necessary write permissions. But as you see, it can be a big management overhead if your goal is only to prevent changes?

In my opinion the simplest way is to add a lock and put a process in place to remove the lock if necessary.

As Contributor you can delete locks at the resource level but not at the subscription level (only Owners can).
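To show concretely what the "exclude some permissions" route above looks like outside the portal, here is an added example (not the poster's code) that clones the built-in Contributor role and subtracts the networking write and delete operations through NotActions, so holders keep Contributor rights everywhere except Microsoft.Network. The role name and subscription ID are assumed placeholders.

```powershell
# Added example (not from the thread). Assumes Az.Resources is installed and
# Connect-AzAccount has already been run.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID

# Start from the built-in Contributor definition and turn it into a custom role.
$role = Get-AzRoleDefinition -Name 'Contributor'
$role.Id          = $null                                   # a new Id is generated on create
$role.IsCustom    = $true
$role.Name        = 'Contributor - No Network Changes'      # assumed role name
$role.Description = 'Contributor without the ability to create, change or delete networking resources'

# NotActions subtract from the Actions granted above; they are not a deny rule,
# so a second role assignment that grants these operations would still allow them.
$role.NotActions.Add('Microsoft.Network/*/write')
$role.NotActions.Add('Microsoft.Network/*/delete')

# Custom roles must list where they may be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role

# Verify the resulting definition.
Get-AzRoleDefinition -Name $role.Name | Select-Object Name, Actions, NotActions
```

One limitation explains why the lock is usually the simpler answer for the original question: the "Firewalls and virtual networks" blade of a storage account or Key Vault is written through that resource's own write operation (for example `Microsoft.Storage/storageAccounts/write`), which cannot be split from every other property change on the resource, so a NotActions entry for it would block all edits to the account rather than just the network rules.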

@Jeff Walzer 

A ReadOnly lock means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

You can read about it in detail here --> link

Hi @Jeff Walzer,

Yes, it will also prevent changes to the Firewalls and Virtual Network by anyone, such as a network admin.

There are basically two types of locks: 1) Read Only 2) Delete Lock

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources