Loading...

Deny inbound NSG Rule creation via Azure Policy

Deny inbound NSG Rule creation via Azure Policy

 

In this blog article, we will cover how to deny the creation of inbound Network Security Group Rules if the inbound NSG Rule contains  Internet, Any, or 0.0.0.0/0 as source and the destination port contains 22, 3389 or *".

 

Note: If users have the required permissions, they can create exemption for their resources. Which make this policy ineffective for that resource.

 

Custom Policy Definition creation 


You can follow the steps below to create a custom policy:

1) From the Azure portal, access Azure policy, then definitions blade.
2) Create a new policy definition.

 

pic1.png

 

3) Add the definition location (which subscription will be hosting this policy), Name, and description.
4) Set the category to use existing and select Networking (as below):

 

pic2.png

 

5) Then add the below policy definition into the rule field:

Note: you can add more default ports for which this policy will be evaluated. These are the default port used in this policy.
"*",
"22",
"3389",

 

 

{ "mode": "All", "parameters": { "blockedports": { "type": "Array", "metadata": { "displayName": "blocked ports", "description": "The list of ports to block" }, "defaultValue": [ "*", "22", "3389" ] } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" }, { "allOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" }, { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" }, { "anyOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "in": "[parameters('blockedports')]" }, { "not": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", "in": "[parameters('blockedports')]" } } ] }, { "anyOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": [ "*", "Internet", "0.0.0.0/0" ] }, { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", "in": [ "*", "Internet", "0.0.0.0/0" ] } ] } ] } ] }, "then": { "effect": "deny" } } }

 

 

6) Then save the policy.

 

Policy Assignment


Now you can assign this policy as per your requirements. 

1) From Azure policies page, and access definitions blade -> select the created custom policy, and click assign policy (you can assign on the Subscription level or a specific resource group depending on your business requirements).

 

pic3.png

pic4.png

 

2) To update the port list at time of policy assignment. Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "blocked ports" box.

 

pic5.png

 

3) It will open the editor; update the ports you want to include in this policy and click save.

 

pic6.png

 

4) Click Next, and Next, update the "Non-compliance message" as per your requirement.

 

pic7.png

 

5) Click review + create and review the output. Once verified create the policy assignment.

Policy assignment usually takes around 5-15 minutes to take effect.


To update the list of ports after the policy assignment. Edit the policy assignment, go to the parameters tab and edit the ports.

 

Disclaimer
Please note that products and options presented in this article are subject to change. This article reflects custom policy for Azure Network Security Rules in September 2024.

If users have the required permissions, they can create exemption for their resources. Which make this policy ineffective for that resource.


References

Tutorial: Create a custom policy definition - Azure Policy | Microsoft Learn

Programmatically create policies - Azure Policy | Microsoft Learn

Troubleshoot common errors - Azure Policy | Microsoft Learn

Overview of Azure Policy - Azure Policy | Microsoft Learn

Published on:

Learn more
Azure Infrastructure Blog articles
Azure Infrastructure Blog articles

Azure Infrastructure Blog articles

Share post:

Related posts

Confluent Cloud Releases Managed V2 Kafka Connector for Azure Cosmos DB

This article was co-authored by Sudhindra Sheshadrivasan, Staff Product Manager at Confluent. We’re excited to announce the General Availabili...

2 hours ago

Now in Public Preview: Azure Functions Trigger for Azure Cosmos DB for MongoDB vCore

The Azure Cosmos DB trigger for Azure Functions is now in public preview—available for C# Azure Functions using Azure Cosmos DB for MongoDB vC...

6 hours ago

Now Available: Migrate from RU to vCore for Azure Cosmos DB for MongoDB via Azure Portal

We are thrilled to introduce a cost-effective, simple, and efficient solution for migrating from RU-based Azure Cosmos DB for MongoDB to vCore...

22 hours ago

Generally Available: Seamless Migration from Serverless to Provisioned Throughput in Azure Cosmos DB

We are excited to announce the general availability (GA) of a highly requested capability in Azure Cosmos DB: the ability to migrate from serv...

1 day ago

Public Preview: Shape and Control Workloads with Throughput Buckets in Azure Cosmos DB

Imagine your application is processing customer checkouts in real-time, while a background process synchronizes data for reporting. Suddenly, ...

1 day ago

Microsoft Entra ID integration with Azure Cosmos DB for MongoDB (vCore)

Security is no longer a nice-to-have—it’s a foundational requirement for any cloud-native architecture. As organizations adopt managed databas...

1 day ago

How to use the Azure AI Foundry connector in Power Apps

Yesterday I looked at how to use the Azure AI Foundry connector in Power Automate today I'm doing the same within Power Apps, creating a Q�...

1 day ago

DiskANN and Filtered Vector Search are Now Generally Available in Azure Cosmos DB for MongoDB (vCore)

We’re excited to announce general availability of DiskANN and Filtered Vector Search on Azure Cosmos DB for MongoDB (vCore), starting with M30...

2 days ago

Now in Preview: Azure Cosmos DB Fleets

We’re excited to announce the preview of Azure Cosmos DB fleets. Azure Cosmos DB fleets address common challenges that developers face when bu...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy