Deny inbound NSG Rule creation via Azure Policy
In this blog article, we will cover how to deny the creation of inbound Network Security Group Rules if the inbound NSG Rule contains Internet, Any, or 0.0.0.0/0 as source and the destination port contains 22, 3389 or *".
Note: If users have the required permissions, they can create exemption for their resources. Which make this policy ineffective for that resource.
Custom Policy Definition creation
You can follow the steps below to create a custom policy:
1) From the Azure portal, access Azure policy, then definitions blade.
2) Create a new policy definition.
3) Add the definition location (which subscription will be hosting this policy), Name, and description.
4) Set the category to use existing and select Networking (as below):
5) Then add the below policy definition into the rule field:
Note: you can add more default ports for which this policy will be evaluated. These are the default port used in this policy.
"*",
"22",
"3389",
6) Then save the policy.
Policy Assignment
Now you can assign this policy as per your requirements.
1) From Azure policies page, and access definitions blade -> select the created custom policy, and click assign policy (you can assign on the Subscription level or a specific resource group depending on your business requirements).
2) To update the port list at time of policy assignment. Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "blocked ports" box.
3) It will open the editor; update the ports you want to include in this policy and click save.
4) Click Next, and Next, update the "Non-compliance message" as per your requirement.
5) Click review + create and review the output. Once verified create the policy assignment.
Policy assignment usually takes around 5-15 minutes to take effect.
To update the list of ports after the policy assignment. Edit the policy assignment, go to the parameters tab and edit the ports.
Disclaimer
Please note that products and options presented in this article are subject to change. This article reflects custom policy for Azure Network Security Rules in September 2024.
If users have the required permissions, they can create exemption for their resources. Which make this policy ineffective for that resource.
References
Tutorial: Create a custom policy definition - Azure Policy | Microsoft Learn
Programmatically create policies - Azure Policy | Microsoft Learn
Published on:
Learn moreRelated posts
How to secure access to an Azure Container registry with a Managed Identity and RBAC
This post is part of a series How to deploy Azure LogAnalytics Workspace and link Application Insights to it How to use Azure Container Regi...
Unified Routing – Diagnostics in Azure
You may (or may not) be aware that the diagnostics option in Unified Routing has been deprecated. It is being replaced by diagnostics in Azure...
Service health and Message center: Azure Information Protection consolidation
This post is about the consolidation of Azure Information Protection communications under Microsoft Purview in Service Health and Message Cent...
Switch to Azure Business Continuity Center for your at scale BCDR management needs
In response to the evolving customer requirements and environments since COVID-19, including the shift towards hybrid work models and the incr...
Optimizing Azure Table Storage: Automated Data Cleanup using a PowerShell script with Azure Automate
Scenario This blog’s aim is to manage Table Storage data efficiently. Imagine you have a large Azure Table Storage that accumulates logs from ...
Microsoft Fabric: Resolving Capacity Admin Permission Issues in Automate Capacity Scaling with Azure LogicApps
A while back, I published a blogpost explaining how to use Azure LogicApps to automate scaling Microsoft Fabric F capacities under the PAYG (P...
The Azure Storage product group is heading to the SNIA Developer Conference 2024
The Azure Storage product group is heading to the SNIA Developer Conference (SDC) 2024 in Santa Clara, California, USA from September 16th thr...
ISSUE RESOLVED: Azure Lab Services - lab plan outage - September 12, 2024
Hello, Azure Lab Services is currently experiencing an outage affecting customers using Lab Plans for their service. Customers using Lab Accou...