Loading...

Manage NSG association on Subnets via Azure Policy

Manage NSG association on Subnets via Azure Policy

 

In this blog article, we will cover how to deny the creation of a subnet in a Virtual Network if the subnet does not have a Network Security Group associated with it, using a custom Azure Policy.

You can follow the steps below to create a custom policy:

1) From the Azure portal, access Azure policy, then definitions blade.
2) Create a new policy definition.

 

pic1.png

 

3) Add the definition location (which subscription will be hosting this policy), Name, and description.
4) Set the category to use existing and select Networking (as below):

 

pic2.png

 

5) Then add the below policy definition into the rule field:

Note: you can adjust the below parameters as needed, also the below example excludes the following subnets. You can add more subnets of your choice.
"GatewaySubnet",
"AzureFirewallSubnet",
"AzureBastionSubnet",
"AzureFirewallManagementSubnet"

 

 

 

 

 

 

 

{ "mode": "All", "parameters": { "excludedSubnets": { "type": "Array", "metadata": { "displayName": "Excluded subnets", "description": "The list of subnet names to exclude from the policy" }, "defaultValue": [ "GatewaySubnet", "AzureFirewallSubnet", "AzureBastionSubnet", "AzureFirewallManagementSubnet", "YourCustomSubnet" ] } }, "policyRule": { "if": { "anyOf": [ { "allOf": [ { "field": "type", "equals": "Microsoft.Network/virtualNetworks" }, { "not": { "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id", "exists": true } }, { "field": "Microsoft.Network/virtualNetworks/subnets[*].name", "notIn": "[parameters('excludedSubnets')]" } ] }, { "allOf": [ { "field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets" }, { "not": { "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", "exists": true } }, { "field": "name", "notIn": "[parameters('excludedSubnets')]" } ] } ] }, "then": { "effect": "deny" } } }

 

 

 

 

 

 

 

6) Then save the policy.

Now you can assign this policy as per your requirements.

1) From Azure policies page, and access definitions blade -> select the created custom policy, and click assign policy (you can assign on the Subscription level or a specific resource group depending on your business requirements).

 

pic3.png

 

 

 

2) To update the excluded subnet list at time of policy assignment. Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "Excluded subnets" box.

 

pic4.png

 

 

 

3) It will open the editor; update the subnet name you want to exclude and click save.

 

pic5.png

 

 

 

4) Click Next, and Next, update the "Non-compliance message" as per your requirement.

 

pic6.png

 

 

5) Click review + create and review the output. Once verified create the policy assignment. Policy assignment usually takes around 5-15 minutes to take effect.


To update the list of excluded subnets after the policy assignment.

 

1) From the Azure portal, access Azure policy, then Assignments blade and search the assignment.
2) Open the assignment by clicking on the name

pic7.png

 

3) Select Edit assignment

 

pic8.png

 

4) Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "Excluded subnets" box.

 

pic9.png

 

5) It will open the editor; update the subnet name you want to exclude and click save.

pic10.png

 

Disclaimer

  • Please note that products and options presented in this article are subject to change. This article reflects custom policy for Azure Subnets in September 2024.
  • If users have the required permissions, they can create exemptions for their resources, which makes this policy ineffective for those resources.
  • Some subnets managed by Azure services may not require an NSG. Ensure these subnets are added to the excluded subnet list or use a policy exception as needed.
  • It is highly recommended to test this policy in a non-production environment before applying it to your production environment to avoid any unintended disruptions and to make sure it meets your requirements.

 

References

Tutorial: Create a custom policy definition - Azure Policy | Microsoft Learn

Programmatically create policies - Azure Policy | Microsoft Learn

Troubleshoot common errors - Azure Policy | Microsoft Learn

Overview of Azure Policy - Azure Policy | Microsoft Learn

 

Published on:

Learn more
Azure Networking Blog articles
Azure Networking Blog articles

Azure Networking Blog articles

Share post:

Related posts

Announcing the new Azure DevOps Server RC Release

We’re excited to announce the release candidate (RC) of Azure DevOps Server, bringing new features previously available in our hosted version....

1 day ago

How to Integrate Azure Service Bus with Microsoft Dynamics 365 CRM Step by Step with Example?

Keeping data flowing between applications is critical in today’s connected business world. Organizations using Microsoft Dynamics 365 CR...

4 days ago

Enhancing Secure Sign-Ins with Temporary Access Pass in Azure Active Directory

Introduction While working on improving user account recovery scenarios, a common challenge often arises: how to securely allow a user to sign...

5 days ago

Azure SDK Release (September 2025)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (September 202...

6 days ago

Batch Processing Triggered Pipeline Runs in Azure Synapse

This post describes a pattern for batch processing triggered pipeline runs in Azure Synapse

7 days ago

Reliably refreshing a Semantic Model from Azure Data Factory or Synapse Pipelines

This post describes a pattern for reliably refreshing Power BI semantic models from Azure Data Factory or Azure Synapse Pipelines.

7 days ago

Power Pages Fundamentals #24: Boosting Portal Security with Azure Single Sign-On: Quick Read Series

Contoso Motors is a large automotive service company.They have built a Power Pages customer portal for their external partners and customers t...

8 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy