Manage NSG association on Subnets via Azure Policy
In this blog article, we will cover how to deny the creation of a subnet in a Virtual Network if the subnet does not have a Network Security Group associated with it, using a custom Azure Policy.
You can follow the steps below to create a custom policy:
1) From the Azure portal, access Azure policy, then definitions blade.
2) Create a new policy definition.
3) Add the definition location (which subscription will be hosting this policy), Name, and description.
4) Set the category to use existing and select Networking (as below):
5) Then add the below policy definition into the rule field:
Note: you can adjust the below parameters as needed, also the below example excludes the following subnets. You can add more subnets of your choice.
"GatewaySubnet",
"AzureFirewallSubnet",
"AzureBastionSubnet",
"AzureFirewallManagementSubnet"
6) Then save the policy.
Now you can assign this policy as per your requirements.
1) From Azure policies page, and access definitions blade -> select the created custom policy, and click assign policy (you can assign on the Subscription level or a specific resource group depending on your business requirements).
2) To update the excluded subnet list at time of policy assignment. Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "Excluded subnets" box.
3) It will open the editor; update the subnet name you want to exclude and click save.
4) Click Next, and Next, update the "Non-compliance message" as per your requirement.
5) Click review + create and review the output. Once verified create the policy assignment. Policy assignment usually takes around 5-15 minutes to take effect.
To update the list of excluded subnets after the policy assignment.
1) From the Azure portal, access Azure policy, then Assignments blade and search the assignment.
2) Open the assignment by clicking on the name
3) Select Edit assignment
4) Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "Excluded subnets" box.
5) It will open the editor; update the subnet name you want to exclude and click save.
Disclaimer
- Please note that products and options presented in this article are subject to change. This article reflects custom policy for Azure Subnets in September 2024.
- If users have the required permissions, they can create exemptions for their resources, which makes this policy ineffective for those resources.
- Some subnets managed by Azure services may not require an NSG. Ensure these subnets are added to the excluded subnet list or use a policy exception as needed.
- It is highly recommended to test this policy in a non-production environment before applying it to your production environment to avoid any unintended disruptions and to make sure it meets your requirements.
References
Tutorial: Create a custom policy definition - Azure Policy | Microsoft Learn
Programmatically create policies - Azure Policy | Microsoft Learn
Troubleshoot common errors - Azure Policy | Microsoft Learn
Overview of Azure Policy - Azure Policy | Microsoft Learn
Published on:
Learn moreRelated posts
Creating an Agent with Actions in Azure AI Foundry
Azure AI Foundry is an Azure service where you can create agents using various LLMs (including your own). In this post we will look at how to ...
New Test Run Hub in Azure Test Plans
Delivering high-quality software is a necessity and that’s why Azure Test Plans has introduced the all-new Test Run Hub, an enabler for teams ...
Microsoft Teams: New SlimCore-based optimization for Microsoft Teams in VDI – support for MacOS on Citrix and Azure Virtual Desktops/Windows 365
This feature allows MAC endpoints to optimize Microsoft Teams in VDI environments with the new SlimCore-based media engine, providing an expan...
Microsoft Whiteboard: Azure to OneDrive migration progress update
Microsoft Whiteboard storage is migrating from Azure to OneDrive, starting February 2024 and completing by August 2025, with full deprecation ...
Copilot Studio: Azure AI Search Complete Setup Guide
Copilot Studio can use an Azure AI Search index as knowledge to answer Users questions ... The post Copilot Studio: Azure AI Search Complete S...
Microsoft Azure Fundamentals #1: Creating External Tenants in Entra ID: A Step-by-Step Guide
It is important to configure external tenants for different scenarios. In this post we can see how to create a tenant step by step so that it ...
Azure Information Protection: Enable multifactor authentication for your Azure tenant by October 1, 2025
Microsoft will enforce multifactor authentication (MFA) for all Azure resource management actions starting October 1, 2025, with a postponemen...
Azure Automation Custom Runtime Environments
A custom runtime environment is a way of defining a specific job execution environment for Azure Automation runbooks, including Microsoft Grap...
Dynamics 365 Customer Insights – Data – Export your data to Azure Data Lake Storage
We are announcing the general availability of the export to Azure Data Lake Storage (ADLS) feature in Dynamics 365 Customer Insights – Data on...
Dynamics 365 Business Central: Quickly find the Tenant ID, Azure AD Instance, and Tenant Scope from the domain (tenant) name without signing in
Hi, Readers.Today I would like to share another mini tip, how to quickly find the Tenant ID, Azure AD Instance, and Tenant Scope from the doma...