
Policy to block the creation of NSGs with rules that allow RDP or SSH access from the Internet

VELASCO Alan M. TENARIS 40 Reputation points
2023-09-08T17:48:21.2966667+00:00

I have been testing an Azure policy to block the creation of NSGs (Network Security Groups) with rules that allow RDP or SSH access from the internet. I have noticed that it works correctly when tested with a private IP, but when I use a public IP the policy does not apply. Could you support me on how to make it also apply to a public IP?

My JSON policy:

{
    "mode": "all",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "in": "[parameters('deniedPorts')]"
                  },
                  {
                      "not": {
                          "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                          "notIn": "[parameters('deniedPorts')]"
                      }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "in": [
                      "*",
                      "Internet"
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    },
    "parameters": {
      "deniedPorts": {
        "type": "Array",
        "metadata": {
          "displayName": "Ports to block",
          "description": "The inbound ports that should be blocked"
        }
      }
    }
}
Azure Policy

Answer accepted by question author
  1. Ryan Hill 30,331 Reputation points Microsoft Employee Moderator
    2023-09-13T23:09:56.7566667+00:00

    Hi @VELASCO Alan M. TENARIS

    When I used your provided policy, I got the same experience. However, I was able to get the deny working with the following policy:

    {
      "mode": "all",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "in": [
                    "22",
                    "3389"
                  ]
                }
              ]
            },
            {
              "not": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                "equals": "VirtualNetwork"
              }
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }
    
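To see concretely which NSG rules each of the two definitions in this thread would deny, here is an added offline evaluator (my own illustration, not Azure's policy engine and not code from the question or the answer). It implements only the condition syntax the two definitions use (allOf, anyOf, not, and the field operators equals, in, notIn, including the "[*]" array alias), substitutes a literal list for [parameters('deniedPorts')], and runs both "if" blocks over a handful of constructed security rules. Two assumptions are mine: a field condition on a "[*]" alias is treated as holding only if it holds for every element (vacuously true on an empty or absent array), which is my reading of the documented semantics, and the sample rules are invented, not taken from any real NSG.

```python
# Added illustration: an offline evaluator for the two policy "if" blocks in
# this thread. Not Azure's policy engine and not code from the page; it covers
# only the condition syntax the two definitions use.
ALIAS = "Microsoft.Network/networkSecurityGroups/securityRules/"
NSG_RULE_TYPE = "Microsoft.Network/networkSecurityGroups/securityRules"
DENIED_PORTS = ["22", "3389"]  # stands in for [parameters('deniedPorts')]

# The question's policy (nested allOf flattened; logically unchanged).
QUESTION_POLICY = {"allOf": [
    {"field": "type", "equals": NSG_RULE_TYPE},
    {"field": ALIAS + "access", "equals": "Allow"},
    {"field": ALIAS + "direction", "equals": "Inbound"},
    {"anyOf": [
        {"field": ALIAS + "destinationPortRange", "in": DENIED_PORTS},
        {"not": {"field": ALIAS + "destinationPortRanges[*]", "notIn": DENIED_PORTS}},
    ]},
    {"anyOf": [{"field": ALIAS + "sourceAddressPrefix", "in": ["*", "Internet"]}]},
]}

# The accepted answer's policy.
ANSWER_POLICY = {"allOf": [
    {"field": "type", "equals": NSG_RULE_TYPE},
    {"field": ALIAS + "access", "equals": "Allow"},
    {"field": ALIAS + "direction", "equals": "Inbound"},
    {"anyOf": [{"field": ALIAS + "destinationPortRange", "in": DENIED_PORTS}]},
    {"not": {"field": ALIAS + "sourceAddressPrefix", "equals": "VirtualNetwork"}},
]}


def _values(rule, field):
    """Resolve a field alias to the values it addresses on one rule.
    '[*]' expands to every element of the array property (none if absent);
    a scalar alias gives a one-element list holding None when absent."""
    if field == "type":
        return [rule["type"]]
    prop = field[len(ALIAS):]
    if prop.endswith("[*]"):
        return list(rule["properties"].get(prop[:-3]) or [])
    return [rule["properties"].get(prop)]


def evaluate(cond, rule):
    """Evaluate a condition tree. Assumption (my reading of the documented
    '[*]' semantics): a field condition on an array alias must hold for
    every element, so it is vacuously true on an empty or absent array."""
    if "allOf" in cond:
        return all(evaluate(c, rule) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, rule) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], rule)
    values = _values(rule, cond["field"])
    if "equals" in cond:
        return all(v == cond["equals"] for v in values)
    if "in" in cond:
        return all(v in cond["in"] for v in values)
    if "notIn" in cond:
        return all(v not in cond["notIn"] for v in values)
    raise ValueError(f"unsupported condition: {cond!r}")


def nsg_rule(name, source, port=None, ports=None, direction="Inbound"):
    """Build a securityRules resource as ARM represents it: one port goes in
    destinationPortRange, several in the destinationPortRanges array."""
    props = {"access": "Allow", "direction": direction, "protocol": "Tcp",
             "sourceAddressPrefix": source}
    if port is not None:
        props["destinationPortRange"] = port
    if ports is not None:
        props["destinationPortRanges"] = ports
    return {"name": name, "type": NSG_RULE_TYPE, "properties": props}


# Constructed sample rules, not taken from any real NSG.
SAMPLE_RULES = [
    nsg_rule("rdp-from-any", "*", port="3389"),
    nsg_rule("ssh-from-internet-tag", "Internet", port="22"),
    nsg_rule("rdp-from-public-ip", "203.0.113.5", port="3389"),
    nsg_rule("ssh-from-private-ip", "10.0.0.5", port="22"),
    nsg_rule("ssh-rdp-multi-port", "*", ports=["22", "3389"]),
    nsg_rule("rdp-inside-range", "*", port="3000-4000"),
    nsg_rule("rdp-from-vnet", "VirtualNetwork", port="3389"),
    nsg_rule("https-from-any", "*", port="443"),
    nsg_rule("rdp-outbound", "*", port="3389", direction="Outbound"),
]


def denied_by(policy, rules):
    """Names of the rules a deny policy with this 'if' block would reject."""
    return [r["name"] for r in rules if evaluate(policy, r)]


if __name__ == "__main__":
    for label, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(f"{label}: denies {denied_by(policy, SAMPLE_RULES)}")
```

Running it makes the behaviour from the thread visible: a rule whose source is a specific public address such as 203.0.113.5 is neither "*" nor "Internet", so the question's policy never matches it, while the answer's policy matches because the source is anything other than the VirtualNetwork tag. The same run shows the trade-offs of the accepted definition: it also denies a rule sourced from a private address like 10.0.0.5, and it does not fire on a rule that lists its ports in destinationPortRanges (the question's policy did cover that case). Neither definition catches a port range such as 3000-4000 or a destination of "*", and both match only the securityRules child resource type, so rules supplied inline in an NSG body would need a separate branch on Microsoft.Network/networkSecurityGroups using the securityRules[*] aliases.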

0 additional answers