Azure Policy Definition – Restricting Public IP for NIC

1 minute read

It has been a while since my last blog post. There were a lot going on outside of work, I couldn’t find time to write, and my blog to-do list is getting longer. Finally things are settled down a little bit. I will try to tackle my list in the coming days. To get started, I will target the easiest ones first.

Few weeks ago, I had to write several custom Azure Policy definitions for a customer. One of them is to restrict Public IPs being provisioned for VMs in particular resource groups. I found a similar definition from the Azure Policy GitHub repo that restrict PIP except for one subnet ( I removed the subnet component from this example, and made it to restrict PIP being associated to a NIC:

Here’s the policy definition:

"policyRule": {
  "if": {
    "allOf": [
        "field": "type",
        "equals": "Microsoft.Network/networkInterfaces"
        "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
        "exists": true
  "then": {
    "effect": "deny"

It is located in my GitHub repo, where you can download or deploy directly to your environment via Azure portal:

Once the policy is assigned (ideally to a resource group), you will be blocked if you are trying to create a VM with public IP:


Leave a comment