Azure Policy to Restrict Storage Account Firewall Rules

Back in Jan 2018, I posted a custom Azure Policy definition that restricts the creation of public-facing storage accounts; in other words, if the storage account you are creating is not attached to a virtual network Service Endpoint, the policy engine blocks its creation. You can find the original post here: https://blog.tyang.org/2018/01/08/restricting-public-facing-azure-storage-accounts-using-azure-resource-policy/. When a storage account is connected to a Service Endpoint, you can also whitelist one or more IP address ranges to allow them to access the storage account from outside your Azure virtual network (i.e. from the Internet). Therefore, in order

Continue reading

Azure Policy–Restrict NICs From Connecting to Particular Subnets

I wrote this policy definition for a customer a few weeks ago, to restrict VMs from connecting to particular subnets. The customer has several subnets that should not be used by VMs, e.g. a dedicated subnet for Azure AD DS (which is not associated with any NSG), or subnets that use different NSGs which normal users should not be using. Since the intention is not to restrict users from using the entire VNet, but only particular subnets, we could not apply such restrictions using custom role definitions. Here’s the policy definition:

It is also located in my GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/restrict-vm-nic-from-connecting-to-subnet. From

Continue reading

Azure Policy Definition – Restricting Public IP for NIC

It has been a while since my last blog post. There was a lot going on outside of work, I couldn’t find time to write, and my blog to-do list kept getting longer. Finally things have settled down a little bit, and I will try to tackle my list in the coming days. To get started, I will target the easiest ones first. A few weeks ago, I had to write several custom Azure Policy definitions for a customer. One of them restricts public IPs from being provisioned for VMs in particular resource groups. I found a similar definition from the

Continue reading

Managing Azure VM Hybrid Use Benefit Configuration Using Azure Policy

Azure Policy is a great tool to manage your standards and policies within your Azure subscriptions. In addition to the built-in policies in the Azure Portal, the product team also provides a public GitHub repository to share custom policy definitions with the community. At the time of writing this post, there are already 2 policy definitions in this GitHub repo for managing the Hybrid Use Benefit (BYO license) for Windows VMs:

Enforce Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/enforce-hybrid-use-benefit
Deny Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/deny-hybrid-use-benefit

These 2 policy definitions are mutually exclusive. If you apply the Enforce policy, you will not be able

Continue reading

Restricting Public-Facing Azure Storage Accounts Using Azure Resource Policy

Background

Back in September 2017, Microsoft announced Virtual Network Service Endpoints for Azure Storage and Azure SQL at Ignite. This feature prevents Storage Accounts and Azure SQL Databases from being accessed from the public Internet. A customer had a requirement to enforce that all storage accounts be attached to VNets as part of their security policies. Azure Resource Policy seemed to be the logical solution for this requirement. In order to make this possible, I contacted the Azure Policy product team, and thanks to their prompt response, this is now possible – although at the time of

Continue reading

Azure Resource Policy to Restrict ALL ASM Resources

I needed to find a way to restrict ALL Azure Service Manager (ASM, aka Classic) resources at the subscription level. Azure Resource Policy seemed to be the logical choice, so I quickly developed a very simple policy definition (view the code on Gist). Once I had deployed the definition and assigned it at the subscription level (using the PowerShell commands listed below), I could no longer deploy ASM resources:

For example, when I tried to create a classic VNet, it failed validation:

Continue reading