Created
April 11, 2024 09:19
-
-
Save cloudchristoph/7c533d31e4973ae3a3b1f65d55739e34 to your computer and use it in GitHub Desktop.
Azure Policy: Deny Service Endpoints on subnets
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "Deny Service Endpoints on subnets", | |
| "description": "This Policy will deny the enablement of Service Endpoints on subnets. This will also prevent PaaS resources such as Azure Storage from being able to add this subnet to their firewall allowed list.", | |
| "mode": "All", | |
| "policyRule": { | |
| "if": { | |
| "anyOf": [ | |
| { | |
| "allOf": [ | |
| { | |
| "field": "type", | |
| "equals": "Microsoft.Network/virtualNetworks" | |
| }, | |
| { | |
| "count": { | |
| "field": "Microsoft.Network/virtualNetworks/subnets[*]", | |
| "where": { | |
| "not": { | |
| "field": "Microsoft.Network/virtualNetworks/subnets[*].serviceEndpoints[*].service", | |
| "notLike": "*" | |
| } | |
| } | |
| }, | |
| "greater": 0 | |
| } | |
| ] | |
| }, | |
| { | |
| "allOf": [ | |
| { | |
| "field": "type", | |
| "equals": "Microsoft.Network/virtualNetworks/subnets" | |
| }, | |
| { | |
| "not": { | |
| "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service", | |
| "notLike": "*" | |
| } | |
| } | |
| ] | |
| } | |
| ] | |
| }, | |
| "then": { "effect": "[parameters('effect')]" } | |
| }, | |
| "parameters": { | |
| "effect": { | |
| "type": "String", | |
| "metadata": { | |
| "displayName": "Effect", | |
| "description": "Enable or disable the execution of the policy" | |
| }, | |
| "allowedValues": ["Deny", "Disabled"], | |
| "defaultValue": "Deny" | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment