I have a use case where I do not want any resource to connect to my VNET except a few allowed ones. We are designing a secured containerized environment for our customers with very strict access control policies. However, we are not seeing the policy triggered for the network join operation.
For testing purpose, I used the following policy just to capture and deny all the operations on virtual network and assigned this policy to the resource group scope where my VNET is present:
{
    "mode": "All",
    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
        },
        "then": {
            "effect": "deny"
        }
    }
}
After this policy is assigned to my resource group, I am not able to create VNETs in my resource group; however, I am still able to join an existing VNET in this resource group. It looks like the policy is not even being evaluated/triggered for the network join action. How can we deny this action?
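To show why the rule above never fires on a join, here is a small added illustration (not Azure's policy engine and not code from the question): Azure Policy evaluates the resource in the request, and a join is a PUT of the joining resource, such as a network interface, while the virtual network itself is untouched, so a rule keyed on `type == Microsoft.Network/virtualNetworks` only ever sees VNet creates. The alternative `JOIN_POLICY`, the alias name `Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.id`, the resource ids and the allow-list are assumptions for the example.

```python
# Added illustration: a miniature evaluator for the two rule shapes used here.
# It is not Azure's policy engine; alias name and resource ids are assumptions.

VNET_ID = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
           "Microsoft.Network/virtualNetworks/vnet1")  # placeholder id
SUBNET_ALIAS = "Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.id"
ALLOWED_SUBNETS = [VNET_ID + "/subnets/web"]          # assumed allow-list

# The policy from the question: deny anything whose own type is a virtual network.
QUESTION_POLICY = {"mode": "All", "policyRule": {
    "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
    "then": {"effect": "deny"}}}

# Assumed alternative: evaluate the *joining* resource (the NIC) and deny it when
# any of its ipConfigurations points at a subnet outside the allow-list.
JOIN_POLICY = {"mode": "All", "policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/networkInterfaces"},
        {"not": {"field": SUBNET_ALIAS, "in": ALLOWED_SUBNETS}}]},
    "then": {"effect": "deny"}}}

# Constructed requests: a VNet PUT, a compliant NIC join, and a NIC with a rogue subnet.
VNET_REQUEST = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1"}
def nic_request(*subnets):
    return {"type": "Microsoft.Network/networkInterfaces", "name": "nic1", "properties": {
        "ipConfigurations": [{"properties": {"subnet": {"id": s}}} for s in subnets]}}
GOOD_JOIN = nic_request(VNET_ID + "/subnets/web")
ROGUE_JOIN = nic_request(VNET_ID + "/subnets/web", VNET_ID + "/subnets/db")

def field_values(resource, field):
    """Values a policy field selects on the request; [] when the alias does not apply."""
    if field == "type":
        return [resource.get("type")]
    if field == SUBNET_ALIAS and resource.get("type") == "Microsoft.Network/networkInterfaces":
        return [c["properties"]["subnet"]["id"] for c in resource["properties"]["ipConfigurations"]]
    return []

def evaluate(cond, resource):
    """True when the condition holds; a [*] field condition needs every element to satisfy it."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    values = field_values(resource, cond["field"])
    if not values:
        return False
    if "equals" in cond:
        return all(v == cond["equals"] for v in values)
    return all(v in cond["in"] for v in values)

def effect(policy, resource):
    """'deny' when the rule's if-block matches the request, else 'allow'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "allow"
```

The `not`/`in` pairing on the `[*]` alias is what makes a NIC with one allowed and one disallowed subnet fail the allow-list, whereas the question's rule returns `allow` for every join request.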
Network join operations typically involve a resource connecting or associating with a virtual network, and this may not be directly governed by Azure Policy in the way you're expecting. Instead, network joins often fall into the realm of network security controls, where you'd use features like Network Security Groups, Azure Firewall, or other network-related services.

Network Security Groups (NSGs): Configure an NSG on your subnets to control inbound and outbound traffic.

All traffic coming from the IP address 10.0.1.0 to the specified VNet will be blocked. In this way, you can restrict resources to the VNet and allow only specific IP address ranges that are supposed to join the network.