Azure / Community-Policy

This repo is for Microsoft Azure customers and Microsoft teams to collaborate in making custom policies.
MIT License

deny-nsgs-with-rules-with-source-any doesn't seem to be working as expected #220

Closed asifkd012020 closed 1 year ago

asifkd012020 commented 2 years ago

https://github.com/Azure/Community-Policy/blob/master/Policies/Network/deny-nsgs-with-rules-with-source-any/azurepolicy.json

I have tried using this policy in deny mode and it looks like it doesn't work. I was able to create rules with any (*) source on inbound rules in the NSG. Have you guys come across issues with NSG policy rules?

SebastianClaesson commented 1 year ago

I believe this policy will not deny any created/updated child resources of the Network Security Group. It's perfect for auditing, but if you want an effective deny rule I suggest you use this: https://github.com/Azure/Community-Policy/pull/260

I created a Pull request with an Azure Policy to manage these settings.

The other policy should perhaps be moved or have its parameters changed to Disabled/Audit.

ping @techlake :)
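The distinction Sebastian describes, as an added example (this is neither the repo's azurepolicy.json nor the definition in PR #260): a policy whose `if` block has one branch for the parent `Microsoft.Network/networkSecurityGroups` resource, which evaluates rules submitted inline in the NSG body, and a second branch for the child `Microsoft.Network/networkSecurityGroups/securityRules` resource type, which is the path a parent-only policy never sees and so cannot deny. The alias names are assumed to be the standard Microsoft.Network aliases; the `securityRules[*]` and `sourceAddressPrefixes[*]` array forms are used so that a `*` source is matched whether it is given as a single prefix or as one entry in a prefix list.

```json
{
  "mode": "All",
  "parameters": {
    "effect": {
      "type": "String",
      "allowedValues": ["Audit", "Deny", "Disabled"],
      "defaultValue": "Deny"
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
            { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
            { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
            { "anyOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "*" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", "equals": "*" }
            ] }
          ]
        },
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
            {
              "count": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                "where": {
                  "allOf": [
                    { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                    { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
                    { "anyOf": [
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "equals": "*" },
                      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", "equals": "*" }
                    ] }
                  ]
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
```

With `effect` left at `Deny`, a rule added through the portal or ARM as a separate `securityRules` resource is rejected by the first branch, while an NSG created or updated with such a rule inline is rejected by the `count` branch; switching the parameter to `Audit` gives the non-blocking behaviour the original policy is suited for.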

techlake commented 1 year ago

Cleaning up old issues (closing)