Closed xuwenjian1995 closed 2 years ago
Hi @xuwenjian1995,
Is it this policy you were looking for: Deny-VNET-Peer-Cross-Sub
(https://www.azadvertizer.net/azpolicyadvertizer/Deny-VNET-Peer-Cross-Sub.html)?
This is here in policies.json
https://github.com/Azure/Enterprise-Scale/blob/83f7e5566db7ed2971120e707a71d76df440c72f/eslzArm/managementGroupTemplates/policyDefinitions/policies.json#L7270
Let us know if that is what you were looking for 👍
Thanks
Jack
We are also working on #935 to add a policy that allows peering only to an approved list of VNETs, which should be available soon, but you can see it in the PR already if needed sooner.
Hi @jtracey93,
Thanks for checking this issue.
I am afraid this is not the policy that I am looking for. We are looking for the custom ESLZ policy that prevents two Virtual Networks (VNets) from being peered with each other, as they can communicate with each other via the Hub VNet. Forcing VNets to communicate with each other through the Hub makes it possible to control and monitor network connections. The network topology is simplified from an overall maintenance perspective as well.
Hey @xuwenjian1995,
These are the policies we have for VNET peering blocking. There aren't any others.
Depending on whether you are trying to stop VNET peering between VNETs in different subscriptions or in the same VNET, the 2 policies we have cover these scenarios. Then, where you assign them in the hierarchy will determine where they apply, following the inheritance model in Azure.
The only other policy I can think of that may be what you are looking for is the Deploy-VNET-HubSpoke
policy (https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/deploy-lz-vnet.md), which creates a VNET and the peering back to the hub from a landing zone subscription. You'll also need to combine this with a policy to configure the UDRs on the VNET, like Deploy-Custom-Route-Table
(https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Custom-Route-Table.html), which is documented further here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/deploy-policy-driven-routing.md
By using the above 2 policies you can achieve what you are looking for. These policy definitions are included in ESLZ.
Hope this helps.
Thanks
Jack
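The thread above describes the intended control (spokes may peer only with the hub, and the "approved list of VNETs" policy from #935) without showing its shape. Below is an added example of such a custom Azure Policy definition; it is not the Enterprise-Scale project's own `policies.json` entry, and the policy name `Deny-VNET-Peer-Non-Approved` and the parameter name `allowedVnets` are assumptions chosen for illustration. It denies a peering whose `remoteVirtualNetwork.id` is not in the parameter list, and it covers both ways a peering can be created: as a standalone `virtualNetworkPeerings` child resource, and inline in the `virtualNetworks` body (the `[*]` alias with a `count` expression).

```json
{
  "name": "Deny-VNET-Peer-Non-Approved",
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "properties": {
    "displayName": "Deny VNET peering to any VNET not in the approved list",
    "description": "Example definition (not the ESLZ project's own). Blocks spoke-to-spoke peering by only allowing peering to the resource IDs listed in allowedVnets, e.g. the hub VNET(s) in the connectivity subscription.",
    "mode": "All",
    "policyType": "Custom",
    "metadata": { "category": "Network" },
    "parameters": {
      "allowedVnets": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed remote VNET resource IDs",
          "description": "Full resource IDs of VNETs that spokes may peer with (assumed parameter name)."
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" },
              {
                "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
                "notIn": "[parameters('allowedVnets')]"
              }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Network/virtualNetworks" },
              {
                "count": {
                  "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*]",
                  "where": {
                    "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id",
                    "notIn": "[parameters('allowedVnets')]"
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Two points to check before assigning it. First, a peering is two resources, one on each VNET, so assign this at the landing zones management group (where the spokes live) and not at the connectivity subscription, or the hub's own peering objects back to each spoke will be denied too. Second, `notIn` against a parameter array means an empty `allowedVnets` denies every peering, so start with `effect` set to `Audit` and review the compliance results before switching to `Deny`.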
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 5 days.
Closing as stale. Please re-open if still required.
This is not a bug report, but I need help finding an ESLZ policy.
According to the azpol.md: https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/azpol.md#provision-hub-and-spoke-network-topology
There is a custom ESLZ policy that prevents two Virtual Networks (VNets) from being peered with each other. However, I was not able to find it in the policies.json:
https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/treyresearch/armTemplates/auxiliary/policies.json
I did find a policy to deny VNET peering from line 10122 to line 10157, but it simply denies ALL VNET peering; it does not prevent two "spoke" Virtual Networks from being peered with each other.
Please kindly help, thank you very much!