Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Behavior of the built-in policy “Azure AI Services resources should restrict network access”. #1384

Open wada10 opened 2 months ago

wada10 commented 2 months ago

■Details of the scenario you tried and the problem that is occurring

Based on the description of the policy below for restricting network access in the Azure AI service, “When network access is restricted, only authorized networks will be able to access the service”, I thought that the policy would be compliant when the network configuration is the selected network configuration.

URL : List of built-in policy definitions - Azure Policy | Microsoft Learn

Name (Azure portal): Azure AI Services resources should restrict network access
Description: By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service.
Effect(s): Audit, Deny, Disabled
Version (GitHub): 3.2.0

However, in actual operation, “Microsoft.Search/searchServices” is in a non-compliant state.
I understand that this policy works under the following conditions, but I believe the Japanese version of the description does not explain well how this policy works.

・Compliant if CognitiveServices/accounts public network access is not “disabled” and networkAcls is not “denied”.
・Compliant if public network access for Microsoft.Search/searchServices is not “disabled”.

Additionally, although listed as an Azure AI service resource, resource types such as “Microsoft.BotService/botServices” are not covered by this policy. As stated in the name of the policy in question, it would be more convenient to have a policy that covers all “Azure AI Services resources”.

We also checked other embedded policies and found none that would be compliant if the selected network were configured.

■Verbose logs showing the problem

N/A

■Suggested solution to the issue

・Modify the description in the policy to explain how the current policy works.
・Publish a built-in policy that restricts network access for all Azure AI Services resources (also compliant for selected IP address situations) or publish a built-in policy that restricts network access for each resource type.

■If policy is Guest Configuration - details about target node

N/A
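To make the behaviour described in this issue concrete, the following is an added example; it is not code from the issue or from the azure-policy repository. It models, as an assumption, a reading in which the built-in rule flags a Cognitive Services account whose publicNetworkAccess is not Disabled and whose networkAcls default action is not Deny, and flags a Search service whose publicNetworkAccess is not disabled; the property names are the ARM resource properties rather than the policy's alias strings, the resource documents are constructed samples, and string comparison is case-insensitive to mirror Azure Policy. Run against these samples it shows why a "selected networks" Cognitive Services account passes while a Search service with only IP rules does not, and why a Bot Service is never evaluated.

```python
"""Model of a network-restriction evaluation over constructed ARM-style resources.

Assumption (not the repository's definition): a resource is treated as
restricted when public network access is disabled, or, for Cognitive
Services accounts, when the networkAcls default action is Deny.
"""

# Constructed sample resources; shapes follow ARM properties, values are invented.
SAMPLE_RESOURCES = [
    {   # Cognitive Services account on "Selected networks": public access on, default Deny + IP rule
        "name": "ai-selected-networks",
        "type": "Microsoft.CognitiveServices/accounts",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
        },
    },
    {   # Cognitive Services account open to all networks
        "name": "ai-all-networks",
        "type": "Microsoft.CognitiveServices/accounts",
        "properties": {"publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"}},
    },
    {   # Search service with IP rules but public access still enabled (the case the issue reports)
        "name": "search-selected-ips",
        "type": "Microsoft.Search/searchServices",
        "properties": {
            "publicNetworkAccess": "enabled",
            "networkRuleSet": {"ipRules": [{"value": "203.0.113.10"}]},
        },
    },
    {   # Search service with public access disabled
        "name": "search-disabled",
        "type": "Microsoft.Search/searchServices",
        "properties": {"publicNetworkAccess": "disabled"},
    },
    {   # Bot Service: not a type the modelled rule looks at
        "name": "bot-service",
        "type": "Microsoft.BotService/botServices",
        "properties": {"publicNetworkAccess": "Enabled"},
    },
]


def _get(doc, path, default=None):
    """Walk a dotted path such as 'networkAcls.defaultAction' through nested dicts."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return default
        doc = doc[part]
    return doc


def _eq(value, expected):
    """Case-insensitive string compare, mirroring Azure Policy's string matching."""
    return isinstance(value, str) and value.lower() == expected.lower()


def evaluate_resource(resource):
    """Return 'Compliant', 'NonCompliant' or 'NotEvaluated' for one resource document."""
    rtype = resource.get("type", "").lower()
    props = resource.get("properties", {})
    if rtype == "microsoft.cognitiveservices/accounts":
        public_off = _eq(props.get("publicNetworkAccess"), "Disabled")
        default_deny = _eq(_get(props, "networkAcls.defaultAction"), "Deny")
        # Either setting counts as restricting network access under the modelled reading.
        return "Compliant" if (public_off or default_deny) else "NonCompliant"
    if rtype == "microsoft.search/searchservices":
        # Only publicNetworkAccess is inspected; IP rules alone do not satisfy the rule.
        return "Compliant" if _eq(props.get("publicNetworkAccess"), "disabled") else "NonCompliant"
    # Any other resource type (e.g. Bot Service) is outside the rule's scope.
    return "NotEvaluated"


def evaluate(resources):
    """Map each resource name to its evaluation result."""
    return {r["name"]: evaluate_resource(r) for r in resources}


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_RESOURCES).items():
        print(f"{status:13} {name}")
```

The Search case is the one the issue is about: because the modelled rule only inspects publicNetworkAccess for searchServices, a service restricted to selected IP addresses still evaluates as NonCompliant, whereas the equivalent "selected networks" setup on a Cognitive Services account evaluates as Compliant through networkAcls.defaultAction.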