Question 221339 in Azure Question posted in
The official documentation to get you started can be found here.

Azure Policy – Target Specific Entry in Array

I need to enable Network Policy (Route Table) for private endpoints in Azure. I’ve got a working Azure policy (shown below for reference), however this targets all subnets. Whilst this isn’t really an issue (as the setting only applies to private endpoints anyway), I’d prefer to be more targeted, just to prevent confusion and in case any future weird bugs.

What I’m looking to do is only perform the modification ONLY on subnets with a specific name (e.g. snet-plink) – is this possible? I’ve had a bit of a play around and reviewed the docs, but I’ve not been able to achieve this yet.

Current working (broad) policy shown below:

{
    "mode": "All",
    "policyRule": {
      "if": {
        "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
        "notIn": [
            "RouteTableEnabled",
            "Enabled"
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
              "value": "RouteTableEnabled"
            }
          ]
        }
      }
    },
    "parameters": {}
  }

I’ve looked to see if there is a selector option for the array (like you have with jmespath) but this doesn’t seem to exist with Azure policy. I’ve also explored count as an option, but again I don’t think this will help me unfortunately with the modify effect.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    I've since had chance to spend some time playing with this and have come up with an approach that works.

    {
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks/subnets"
        },
        {
          "field": "name",
          "equals": "snet-plink"
        },
        {
          "field": "Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies",
          "equals": "Disabled"
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies",
            "value": "RouteTableEnabled"
          }
        ]
      }
    }
  },
  "parameters": {}
}

  2. 0

    What I’m looking to do is only perform the modification ONLY on subnets with a specific name (e.g. snet-plink) – is this possible?

    Here is the updated policy, it will enable the Private Endpoint NetworkPolicies property for the subnet-name, if it is not already set to Enabled.

    In this policy, if the subnet equals subnet-name and the private endpoint network policy is not enabled in the same subnet, the policy will enable the route table policy in subnet.

    {
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
          "equals": "snet-plink"
        },
        {
          "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
          "notIn": [
            "RouteTableEnabled",
            "Enabled"
          ]
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
            "value": "RouteTableEnabled"
          }
        ]
      }
    }
  },
  "parameters": {}
}

    Assign the policy to required scope and make sure to select a remediation task and a managed identity while policy assignment for enabling private endpoint network policy in subnet.

    enter image description here

    Policy is created with Remediation task and a Managed Identity as below.

    enter image description here

    Once assigned, the policy will audit the subnets. If the private endpoint network policy is not enabled in a subnet, it will initiate the enabling process using a remediation task.

    enter image description here

    Reference: AZURE POLICY TO ENABLE NETWORK POLICIES FOR PRIVATE ENDPOINTS by Pantelis Apostolidis

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search