I am trying to stop users that aren't global admins from creating new public IPs and assigning them to VMs or NICs, but I don't want to affect the existing assigned IPs.
I think the best way to do it is with a policy.
I found this policy that blocks public IPs in all resource groups that aren't specified, but I don't know if it will affect the existing ones:
    {
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkInterfaces"
            },
            {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
              "exists": true
            },
            {
              "value": "[resourceGroup().name]",
              "notEquals": "resource-group-name"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      }
    }
- A related article: https://blog.nillsf.com/index.php/2019/11/02/using-azure-policy-to-deny-public-ips-on-specific-vnets/
Does someone know if it will affect the existing ones, or know a better way to write a policy that can help me?
2 Answers
The policy you mentioned will block public IPs in all resource groups that are not specified in the policy, but it will not affect the existing ones. However, it will block the creation of new public IPs and their assignment to network resources in the resource groups that are not specified. If you want to block the creation of new public IPs but allow the assignment of existing public IPs, you can use the below policy.

Output:
Public IP creation with other resource group
Public IP creation with specified resource group
Successfully assigned existing Public IP to Network Interface.
Azure Policy will evaluate and report back all resources that are in violation of the policy; however, unless it is attached with a Deploy If Not Exists, no actions will be taken.
The Azure Policy will execute against a deployment once one is submitted. To be clear, this will include any update to an existing resource or any net new resource creation. When the deployment is submitted, in this case, the deny action will occur and block the deployment. Policy can also be used with different actions.
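As an added example that is not part of the question or either answer: a small Python dry-run of the rule from the question, plus a second, assumed companion rule that denies creating the Microsoft.Network/publicIPAddresses resource itself outside the allowed resource group. Run against constructed NIC and public IP payloads, it shows the two points the answers make: a PUT that matches a deny rule is blocked (a new NIC with a public IP, and equally a PUT that updates an existing NIC while it still references its public IP), while a compliance scan of an existing resource only reports it as NonCompliant and changes nothing. It also shows that the NIC rule alone does not stop someone creating a public IP resource, only attaching it. The alias-to-property mapping, the handling of [*] (every element must satisfy the condition; an empty array does not satisfy exists=true), the resource bodies and the subscription ID are assumptions made for this example; check the array semantics against the Azure Policy documentation before relying on them.

```python
"""Local dry-run of the Azure Policy deny rule from the question.

Added example, not code from the original post. It evaluates a rule the way
Azure Policy does on a PUT (deny blocks the request) and on a compliance scan
of an existing resource (reported only, nothing is changed).
"""
from typing import Any, Dict, List

ALLOWED_RG = "resource-group-name"  # placeholder name from the question

# Rule from the question (aliases resolved by resolve_field below).
NIC_PUBLIC_IP_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/networkInterfaces"},
        {"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
         "exists": True},
        {"value": "[resourceGroup().name]", "notEquals": ALLOWED_RG},
    ]},
    "then": {"effect": "deny"},
}

# Companion rule (assumption, not from the post): deny creating the public IP
# resource itself outside the allowed resource group.
PUBLIC_IP_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
        {"value": "[resourceGroup().name]", "notEquals": ALLOWED_RG},
    ]},
    "then": {"effect": "deny"},
}

# Assumed alias -> property path; "[*]" fans out over the array element.
ALIASES = {
    "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id":
        ["properties", "ipConfigurations", "[*]", "properties", "publicIPAddress", "id"],
}


def resolve_field(resource: Dict[str, Any], field: str) -> List[Any]:
    """Return every value the field resolves to (None where a key is missing)."""
    if field == "type":
        return [resource.get("type")]
    nodes: List[Any] = [resource]
    for step in ALIASES.get(field, []):
        nxt: List[Any] = []
        for n in nodes:
            if step == "[*]":
                nxt.extend(n if isinstance(n, list) else [])
            else:
                nxt.append(n.get(step) if isinstance(n, dict) else None)
        nodes = nxt
    # Assumption: an empty array behaves like a single missing value.
    return nodes or [None]


def eval_condition(cond: Dict[str, Any], resource: Dict[str, Any], rg: str) -> bool:
    """Evaluate one condition; for [*] every element must satisfy it (assumption)."""
    if "value" in cond:  # only the template function used in the question
        actual = [rg] if cond["value"] == "[resourceGroup().name]" else [None]
    else:
        actual = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return all(v == cond["equals"] for v in actual)
    if "notEquals" in cond:
        return all(v != cond["notEquals"] for v in actual)
    want = str(cond["exists"]).lower() == "true"
    return all((v is not None) == want for v in actual)


def matches(rule: Dict[str, Any], resource: Dict[str, Any], rg: str) -> bool:
    return all(eval_condition(c, resource, rg) for c in rule["if"]["allOf"])


def on_put(rules: List[Dict[str, Any]], resource: Dict[str, Any], rg: str) -> str:
    """ARM submits a create or update: the first matching deny rule blocks it."""
    for r in rules:
        if r["then"]["effect"] == "deny" and matches(r, resource, rg):
            return "denied"
    return "allowed"


def compliance_scan(rules: List[Dict[str, Any]], resource: Dict[str, Any], rg: str) -> str:
    """Periodic evaluation of an existing resource: report only, no action."""
    return "NonCompliant" if any(matches(r, resource, rg) for r in rules) else "Compliant"


# Constructed sample payloads (fake subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PIP_ID = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Network/publicIPAddresses/vm1-pip"
PIP = {"type": "Microsoft.Network/publicIPAddresses", "name": "vm1-pip",
       "properties": {"publicIPAllocationMethod": "Static"}}


def nic(public_ip_id: str = "", tags: Dict[str, str] = None) -> Dict[str, Any]:
    """Build a NIC body with one ipConfiguration, optionally attached to a public IP."""
    cfg: Dict[str, Any] = {"name": "ipconfig1", "properties": {
        "subnet": {"id": SUB + "/resourceGroups/prod-rg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default"}}}
    if public_ip_id:
        cfg["properties"]["publicIPAddress"] = {"id": public_ip_id}
    return {"type": "Microsoft.Network/networkInterfaces", "name": "vm1-nic",
            "tags": tags or {}, "properties": {"ipConfigurations": [cfg]}}


RULES = [NIC_PUBLIC_IP_RULE, PUBLIC_IP_RULE]

if __name__ == "__main__":
    print("new NIC + public IP, other RG   :", on_put([NIC_PUBLIC_IP_RULE], nic(PIP_ID), "prod-rg"))
    print("new NIC + public IP, allowed RG :", on_put([NIC_PUBLIC_IP_RULE], nic(PIP_ID), ALLOWED_RG))
    print("tag update on existing such NIC :", on_put([NIC_PUBLIC_IP_RULE], nic(PIP_ID, {"env": "prod"}), "prod-rg"))
    print("create public IP, NIC rule only :", on_put([NIC_PUBLIC_IP_RULE], PIP, "prod-rg"))
    print("create public IP, both rules    :", on_put(RULES, PIP, "prod-rg"))
    print("scan of existing NIC, other RG  :", compliance_scan(RULES, nic(PIP_ID), "prod-rg"))
```

The caveat the second answer raises is visible in the third line of the run: because policy is evaluated on every PUT, a later update to an existing NIC that still references its public IP is denied just like a new one, so "not affecting existing IPs" holds for the compliance scan but not for edits to those resources.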