Dan Djurasovic Blog

Create Azure Policy to limit VNet Address Space creation to certain address spaces only

  • 05/06/2020
  • Dan Djurasovic

Overview of the process

When you have a large Azure installation, you want to limit which address ranges your end users can create.

We can accomplish this with Azure Policy. However, there are no built-in policies for this, so we will need to create custom policies.
In our example, we want to limit VNet address space creation to address spaces starting with 10.4.X.X and using only a /24 subnet mask.

We will need to create two Azure Policies and assign them to a subscription.

Policies to be created:

  • Azure Policy which denies VNet address space creation if it does not start with the 10.4 space.
  • Azure Policy which denies creation of any subnet mask other than /24.

Azure Policy which denies VNet address space creation if it does not start with the 10.4 space

To create the "Azure Policy which denies VNet address space creation if it does not start with 10.4", navigate to Policy - Definitions and select + Policy definition.


On the Policy definition blade, select your subscription as the definition location and type a name for your policy.
For the category, you can use the existing Network category.


Navigate to the Policy rule section, delete the existing entries from the window and paste the entries from the following file:

Azure Policy which denies VNet address space creation if it does not start with the 10.4 space

Hit the Save button to save the policy.

Go back to Policy - Definitions and change Type to Custom in the filter.
Double-click your policy and a new blade will open.

On a new blade, click Assign.

On the right side, a new blade will show the scope. You can choose a subscription or a resource group.


Press Save and then Review + Create to assign the policy.

Let's test how the policy works.

Try to create a new VNet using the default options. As you can see in our example, we are trying to create the address space 10.2.0.0/16.


Validation will fail, and the error will show that the VNet cannot be created because the address space you specified does not match the address space allowed by our policy.


Azure Policy which denies creation of any subnet mask other than /24

To create the policy which allows only /24 subnet masks, repeat the process above and use the following file:

Azure Policy which denies creation of any subnet mask other than /24


Customize Policy

If you want to customize the policies, we recommend changing only the values that were highlighted in red in the original listings, that is, the notContains values ("10.4." and "/24") in the two definitions below.

Azure Policy which denies VNet address space creation if it does not start with the 10.4 space

{
  "properties": {
    "displayName": "Allow only 10.4.X.X vNet creation",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
            "notContains": "10.4."
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Azure Policy which denies creation of any subnet mask other than /24

{
  "properties": {
    "displayName": "Allow only /24 VNet creation",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
            "notContains": "/24"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
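As an added check (example code written for this article, not part of the original post or of Azure Policy itself), the following Python script replays the two notContains conditions from the listings above against constructed single-prefix VNet address spaces and compares the outcome with the stated intent of the post (only /24 networks inside 10.4.0.0/16). It assumes a VNet with exactly one address prefix, so the [*] array semantics do not come into play, and it exists to show why a substring match such as notContains is worth testing locally before you assign a customized policy.

```python
import ipaddress
import json

# Constructed from the two policy listings above: the single condition in each
# rule that inspects the address prefixes. The "type" condition is omitted
# because every prefix checked here belongs to a virtualNetworks resource.
PREFIX_CONDITIONS = json.loads("""[
  {"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
   "notContains": "10.4."},
  {"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
   "notContains": "/24"}
]""")

ALLOWED_RANGE = ipaddress.ip_network("10.4.0.0/16")  # "10.4.X.X" in the post
ALLOWED_PREFIXLEN = 24                                # "/24 only" in the post


def policies_deny(prefix: str) -> bool:
    """True when at least one of the two deny policies fires for a VNet whose
    address space is the single prefix given. notContains is a plain substring
    test on the prefix string, which is what makes it looser than the intent."""
    return any(cond["notContains"] not in prefix for cond in PREFIX_CONDITIONS)


def intended_deny(prefix: str) -> bool:
    """What the post wants: allow only IPv4 /24 networks inside 10.4.0.0/16."""
    net = ipaddress.ip_network(prefix, strict=False)
    ok = (isinstance(net, ipaddress.IPv4Network)
          and net.subnet_of(ALLOWED_RANGE)
          and net.prefixlen == ALLOWED_PREFIXLEN)
    return not ok


def find_gaps(prefixes):
    """Prefixes where the substring policies disagree with the intended rule."""
    return [p for p in prefixes if policies_deny(p) != intended_deny(p)]


if __name__ == "__main__":
    # Constructed sample address spaces, including the post's own 10.2.0.0/16 test.
    samples = ["10.4.1.0/24", "10.2.0.0/16", "10.4.0.0/16", "10.40.0.0/24",
               "110.4.0.0/24", "10.4.7.0/25"]
    for p in samples:
        print(f"{p:>14}  policy denies={policies_deny(p)!s:5}  "
              f"intended deny={intended_deny(p)}")
    print("gaps:", find_gaps(samples))
```

Any prefix reported under gaps means the substring values need tightening before the policy is assigned, for example by anchoring the comparison with Azure Policy's like or match conditions instead of notContains.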

About The Author

Dan is an Azure Technical Advisor with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server, Azure IaaS and Active Directory. Dan is currently employed with Employment and Social Development / Government of Canada.
