Jun 05

Create Azure Policy to limit VNet Address Space creation to certain address spaces only

Overview of the process

When you have large Azure installation, you want to limit which address ranges your end users can create.

We can accomplish this with Azure Policy. However, there are no build-in policies, so we will need to create custom policies.
In our example, we want to limit Vnet Address space creation to all Address spaces starting with 10.4.X.X  and using only /24 subnet mask.

We will need to create two Azure Policies and assign them to Subscription.

Policies to be created. 

  • Azure Policy which denies VNet address space creation if it is not starting with 10.4 space.
  • Azure Policy which denies creation of any other subnet mask then /24

Azure Policy which denies VNet address space creation if it is not starting with 10.4 space.

To create “Azure Policy which denies VNet address space creation if it is not starting with 10.4” navigate to :
Policies-Definitions and select + Policy Definition 

 

On the Policy Definition blade navigate to your subscription and type name for your policy.
For the category, you can use existing network category

 

Navigate to the Policy rule, delete existing entries form windows and paste entires form the following file:

Azure Policy which denies VNet address space creation if it is not starting with 10.4 space.

Hit the Save button to save the policy.

Go back to Policy-Definitions and change type to custom in filtering windows.
Double click to your policy and the new blade will open.

On a new blade, click Assign.

On the Right side, a new blade will show you scope. You can choose subscription or resource groups.

 

Press Save and press Review + Create to assign a policy.

Let test how the policy works.

Try to create a new VNet using default options. As you can see in our example we are trying to create address space 10.2.0.0/16

 

Validation is going to fail and Errors will show you that vNet can not be created because the address space you specified does not match address space specified in our Policy.

 

Azure Policy which denies creation of any other subnet mask then /24

To create a policy which allows only /24 subnet mask creation,  repeat the following process and use the following file

Azure Policy which denies creation of any other subnet mask then 24

 

Customize Policy

If you want to customize policies, we recommend changing settings in RED.

Azure Policy which denies VNet address space creation if it is not starting with 10.4 space.

{
“properties”: {
“displayName”: “Allow only 10.4.X.X vNet creation“,
“policyType”: “Custom”,
“mode”: “All”,
“metadata”: {
“category”: “Network”
},
“parameters”: {},
“policyRule”: {
“if”: {
“allOf”: [
{
“field”: “type”,
“equals”: “Microsoft.Network/virtualNetworks”
},
{
“field”: “Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]”,
“notContains”: “10.4.
}
]
},
“then”: {
“effect”: “deny”
}
}
}
}

Azure Policy which denies creation of any other subnet mask then /24

{
“properties”: {
“displayName”: “Allow only /24 VNet creation“,
“policyType”: “Custom”,
“mode”: “All”,
“metadata”: {
“category”: “Network”
},
“parameters”: {},
“policyRule”: {
“if”: {
“allOf”: [
{
“field”: “type”,
“equals”: “Microsoft.Network/virtualNetworks”
},
{
“field”: “Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]”,
“notContains”: “/24
}
]
},
“then”: {
“effect”: “deny”
}
}
}
}

 

 

 

About The Author

Dan is a Azure Technical Advisor, with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server Azure IaaS and Active Directory. Dan is Currently employed with Employment and Social Development / Government of Canada.

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.