
Create Azure Policy to limit VNet Address Space creation to certain address spaces only

  • 05/06/2020
  • Dan Djurasovic

Overview of the process

When you have a large Azure installation, you want to limit which address ranges your end users can create.


We can accomplish this with Azure Policy. However, there are no built-in policies for this, so we will need to create custom policies.
In our example, we want to limit VNet address space creation to address spaces starting with 10.4.X.X and using only a /24 subnet mask.

We will need to create two Azure Policies and assign them to Subscription.

Policies to be created:

  • Azure Policy which denies VNet address space creation if it does not start with the 10.4 space.
  • Azure Policy which denies creation of any subnet mask other than /24.

Azure Policy denies VNet address space creation if it is not starting with 10.4 space.

To create the "Azure Policy which denies VNet address space creation if it is not starting with 10.4", navigate to:
Policy > Definitions and select + Policy definition.


On the Policy definition blade, select your subscription and type a name for your policy.
For the category, you can use the existing Network category.


Navigate to the Policy rule window, delete the existing entries and paste the entries from the following file:

Azure Policy which denies VNet address space creation if it is not starting with 10.4 space (the full JSON is also listed under "Customize Policy" below).

Hit the Save button to save the policy.

Go back to Policy > Definitions and change the Type filter to Custom.
Double-click your policy and a new blade will open.

On a new blade, click Assign.

On the right side, a new blade will show you the scope. You can choose a subscription or resource groups.


Press Save, then press Review + Create to assign the policy.

Let's test how the policy works.

Try to create a new VNet using the default options. In our example we are trying to create the address space 10.2.0.0/16.


Validation is going to fail, and the error will show that the VNet cannot be created because the address space you specified does not match the address space allowed by our policy.


Azure Policy which denies creation of any subnet mask other than /24

To create the policy which allows only /24 subnet mask creation, repeat the process above and use the following file:

Azure Policy which denies creation of any subnet mask other than /24 (the full JSON is also listed under "Customize Policy" below).


Customize Policy

If you want to customize the policies, we recommend changing only the settings highlighted in red (the match conditions inside the policy rule).

Azure Policy which denies VNet address space creation if it is not starting with 10.4 space.

{
  "properties": {
    "displayName": "Allow only 10.4.X.X vNet creation",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
            "notContains": "10.4."
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Azure Policy which denies creation of any subnet mask other than /24

{
  "properties": {
    "displayName": "Allow only /24 VNet creation",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
            "notContains": "/24"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
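Both policies above compare the address prefix as a plain string (notContains "10.4." and "/24"), so a prefix such as 11.10.4.0/24, as raised in the comment below, satisfies them without belonging to the 10.4 space. The following script is an added example, not part of the original post or of Azure Policy: it replays the two string rules against constructed sample prefixes and compares them with a proper CIDR check (prefix must be a subnet of 10.4.0.0/16 and exactly /24) to show where the two disagree.

```python
import ipaddress

# Constructed sample inputs: address prefixes a user might submit for a VNet.
SAMPLE_PREFIXES = [
    "10.4.0.0/24",    # intended case: should be allowed
    "10.2.0.0/16",    # the failing example from the post
    "11.10.4.0/24",   # the commenter's case: wrong network, passes the string rule
    "110.4.1.0/24",   # constructed: also contains the substring "10.4."
    "10.4.5.0/25",    # right space, wrong mask
]

ALLOWED_SPACE = ipaddress.ip_network("10.4.0.0/16")
REQUIRED_MASK = 24


def substring_policy_allows(prefix):
    """Mimic the two policies as written: the VNet is allowed only if the prefix
    string contains '10.4.' and contains '/24' (case-insensitive substring test)."""
    p = prefix.lower()
    return "10.4." in p and "/24" in p


def cidr_policy_allows(prefix):
    """Hardened check: parse the CIDR, require an IPv4 network that is a subnet of
    the allowed space and has exactly the required prefix length."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set, e.g. 10.4.0.1/24
    except ValueError:
        return False
    return (net.version == 4
            and net.subnet_of(ALLOWED_SPACE)
            and net.prefixlen == REQUIRED_MASK)


def evaluate(prefixes):
    """Map each prefix to (string_rule_allows, cidr_rule_allows)."""
    return {p: (substring_policy_allows(p), cidr_policy_allows(p)) for p in prefixes}


def disagreements(prefixes):
    """Prefixes the string rules accept but the CIDR check rejects."""
    return [p for p, (s, c) in evaluate(prefixes).items() if s and not c]


if __name__ == "__main__":
    for p, (s, c) in evaluate(SAMPLE_PREFIXES).items():
        print(f"{p:16} string rules: {'allow' if s else 'deny':5}  cidr check: {'allow' if c else 'deny'}")
    print("accepted only by string matching:", disagreements(SAMPLE_PREFIXES))
```

Azure Policy's `notLike` condition (with a `*` wildcard, e.g. `10.4.*`) anchors the comparison to the whole prefix string, which avoids the leading-digit problem shown here for the first policy.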

About The Author

Dan is an Azure Technical Advisor with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server, Azure IaaS and Active Directory.

1 Comment

  1. Herman
    21/02/2022 at 15:08 · Reply

    11.10.4.0/24 is valid but unwanted
