azure-policy
Alias request: Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.networkSecurityGroup.id
Details of the scenario you tried and the problem that is occurring
Need to create a policy preventing attachment of network interfaces to a subnet which hasn't been secured with an NSG. This currently fails with an error as the alias does not exist.
Verbose logs showing the problem
n/a
Suggested solution to the issue
Register the alias Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.networkSecurityGroup.id to support creating a policy definition such as the following:
```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkInterfaces"
        },
        {
          "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.name",
          "notIn": "[parameters('excludedSubnets')]"
        },
        {
          "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.networkSecurityGroup.id",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "excludedSubnets": {
      "type": "Array",
      "metadata": {
        "displayName": "Excluded Subnets",
        "description": "Array of subnet names that are excluded from this policy"
      },
      "defaultValue": [
        "GatewaySubnet",
        "AzureFirewallSubnet",
        "AzureFirewallManagementSubnet"
      ]
    }
  }
}
```
If policy is Guest Configuration - details about target node
n/a
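To show what the suggested policy rule would do once the requested alias resolves, here is a small evaluator added for illustration (not part of this issue and not Azure Policy's engine): it walks the rule's `allOf` conditions over a constructed NIC payload. It assumes aliases resolve through the ARM `properties` wrapper, that `[*]` fans out over array elements, and that a `[*]` condition holds only when it holds for every element; the NIC payloads, subnet ids and NSG id are sample values.

```python
"""Mini evaluator for the policy rule in the issue (added illustration, not Azure Policy's engine).
Assumptions: aliases walk the ARM 'properties' tree, '[*]' fans out over array elements, and a '[*]'
condition is true only when it holds for every element (so an empty array satisfies every condition)."""

NIC_TYPE = "Microsoft.Network/networkInterfaces"
EXCLUDED_SUBNETS = ["GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet"]
# The 'if' block from the issue, with the parameters replaced by their default values.
POLICY_RULE = {"allOf": [
    {"field": "type", "equals": NIC_TYPE},
    {"field": NIC_TYPE + "/ipConfigurations[*].subnet.name", "notIn": EXCLUDED_SUBNETS},
    {"field": NIC_TYPE + "/ipConfigurations[*].subnet.networkSecurityGroup.id", "exists": "false"},
]}

def _get(node, key):
    """Look a key up directly or under the ARM 'properties' wrapper; None if absent."""
    if not isinstance(node, dict):
        return None
    return node[key] if key in node else node.get("properties", {}).get(key)

def _walk(node, segments):
    """Resolve the remaining alias segments; '[*]' yields one value per array element."""
    if not segments:
        return [node]
    seg, rest = segments[0], segments[1:]
    if seg.endswith("[*]"):
        return [v for item in (_get(node, seg[:-3]) or []) for v in _walk(item, rest)]
    return _walk(_get(node, seg), rest)

def resolve_alias(resource, alias):
    """Map an alias to the list of values it selects on the resource."""
    if alias == "type":
        return [resource.get("type")]
    return _walk(resource, alias.split("/", 2)[2].split("."))  # drop the resource-type prefix

def _holds(value, cond):
    if "equals" in cond:
        return value == cond["equals"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:  # the issue's rule uses the string "false", which Azure accepts
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    return False  # other condition operators are out of scope for this illustration

def rule_matches(resource, rule=POLICY_RULE):
    """True when the 'if' block matches, i.e. the Deny effect would block this NIC."""
    return all(all(_holds(v, c) for v in resolve_alias(resource, c["field"])) for c in rule["allOf"])

def nic(subnet_name, nsg_id=None):
    """Constructed NIC payload with one ipConfiguration (sample data, not taken from Azure)."""
    subnet = {"id": f"/vnet/subnets/{subnet_name}", "name": subnet_name}
    if nsg_id:
        subnet["networkSecurityGroup"] = {"id": nsg_id}
    return {"type": NIC_TYPE, "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {"subnet": subnet}}]}}
```

Calling `rule_matches(nic("app-subnet"))` returns True (denied: no NSG on the subnet), while a NIC in an excluded subnet or a subnet that carries an NSG id returns False.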