
Existing policy assignments with 'Deny' effect no longer denying

Open EIT-Nathan opened this issue 3 years ago • 0 comments

Hi,

I have noticed an issue over the past couple of days in multiple Azure tenants where our enabled policy assignments with the 'Deny' effect are no longer preventing the creation of resources based upon the criteria we have defined. Below is a policy we have had in place for a while which, up until yesterday, was preventing the creation of all allowed inbound NSG rules unless the destination port was 443.

{
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "not": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                "notEquals": "443"
              }
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}

Has there been a change which requires us to update our policy definitions or is this a wider issue in Azure?

Thanks, Nathan

EIT-Nathan, Feb 18 '22 10:02
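To check what a policy rule like the one above actually matches before relying on it, it helps to evaluate the `if` block offline against sample resources. The following is an added example, not code from the issue author or from the azure-policy project: a minimal evaluator for the `allOf` / `not` / `field` subset used in that rule, run over constructed NSG security rules (not real tenant data). It assumes ARM-style resources (`{"type": ..., "properties": {...}}`) where the alias `<type>/<prop>` maps onto `properties.<prop>`, that string comparisons are case-insensitive, and the documented `[*]` semantics where a condition on an array alias is true only if every element satisfies it (so it is vacuously true for an empty array, and `not` + `notEquals` means "at least one element equals"). The helper names `resolve_field`, `evaluate`, `effect_for` and `nsg_rule` are this example's own.

```python
# Offline evaluator for the Azure Policy rule quoted in the issue above.
# Added example; only the subset of the policy language that rule uses
# (allOf, anyOf, not, field with equals/notEquals, [*] array aliases) is
# implemented, and the resource model and [*] semantics are assumptions
# stated in the lead-in, not a reimplementation of the Azure engine.

RULE_TYPE = "Microsoft.Network/networkSecurityGroups/securityRules"

# The parameters and policyRule from the issue, embedded so this runs offline.
POLICY = {
    "parameters": {
        "effect": {
            "type": "String",
            "allowedValues": ["Audit", "Deny", "Disabled"],
            "defaultValue": "Deny",
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": RULE_TYPE},
                {"allOf": [
                    {"field": RULE_TYPE + "/access", "equals": "Allow"},
                    {"field": RULE_TYPE + "/direction", "equals": "Inbound"},
                    {"not": {"field": RULE_TYPE + "/destinationPortRanges[*]",
                             "notEquals": "443"}},
                ]},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}


def resolve_field(resource, field):
    """Return (value, is_array_alias) for a policy field against a resource.

    Assumption: aliases '<type>/<prop>' map onto resource['properties'][prop];
    a trailing [*] marks an array alias and resolves to a list.
    """
    if field == "type":
        return resource.get("type"), False
    if not field.startswith(RULE_TYPE + "/"):
        raise ValueError(f"unsupported alias: {field}")
    prop = field[len(RULE_TYPE) + 1:]
    is_array = prop.endswith("[*]")
    if is_array:
        prop = prop[:-3]
    value = resource.get("properties", {})
    for part in prop.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    if is_array:
        value = value if isinstance(value, list) else []
    return value, is_array


def _compare(op, actual, expected):
    # Azure Policy string comparisons are case-insensitive.
    norm = lambda v: v.lower() if isinstance(v, str) else v
    if op == "equals":
        return norm(actual) == norm(expected)
    if op == "notEquals":
        return norm(actual) != norm(expected)
    raise ValueError(f"unsupported operator: {op}")


def evaluate(condition, resource):
    """Evaluate a condition tree (allOf / anyOf / not / field) to True or False."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    op = next(k for k in condition if k != "field")
    value, is_array = resolve_field(resource, condition["field"])
    if is_array:
        # Assumed [*] semantics: true only if every element satisfies the
        # condition, hence vacuously true for an empty array.
        return all(_compare(op, v, condition[op]) for v in value)
    return _compare(op, value, condition[op])


def effect_for(resource, policy=POLICY, parameters=None):
    """Return the effect the policy would apply, or None if the if-block does not match."""
    params = {k: v["defaultValue"] for k, v in policy["parameters"].items()}
    params.update(parameters or {})
    rule = policy["policyRule"]
    if not evaluate(rule["if"], resource):
        return None
    effect = rule["then"]["effect"]
    prefix, suffix = "[parameters('", "')]"
    if effect.startswith(prefix) and effect.endswith(suffix):
        effect = params[effect[len(prefix):-len(suffix)]]
    return effect


def nsg_rule(access, direction, ports):
    """Constructed sample securityRules resource (not real tenant data)."""
    return {"type": RULE_TYPE,
            "properties": {"access": access, "direction": direction,
                           "destinationPortRanges": ports}}


SAMPLES = {
    "allow-in-443": nsg_rule("Allow", "Inbound", ["443"]),
    "allow-in-80-443": nsg_rule("Allow", "Inbound", ["80", "443"]),
    "allow-in-80": nsg_rule("Allow", "Inbound", ["80"]),
    "allow-in-none": nsg_rule("Allow", "Inbound", []),
    "deny-in-443": nsg_rule("Deny", "Inbound", ["443"]),
    "allow-out-443": nsg_rule("Allow", "Outbound", ["443"]),
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name:16} -> {effect_for(res)}")
```

Running the samples shows which rules the `if` block catches under the assumed `[*]` semantics: the allow/inbound rules whose `destinationPortRanges` contains `443` match (and get the parameterised effect), while an allow/inbound rule with only port 80, one with an empty `destinationPortRanges`, a deny rule and an outbound rule do not. Note that the rule only references the `destinationPortRanges[*]` alias; a security rule that sets the singular `destinationPortRange` property is not inspected by any condition in it.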