We currently have the built-in policy to disallow public IPs scoped at the management group level, which works when creating regular VMs in our environment. This policy does not block the creation of VMs with public IPs in DevTest Labs, even though they are created within the management group that has a policy blocking IPs. Has anyone run into this?
Maybe VMs created by DevTest Labs are a different type of resource than regular VMs. https://learn.microsoft.com/zh-tw/azure/templates/microsoft.devtestlab/2018-09-15/labs/virtualmachines?tabs=json – ccshih Mar 15 '21 at 09:15
1 Answer
There are built-in policies working at the Microsoft.Network/networkInterfaces level to block NICs that have public IPs, but VMs in DevTest Labs are a different type of resource than regular VMs.
For example, you can restrict public IPs on VMs in Azure DevTest Labs with a policy like this:
```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DevTestLab/labs/virtualmachines"
          },
          {
            "not": {
              "field": "Microsoft.DevTestLab/labs/virtualmachines/disallowPublicIpAddress",
              "equals": true
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

– Nancy
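To check what the rule in the answer actually does before assigning it, here is an added example (not code from the answer or from Azure) that evaluates that policyRule against constructed DevTest Labs VM payloads. It is a minimal evaluator supporting only the keywords the rule uses (allOf, not, field, equals) and assumes the alias resolves to `properties.disallowPublicIpAddress`; it shows that a lab VM which never sets the property is also denied, because a missing field never satisfies `equals`.

```python
# Minimal evaluator for the answer's policyRule (assumption: not Azure's real engine).
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.DevTestLab/labs/virtualmachines"},
            {"not": {
                "field": "Microsoft.DevTestLab/labs/virtualmachines/disallowPublicIpAddress",
                "equals": True}},
        ]
    },
    "then": {"effect": "deny"},
}

def resolve_field(resource, field):
    """'type' is read from the top level; a resource-type-prefixed alias is
    assumed to map to properties.<last path segment> (assumption for this demo)."""
    if field == "type":
        return resource.get("type")
    prop = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop)

def values_equal(actual, expected):
    """Azure Policy compares strings case-insensitively; a missing value never matches."""
    if actual is None:
        return False
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected

def evaluate(cond, resource):
    """Recursively evaluate one condition block against a resource payload."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "field" in cond and "equals" in cond:
        return values_equal(resolve_field(resource, cond["field"]), cond["equals"])
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(resource, rule=POLICY_RULE):
    """Return the effect the rule would apply ('deny') or None when it does not match."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else None

# Constructed sample resources (not taken from the page).
LAB_VM_PUBLIC = {"type": "Microsoft.DevTestLab/labs/virtualmachines",
                 "properties": {"disallowPublicIpAddress": False}}
LAB_VM_PRIVATE = {"type": "Microsoft.DevTestLab/labs/virtualmachines",
                  "properties": {"disallowPublicIpAddress": True}}
LAB_VM_UNSET = {"type": "Microsoft.DevTestLab/labs/virtualmachines", "properties": {}}
REGULAR_VM = {"type": "Microsoft.Compute/virtualMachines", "properties": {}}
```

The regular VM is untouched by this rule, which is why the NIC-level built-in still has to stay assigned alongside it.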