Force Service Endpoint Policy if service endpoint is enabled
Continuing the Service Endpoint Policy Improvement series with an Azure Policy: this time, I want to enforce that whenever users enable a Storage Account service endpoint on a subnet, they must also attach the corresponding service endpoint policy.
With this solution, we not only prevent users from forgetting this important security setting, but we also gain compliance reporting on subnets with service endpoints.
A quick and simple solution once again—powered by Azure Policy ;)
```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks/subnets"
        },
        {
          "count": {
            "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]",
            "where": {
              "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service",
              "like": "Microsoft.Storage*"
            }
          },
          "greater": 0
        },
        {
          "count": {
            "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpointPolicies[*]",
            "where": {
              "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpointPolicies[*].id",
              "exists": true
            }
          },
          "notEquals": 1
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```
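To see exactly which subnets this rule blocks before assigning it, the following added example (not from the original post and not Azure's policy engine) re-implements the small subset of policy syntax the rule uses (`allOf`, `field`, `count`/`where`, `equals`, `notEquals`, `greater`, `like`, `exists`) and runs it over hand-built subnet documents. The subnet documents, the `sep-storage` policy id and the helper names (`make_subnet`, `decision`, `evaluate_cases`) are all constructed for the example; alias-to-property mapping and case-insensitive string matching are simplified approximations of what Azure does.

```python
import re

SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"
ALIAS_PREFIX = SUBNET_TYPE + "/"

# The policyRule from the post; the "mode"/"parameters" wrapper is not needed here.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": SUBNET_TYPE},
            {"count": {"field": ALIAS_PREFIX + "serviceEndpoints[*]",
                       "where": {"field": ALIAS_PREFIX + "serviceEndpoints[*].service",
                                 "like": "Microsoft.Storage*"}},
             "greater": 0},
            {"count": {"field": ALIAS_PREFIX + "serviceEndpointPolicies[*]",
                       "where": {"field": ALIAS_PREFIX + "serviceEndpointPolicies[*].id",
                                 "exists": True}},
             "notEquals": 1},
        ]
    },
    "then": {"effect": "deny"},
}


def walk(obj, path):
    """Follow a dotted alias path inside a dict; a segment ending in [*] names the array itself."""
    for segment in path.split("."):
        key = segment[:-3] if segment.endswith("[*]") else segment
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def resolve_field(resource, field):
    """Map a policy alias to a value in the (constructed) ARM-style subnet document."""
    if field == "type":
        return resource.get("type")
    if not field.startswith(ALIAS_PREFIX):
        raise ValueError(f"unsupported alias: {field}")
    return walk(resource.get("properties", {}), field[len(ALIAS_PREFIX):])


def like(value, pattern):
    """Azure Policy 'like': case-insensitive match where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def equal(a, b):
    """Case-insensitive for strings (as Azure Policy does), plain equality otherwise."""
    return a.lower() == b.lower() if isinstance(a, str) and isinstance(b, str) else a == b


def compare(value, cond):
    """Apply the single comparison operator present in a condition."""
    if "equals" in cond:
        return equal(value, cond["equals"])
    if "notEquals" in cond:
        return not equal(value, cond["notEquals"])
    if "greater" in cond:
        return value is not None and value > cond["greater"]
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    if "like" in cond:
        return value is not None and like(str(value), cond["like"])
    raise ValueError(f"unsupported operator in {cond}")


def evaluate(cond, resource, item=None, item_alias=None):
    """Evaluate a condition; inside count/where, fields below item_alias refer to the current element."""
    if "allOf" in cond:
        return all(evaluate(c, resource, item, item_alias) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, item, item_alias) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, item, item_alias)
    if "count" in cond:
        alias = cond["count"]["field"]
        items = resolve_field(resource, alias) or []
        where = cond["count"].get("where")
        n = sum(1 for it in items if where is None or evaluate(where, resource, it, alias))
        return compare(n, cond)
    field = cond["field"]
    if item is not None and field.startswith(item_alias + "."):
        return compare(walk(item, field[len(item_alias) + 1:]), cond)
    return compare(resolve_field(resource, field), cond)


def decision(resource):
    """'deny' when the if-block matches, otherwise 'allow' (the rule has no other effect)."""
    return POLICY_RULE["then"]["effect"] if evaluate(POLICY_RULE["if"], resource) else "allow"


def make_subnet(services, policy_ids):
    """Build a minimal ARM-style subnet document (constructed sample data)."""
    return {"type": SUBNET_TYPE,
            "properties": {"serviceEndpoints": [{"service": s} for s in services],
                           "serviceEndpointPolicies": [{"id": p} for p in policy_ids]}}


# Constructed placeholder resource id; a real one has the same shape.
SEP_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
          "/providers/Microsoft.Network/serviceEndpointPolicies/sep-storage")

CASES = {
    "storage endpoint, no policy": make_subnet(["Microsoft.Storage"], []),
    "storage endpoint, one policy": make_subnet(["Microsoft.Storage"], [SEP_ID]),
    "storage endpoint, two policies": make_subnet(["Microsoft.Storage"], [SEP_ID, SEP_ID + "-2"]),
    "sql endpoint only, no policy": make_subnet(["Microsoft.Sql"], []),
    "no endpoints": make_subnet([], []),
}


def evaluate_cases():
    return {name: decision(subnet) for name, subnet in CASES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_cases().items():
        print(f"{verdict:5}  {name}")
```

Two details the run makes visible: `notEquals: 1` means the rule demands exactly one attached policy, so a subnet with two service endpoint policies is denied just like one with none; and `like: "Microsoft.Storage*"` also matches the `Microsoft.Storage.Global` endpoint, which is what you want if the policy is meant to cover both. The subnet without a Storage endpoint passes untouched, so the rule adds no friction for subnets that only use other service endpoints.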
This post is licensed under CC BY 4.0 by the author.