Limit the Service Endpoint Policy to the same subscription

With a service endpoint policy, you can limit which Storage accounts are reachable from a subnet. When you enable a service endpoint on a specific subnet and attach a policy, only the Storage accounts listed in the policy are reachable. By default, a service endpoint policy can include Storage accounts from other subscriptions, but I want to block that for security reasons, because I don't want different environments to be able to connect to each other.

To address this, I created an Azure Policy definition that denies any service endpoint policy whose service resources are not within the same subscription as the policy itself, preventing access to Storage accounts in other subscriptions. The rule counts the serviceResources entries of every definition, extracts the subscription ID from each resource ID (the third segment of the ID once split on '/'), and denies the deployment if at least one entry belongs to a different subscription.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/serviceEndpointPolicies"
        },
        {
          "count": {
            "field": "Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions[*].serviceResources[*]",
            "where": {
              "allOf": [
                {
                  "value": "[split(concat(first(field('Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions[*].serviceResources[*]')), '//'), '/')[2]]",
                  "notEquals": "[subscription().subscriptionId]"
                }
              ]
            }
          },
          "greater": 0
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```

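To see what the count/where condition actually evaluates before assigning the policy, here is an added Python emulation of that rule (my own illustration, not the policy engine and not code from the original post). It runs against a constructed service endpoint policy resource; the subscription IDs and resource names are made up.

```python
"""Offline emulation of the Deny rule above (added example, not Azure's evaluator).

In the policy, field('...serviceResources[*]') inside the where clause yields an
array holding only the current member, so first() gives that member's resource
ID string; the emulation therefore iterates the members directly."""

SEP_TYPE = "Microsoft.Network/serviceEndpointPolicies"


def subscription_of(resource_id: str) -> str:
    """Mirror split(concat(id, '//'), '/')[2].

    Appending '//' guarantees at least three segments, so an empty or
    malformed ID yields '' instead of an evaluation error. A well-formed
    '/subscriptions/<id>/...' ID yields <id>.
    """
    return (resource_id + "//").split("/")[2]


def would_deny(resource: dict, deployment_subscription: str) -> bool:
    """True when the rule's 'if' matches, i.e. the Deny effect would fire."""
    if resource.get("type") != SEP_TYPE:
        return False  # first allOf condition fails: rule does not apply
    definitions = resource.get("properties", {}).get("serviceEndpointPolicyDefinitions", [])
    service_resources = [r for d in definitions for r in d.get("serviceResources", [])]
    # count(where subscription != deployment subscription) > 0
    foreign = [r for r in service_resources if subscription_of(r) != deployment_subscription]
    return len(foreign) > 0


# Constructed sample data (made-up subscription IDs and names).
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"


def sample_policy(*service_resources: str) -> dict:
    return {
        "type": SEP_TYPE,
        "properties": {
            "serviceEndpointPolicyDefinitions": [
                {"name": "storage-def", "service": "Microsoft.Storage",
                 "serviceResources": list(service_resources)}
            ]
        },
    }


if __name__ == "__main__":
    same = sample_policy(f"/subscriptions/{SUB_A}/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1")
    cross = sample_policy(f"/subscriptions/{SUB_A}", f"/subscriptions/{SUB_B}/resourceGroups/rg2")
    print("same-subscription policy denied:", would_deny(same, SUB_A))   # False
    print("cross-subscription policy denied:", would_deny(cross, SUB_A))  # True
```

A resource ID without the leading '/subscriptions/' prefix (or an empty one) yields '' from subscription_of and is therefore denied as well, which is the conservative outcome.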
This post is licensed under CC BY 4.0 by the author.