策略应拒绝任何允许端口22的网络安全规则

时间:2020-09-15 19:45:15

标签: azure azure-policy

我正在尝试创建一个拒绝允许端口22的NSG规则的策略。预期结果是,天蓝色将拒绝允许端口22的任何NSG安全规则。这是我到目前为止所拥有的,但是在测试时,它是仍然允许我创建它。

{
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                  "equals": "Inbound"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                  "equals": "Allow"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges",
                  "contains": "22"
                }
              ]
            }
          ]
        },
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups"
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                  "equals": "Inbound"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                  "equals": "Allow"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                  "contains": "22"
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

0 个答案:

没有答案