AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

Network ACLs should be restricted for Cognitive Services

Azure Landing Zones (ALZ) Policy definition

Source

Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-CognitiveServices-NetworkAcls

Deploy policy Deny-CognitiveServices-NetworkAcls (1.0.0) to Azure

Display name

Network ACLs should be restricted for Cognitive Services

Deny-CognitiveServices-NetworkAcls

Version

1.0.0
Details on versioning

Category

Cognitive Services

Description

Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.

Cloud environments

AzureChinaCloud
AzureCloud
AzureUSGovernment

Mode

All

Type

Custom Azure Landing Zones (ALZ)

Preview

False

Deprecated

False

Effect

Default
Deny
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (2)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]	Microsoft.CognitiveServices	accounts	properties.networkAcls.ipRules[*]	True		True
Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]	Microsoft.CognitiveServices	accounts	properties.networkAcls.virtualNetworkRules[*]	True		False

Rule resource types

IF (1)
Microsoft.CognitiveServices/accounts

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State
Enforce recommended guardrails for Open AI (Cognitive Service)	Enforce-Guardrails-OpenAI	Cognitive Services	GA

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2024-06-03 17:39:43	add	Deny-CognitiveServices-NetworkAcls

JSON compare

n/a

JSON

EPAC