AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

Subnets without Private Endpoint Network Policies enabled should be denied

Azure Landing Zones (ALZ) Policy definition

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-Subnet-Without-Penp
Deploy policy Deny-Subnet-Without-Penp (1.0.0) to Azure
Display name Subnets without Private Endpoint Network Policies enabled should be denied
Id Deny-Subnet-Without-Penp
Version 1.0.0
Details on versioning
Category Network
Description This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.
Cloud environments AzureChinaCloud
AzureCloud
AzureUSGovernment
Mode All
Type Custom Azure Landing Zones (ALZ)
Preview False
Deprecated False
Effect Default
Deny
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (4)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies Microsoft.Network virtualNetworks/subnets properties.privateEndpointNetworkPolicies True True
Microsoft.Network/virtualNetworks/subnets[*] Microsoft.Network virtualNetworks properties.subnets[*] True False
Microsoft.Network/virtualNetworks/subnets[*].name Microsoft.Network virtualNetworks properties.subnets[*].name True False
Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies Microsoft.Network virtualNetworks properties.subnets[*].properties.privateEndpointNetworkPolicies True True
Rule resource types IF (2)
Microsoft.Network/virtualNetworks
Microsoft.Network/virtualNetworks/subnets
Initiatives usage none
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-06-20 20:17:42 add Deny-Subnet-Without-Penp
JSON compare n/a
JSON
EPAC
Deploy policy Deny-Subnet-Without-Penp (1.0.0) to Azure