Source
Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-VNET-Peer-Cross-Sub
Display name
Deny vNet peering cross subscription.
Id
Deny-VNET-Peer-Cross-Sub
Version
1.1.0 Details on versioning
Category
Network
Description
This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.
Cloud environments
AzureChinaCloud AzureCloud AzureUSGovernment
Mode
All
Type
Custom Azure Landing Zones (ALZ)
Preview
False
Deprecated
False
Effect
Default Deny
Allowed Audit, Deny, Disabled
RBAC role(s)
none
Rule aliases
IF (1)
Rule resource types
IF (1) Microsoft.Network/virtualNetworks/virtualNetworkPeerings
Initiatives usage
Initiative DisplayName
Initiative Id
Initiative Category
State
Enforce policies in the Sandbox Landing Zone
Enforce-ALZ-Sandbox
Sandbox
GA
History
Date/Time (UTC ymd) (i)
Change type
Change detail
2024-10-10 01:17:21
change
Minor (1.0.1 > 1.1.0)
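--- a/Deny-VNET-Peer-Cross-Sub
+++ b/Deny-VNET-Peer-Cross-Sub
@@ -3,9 +3,9 @@
 "mode": "All",
 "displayName": "Deny vNet peering cross subscription.",
 "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
 "metadata": {
-"version": "1.0.1",
+"version": "1.1. 0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
 "AzureCloud",
@@ -25,8 +25,16 @@
 "Deny",
 "Disabled"
 ],
 "defaultValue": "Deny"
+},
+"allowedVnets": {
+"type": "Array",
+"metadata": {
+"displayName": "Allowed vNets to peer with",
+"description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
+},
+"defaultValue": []
 }
 },
 "policyRule": {
 "if": {
@@ -35,10 +43,18 @@
 "field": "type",
 "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
 },
 {
-"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
-"notcontains": "[subscription().id]"
+"allOf": [
+{
+"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+"notIn": "[parameters('allowedVnets')]"
+},
+{
+"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+"notLike ": "[concat( subscription().id, '/*') ]"
+}
+]
 }
 ]
 },
 "then": {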
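Review bot: The policy `"description"` (line 5 on the new side) and the `"displayName"` above it still state that cross-subscription peerings are denied outright, while the new `allowedVnets` parameter (new lines 30–36) together with the `notIn` condition (new lines 49–50) exempts every remote vNet resource ID listed in it, so the metadata should say so, e.g. `"description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope, unless the remote vNet's resource ID is listed in the allowedVnets parameter."`. Since a listed ID bypasses the deny completely, the parameter's own description could add that additions to this list are exceptions to be reviewed at assignment time rather than a routine setting. The `"notLike ": "[concat( subscription().id, '/*') ]"` and `"version": "1.1. 0"` spacing in this compare view differs from the definition shown lower on the page (`notLike`, `1.1.0`), so it looks like a rendering artefact rather than committed text, but is worth confirming against the repository. The `then` block carrying the effect is cut off below the hunk.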
{ 7 items policyType: "Custom" , mode: "All" , displayName: "Deny vNet peering cross subscription." , description: "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope." , metadata: { 4 items version: "1.1.0" , category: "Network" , source: "https://github.com/Azure/Enterprise-Scale/" , alzCloudEnvironments: [ 3 items "AzureCloud" , "AzureChinaCloud" , "AzureUSGovernment" ] } , parameters: { 2 items effect: { 4 items } , allowedVnets: { 3 items type: "Array" , metadata: { 2 items displayName: "Allowed vNets to peer with" , description: "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" } , defaultValue : [] } } , policyRule: { 2 items if: { 1 item allOf: [ 2 items { 2 items field: "type" , equals: "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id" , notIn: "[parameters('allowedVnets')]" } , { 2 items field: "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id" , notLike: "[
concat(
subscription().id,
'/*'
)
]" } ] } ] } , then: { 1 item effect: "[parameters('effect')]" } } }