last sync: 2025-Jul-07 17:23:16 UTC

Deny vNet peering cross subscription.

Azure Landing Zones (ALZ) Policy definition

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-VNET-Peer-Cross-Sub
Deploy policy Deny-VNET-Peer-Cross-Sub (1.1.0) to Azure
Display name Deny vNet peering cross subscription.
Id Deny-VNET-Peer-Cross-Sub
Version 1.1.0
Category Network
Description This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.
Cloud environments AzureChinaCloud, AzureCloud, AzureUSGovernment
Mode All
Type Custom Azure Landing Zones (ALZ)
Preview False
Deprecated False
Effect Default: Deny; Allowed: Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias: Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id
Namespace: Microsoft.Network
ResourceType: virtualNetworks/virtualNetworkPeerings
Path: properties.remoteVirtualNetwork.id
PathIsDefault: True
DefaultPath: (empty)
Modifiable: False
Rule resource types IF (1)
Microsoft.Network/virtualNetworks/virtualNetworkPeerings
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State
Enforce policies in the Sandbox Landing Zone Enforce-ALZ-Sandbox Sandbox GA
History
Date/Time (UTC ymd) Change type Change detail
2024-10-10 01:17:21 change Minor (1.0.1 > 1.1.0)
JSON compare
1.0.1 → 1.1.0 RENAMED
@@ -3,9 +3,9 @@
3
  "mode": "All",
4
  "displayName": "Deny vNet peering cross subscription.",
5
  "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
6
  "metadata": {
7
- "version": "1.0.1",
8
  "category": "Network",
9
  "source": "https://github.com/Azure/Enterprise-Scale/",
10
  "alzCloudEnvironments": [
11
  "AzureCloud",
@@ -25,8 +25,16 @@
25
  "Deny",
26
  "Disabled"
27
  ],
28
  "defaultValue": "Deny"
29
  }
30
  },
31
  "policyRule": {
32
  "if": {
@@ -35,10 +43,18 @@
35
  "field": "type",
36
  "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
37
  },
38
  {
39
- "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
40
- "notcontains": "[subscription().id]"
41
  }
42
  ]
43
  },
44
  "then": {
 
3
  "mode": "All",
4
  "displayName": "Deny vNet peering cross subscription.",
5
  "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
6
  "metadata": {
7
+ "version": "1.1.0",
8
  "category": "Network",
9
  "source": "https://github.com/Azure/Enterprise-Scale/",
10
  "alzCloudEnvironments": [
11
  "AzureCloud",
 
25
  "Deny",
26
  "Disabled"
27
  ],
28
  "defaultValue": "Deny"
29
+ },
30
+ "allowedVnets": {
31
+ "type": "Array",
32
+ "metadata": {
33
+ "displayName": "Allowed vNets to peer with",
34
+ "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
35
+ },
36
+ "defaultValue": []
37
  }
38
  },
39
  "policyRule": {
40
  "if": {
 
43
  "field": "type",
44
  "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
45
  },
46
  {
47
+ "allOf": [
48
+ {
49
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
50
+ "notIn": "[parameters('allowedVnets')]"
51
+ },
52
+ {
53
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
54
+ "notLike": "[concat(subscription().id, '/*')]"
55
+ }
56
+ ]
57
  }
58
  ]
59
  },
60
  "then": {
JSON
The effect parameter is collapsed in the source view (4 items); only its allowed values and default, as listed in the table above, are reproduced here.

{
  "policyType": "Custom",
  "mode": "All",
  "displayName": "Deny vNet peering cross subscription.",
  "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
  "metadata": {
    "version": "1.1.0",
    "category": "Network",
    "source": "https://github.com/Azure/Enterprise-Scale/",
    "alzCloudEnvironments": [
      "AzureCloud",
      "AzureChinaCloud",
      "AzureUSGovernment"
    ]
  },
  "parameters": {
    "effect": {
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "allowedVnets": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed vNets to peer with",
        "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
      },
      "defaultValue": []
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
              "notIn": "[parameters('allowedVnets')]"
            },
            {
              "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
              "notLike": "[concat(subscription().id, '/*')]"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}