Add 'AzureBastionSubnet' exclusion for UDR on Subnets Policy (#606)

* add AzureBastionSubnet exclusion for UDR policy

* update ESLZ-Policies.md

* add nic subnet restriction policy

* update policies based on PG & KN feedback

* update ESLZ-policies.md

* typo fix
Jack Tracey 2021-06-16 16:10:30 +01:00 коммит произвёл GitHub
Родитель 684e5de276
Коммит 3eedf58a32
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
5 изменённых файлов: 440 добавлений и 384 удалений


@ -104,7 +104,7 @@ We work with - and learn from our customers and partners to ensure that we evolv
| Deploy an Azure DDoS Protection Standard plan | Deploys and creates the DDoS Protection Standard plan into the connectivity subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended, in Adventure Works | Connectivity Management Group | Network |
| Deny vNet peering | Denies creation of vnet peering | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Sandboxes Management Group | Network |
| Deny vNet peering cross subscription | Denies the creation of vnet peering outside of the same subscription | deny, audit, disabled | 1.0.0 | Custom policy | No | Sandboxes Management Group | Network |
| Subnets should have a User Defined Route | Denies the creation of a subnet without having a User-Defined Route | deny, audit, disabled | 1.0.0 | Custom policy | No | | Network |
| Subnets should have a User Defined Route | Denies the creation of a subnet without having a User-Defined Route, except the `AzureBastionSubnet` as this is not supported as documented [here](https://docs.microsoft.com/azure/bastion/bastion-overview#udr). The `AzureBastionSubnet` is only allowed to contain the Azure Bastion service, this is enforced by the Azure platform itself. | deny, audit, disabled | 1.1.0 | Custom policy | No | Landing Zones Management Group | Network |
| Subnets should have a Network Security Group | Denies the creation of a subnet that is not associated with a Network Security Group | deny, audit, disabled | 1.0.0 | Custom policy | No | Landing Zones Management Group | Network |
| RDP access from the Internet should be blocked | Denies any network security rule that allows RDP access from Internet | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group, Identity Management Group | Network |
| Application Gateway should be deployed with WAF enabled | Denies creation of Application Gateways when WAF is not enabled | deny, audit, disabled | 1.0.0 | Custom policy | No | Landing Zones Management Group | Network |


@ -10650,9 +10650,9 @@
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies the creation of a subsnet with out a User Defined Route.",
"description": "This policy denies the creation of a subnet with out a User Defined Route.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Network"
},
"parameters": {
@ -10668,6 +10668,16 @@
"Disabled"
],
"defaultValue": "Deny"
},
"excludedSubnets": {
"type": "Array",
"metadata": {
"displayName": "Excluded Subnets",
"description": "Array of subnet names that are excluded from this policy"
},
"defaultValue": [
"AzureBastionSubnet"
]
}
},
"policyRule": {
@ -10677,6 +10687,10 @@
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
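Review bot: The policy description on the new side of the first hunk still reads `This policy denies the creation of a subnet with out a User Defined Route.` — "with out" is a second typo the commit leaves in place, and the text says nothing about the new `excludedSubnets` parameter, so someone reading the definition in the portal cannot tell that a subnet named AzureBastionSubnet is not evaluated at all. Suggest `"description": "This policy denies the creation of a subnet without a User Defined Route, unless its name is listed in the excludedSubnets parameter (by default AzureBastionSubnet, which does not support UDRs)."`. The exclusion in the third hunk keys on the subnet name alone; what keeps that from widening into a general exemption is the platform restriction on what AzureBastionSubnet may host, which the updated ESLZ-Policies.md row states, so the parameter description could add that names appended to the exclusion do not carry that protection. The same three hunks recur in the three following file sections and the same wording applies there.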


@ -862,7 +862,7 @@
"hubResourceId": {
"value": "[[parameters('hubResourceId')]"
},
"dnsServers": {
"dnsServers": {
"value": "[[parameters('dnsServers')]"
}
},
@ -956,7 +956,7 @@
"[[parameters('vNetCidrRange')]"
]
},
"dhcpOptions": {
"dhcpOptions": {
"dnsServers": "[[parameters('dnsServers')]"
}
}
@ -1052,130 +1052,130 @@
"name": "Deploy-VNET-HubSpoke"
},
{
"properties": {
"displayName": "Deploy a user-defined route to a VNET with specific routes.",
"policyType": "Custom",
"mode": "Indexed",
"description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"parameters": {
"defaultRoute": {
"type": "String",
"metadata": {
"displayName": "Default route to add into UDR",
"description": "Policy will deploy a default route table to a vnet"
}
},
"vnetRegion": {
"type": "String",
"metadata": {
"displayName": "VNet Region",
"description": "Regional VNet hub location",
"strongType": "location"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "location",
"equals": "[[parameters('vnetRegion')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Network/routeTables",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[[parameters('defaultRoute')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"udrName": {
"value": "[[concat(field('name'),'-udr')]"
},
"udrLocation": {
"value": "[[field('location')]"
},
"defaultRoute": {
"value": "[[parameters('defaultRoute')]"
}
},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"udrName": {
"type": "string"
},
"udrLocation": {
"type": "string"
},
"defaultRoute": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables",
"name": "[[parameters('udrName')]",
"apiVersion": "2020-08-01",
"location": "[[parameters('udrLocation')]",
"properties": {
"routes": [
{
"name": "AzureFirewallRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[[parameters('defaultRoute')]"
}
}
]
}
}
],
"outputs": {}
}
}
}
}
}
}
"properties": {
"displayName": "Deploy a user-defined route to a VNET with specific routes.",
"policyType": "Custom",
"mode": "Indexed",
"description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"name": "Deploy-Default-Udr"
"parameters": {
"defaultRoute": {
"type": "String",
"metadata": {
"displayName": "Default route to add into UDR",
"description": "Policy will deploy a default route table to a vnet"
}
},
"vnetRegion": {
"type": "String",
"metadata": {
"displayName": "VNet Region",
"description": "Regional VNet hub location",
"strongType": "location"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "location",
"equals": "[[parameters('vnetRegion')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Network/routeTables",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[[parameters('defaultRoute')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"udrName": {
"value": "[[concat(field('name'),'-udr')]"
},
"udrLocation": {
"value": "[[field('location')]"
},
"defaultRoute": {
"value": "[[parameters('defaultRoute')]"
}
},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"udrName": {
"type": "string"
},
"udrLocation": {
"type": "string"
},
"defaultRoute": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables",
"name": "[[parameters('udrName')]",
"apiVersion": "2020-08-01",
"location": "[[parameters('udrLocation')]",
"properties": {
"routes": [
{
"name": "AzureFirewallRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[[parameters('defaultRoute')]"
}
}
]
}
}
],
"outputs": {}
}
}
}
}
}
}
},
"name": "Deploy-Default-Udr"
},
{
"properties": {
@ -10650,9 +10650,9 @@
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies the creation of a subsnet with out a User Defined Route.",
"description": "This policy denies the creation of a subnet with out a User Defined Route.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Network"
},
"parameters": {
@ -10668,6 +10668,16 @@
"Disabled"
],
"defaultValue": "Deny"
},
"excludedSubnets": {
"type": "Array",
"metadata": {
"displayName": "Excluded Subnets",
"description": "Array of subnet names that are excluded from this policy"
},
"defaultValue": [
"AzureBastionSubnet"
]
}
},
"policyRule": {
@ -10677,6 +10687,10 @@
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"


@ -862,7 +862,7 @@
"hubResourceId": {
"value": "[[parameters('hubResourceId')]"
},
"dnsServers": {
"dnsServers": {
"value": "[[parameters('dnsServers')]"
}
},
@ -956,7 +956,7 @@
"[[parameters('vNetCidrRange')]"
]
},
"dhcpOptions": {
"dhcpOptions": {
"dnsServers": "[[parameters('dnsServers')]"
}
}
@ -1052,130 +1052,130 @@
"name": "Deploy-VNET-HubSpoke"
},
{
"properties": {
"displayName": "Deploy a user-defined route to a VNET with specific routes.",
"policyType": "Custom",
"mode": "Indexed",
"description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"parameters": {
"defaultRoute": {
"type": "String",
"metadata": {
"displayName": "Default route to add into UDR",
"description": "Policy will deploy a default route table to a vnet"
}
},
"vnetRegion": {
"type": "String",
"metadata": {
"displayName": "VNet Region",
"description": "Regional VNet hub location",
"strongType": "location"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "location",
"equals": "[[parameters('vnetRegion')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Network/routeTables",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[[parameters('defaultRoute')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"udrName": {
"value": "[[concat(field('name'),'-udr')]"
},
"udrLocation": {
"value": "[[field('location')]"
},
"defaultRoute": {
"value": "[[parameters('defaultRoute')]"
}
},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"udrName": {
"type": "string"
},
"udrLocation": {
"type": "string"
},
"defaultRoute": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables",
"name": "[[parameters('udrName')]",
"apiVersion": "2020-08-01",
"location": "[[parameters('udrLocation')]",
"properties": {
"routes": [
{
"name": "AzureFirewallRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[[parameters('defaultRoute')]"
}
}
]
}
}
],
"outputs": {}
}
}
}
}
}
}
"properties": {
"displayName": "Deploy a user-defined route to a VNET with specific routes.",
"policyType": "Custom",
"mode": "Indexed",
"description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"name": "Deploy-Default-Udr"
"parameters": {
"defaultRoute": {
"type": "String",
"metadata": {
"displayName": "Default route to add into UDR",
"description": "Policy will deploy a default route table to a vnet"
}
},
"vnetRegion": {
"type": "String",
"metadata": {
"displayName": "VNet Region",
"description": "Regional VNet hub location",
"strongType": "location"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "location",
"equals": "[[parameters('vnetRegion')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Network/routeTables",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[[parameters('defaultRoute')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"udrName": {
"value": "[[concat(field('name'),'-udr')]"
},
"udrLocation": {
"value": "[[field('location')]"
},
"defaultRoute": {
"value": "[[parameters('defaultRoute')]"
}
},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"udrName": {
"type": "string"
},
"udrLocation": {
"type": "string"
},
"defaultRoute": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables",
"name": "[[parameters('udrName')]",
"apiVersion": "2020-08-01",
"location": "[[parameters('udrLocation')]",
"properties": {
"routes": [
{
"name": "AzureFirewallRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[[parameters('defaultRoute')]"
}
}
]
}
}
],
"outputs": {}
}
}
}
}
}
}
},
"name": "Deploy-Default-Udr"
},
{
"properties": {
@ -10650,9 +10650,9 @@
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies the creation of a subsnet with out a User Defined Route.",
"description": "This policy denies the creation of a subnet with out a User Defined Route.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Network"
},
"parameters": {
@ -10668,6 +10668,16 @@
"Disabled"
],
"defaultValue": "Deny"
},
"excludedSubnets": {
"type": "Array",
"metadata": {
"displayName": "Excluded Subnets",
"description": "Array of subnet names that are excluded from this policy"
},
"defaultValue": [
"AzureBastionSubnet"
]
}
},
"policyRule": {
@ -10677,6 +10687,10 @@
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"


@ -862,7 +862,7 @@
"hubResourceId": {
"value": "[[parameters('hubResourceId')]"
},
"dnsServers": {
"dnsServers": {
"value": "[[parameters('dnsServers')]"
}
},
@ -956,7 +956,7 @@
"[[parameters('vNetCidrRange')]"
]
},
"dhcpOptions": {
"dhcpOptions": {
"dnsServers": "[[parameters('dnsServers')]"
}
}
@ -1052,130 +1052,130 @@
"name": "Deploy-VNET-HubSpoke"
},
{
"properties": {
"displayName": "Deploy a user-defined route to a VNET with specific routes.",
"policyType": "Custom",
"mode": "Indexed",
"description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"parameters": {
"defaultRoute": {
"type": "String",
"metadata": {
"displayName": "Default route to add into UDR",
"description": "Policy will deploy a default route table to a vnet"
}
},
"vnetRegion": {
"type": "String",
"metadata": {
"displayName": "VNet Region",
"description": "Regional VNet hub location",
"strongType": "location"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "location",
"equals": "[[parameters('vnetRegion')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Network/routeTables",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[[parameters('defaultRoute')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"udrName": {
"value": "[[concat(field('name'),'-udr')]"
},
"udrLocation": {
"value": "[[field('location')]"
},
"defaultRoute": {
"value": "[[parameters('defaultRoute')]"
}
},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"udrName": {
"type": "string"
},
"udrLocation": {
"type": "string"
},
"defaultRoute": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables",
"name": "[[parameters('udrName')]",
"apiVersion": "2020-08-01",
"location": "[[parameters('udrLocation')]",
"properties": {
"routes": [
{
"name": "AzureFirewallRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[[parameters('defaultRoute')]"
}
}
]
}
}
],
"outputs": {}
}
}
}
}
}
}
"properties": {
"displayName": "Deploy a user-defined route to a VNET with specific routes.",
"policyType": "Custom",
"mode": "Indexed",
"description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"name": "Deploy-Default-Udr"
"parameters": {
"defaultRoute": {
"type": "String",
"metadata": {
"displayName": "Default route to add into UDR",
"description": "Policy will deploy a default route table to a vnet"
}
},
"vnetRegion": {
"type": "String",
"metadata": {
"displayName": "VNet Region",
"description": "Regional VNet hub location",
"strongType": "location"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "location",
"equals": "[[parameters('vnetRegion')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Network/routeTables",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[[parameters('defaultRoute')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"udrName": {
"value": "[[concat(field('name'),'-udr')]"
},
"udrLocation": {
"value": "[[field('location')]"
},
"defaultRoute": {
"value": "[[parameters('defaultRoute')]"
}
},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"udrName": {
"type": "string"
},
"udrLocation": {
"type": "string"
},
"defaultRoute": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables",
"name": "[[parameters('udrName')]",
"apiVersion": "2020-08-01",
"location": "[[parameters('udrLocation')]",
"properties": {
"routes": [
{
"name": "AzureFirewallRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[[parameters('defaultRoute')]"
}
}
]
}
}
],
"outputs": {}
}
}
}
}
}
}
},
"name": "Deploy-Default-Udr"
},
{
"properties": {
@ -10650,9 +10650,9 @@
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies the creation of a subsnet with out a User Defined Route.",
"description": "This policy denies the creation of a subnet with out a User Defined Route.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Network"
},
"parameters": {
@ -10668,6 +10668,16 @@
"Disabled"
],
"defaultValue": "Deny"
},
"excludedSubnets": {
"type": "Array",
"metadata": {
"displayName": "Excluded Subnets",
"description": "Array of subnet names that are excluded from this policy"
},
"defaultValue": [
"AzureBastionSubnet"
]
}
},
"policyRule": {
@ -10677,6 +10687,10 @@
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"