Audit Azure Network to Deny Internet by Subscription
There are a lot of company require more stringent requirement to audit outbound traffic for the virtual network within their subscription and recently i found out that by using Azure Policy, is one of the option to audit the entire subscription to flag out any non-compliance subnet in the subscription so you can remediate and take action on the warnings.
Step 1 : Go to Azure Subscription and select Azure Policy
Step 2 : Select Definitions on the Menu and Click “+ Policy Definition”
Step 3 : Fill in the following mandatory fields
- Select Definition Locations
2. Input the Name
3. You can choose to create New Category or Use Existing category
Step 4 : Copy the following definition and paste it into the editing panel under the policy rule
Audit every Subnet to ensure NSG is attached
Step 5 : Repeat Step 1 to Step 4 and copy the following into the policy rule and make sure 2 definitions are created
Audit every NSG to ensure Deny outbound Internet is included
Step 6 : Click on New Initiative to add the above 2 policy together
Step 7 : Go to Assignments and click on Assign Initiatives
This step is to make sure you run the policy against the subscription.
Lastly, wait for 15 minutes for the policy to kick start and you will see the non-compliance subnet under the Compliance.
PS : As usual, this configuration is purely for POC and testing purposes, for production deployment, please do your own remediation.
