Reputation: 397
I am creating a custom policy for my requirements. I want a policy definition in which "All network ports should be restricted on Network Security Groups which have the tag dev only".
ERROR: Failed to parse policy rule: 'Could not find member 'exits' on object of type 'LeafExpressionDefinition'. Path 'exits'.'.
There are two built-in policies in the Azure Policy definitions:
All network ports should be restricted on network security groups associated to your virtual machine. link https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f9daedab3-fb2d-461e-b861-71790eead4f6
Require a tag on resource groups. link https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F871b6d14-10aa-478d-b590-94f262ecfa99
I combined and updated them for my requirements; you can check the created custom policy. I think all is ok.
{
  "properties": {
    "displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
    "policyType": "Indexed",
    "mode": "All",
    "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "dev",
          "description": "Name of the tag, such as 'develpment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
            "exits": "true"
          },
          {
            "field": "[concat('tags[', parameters('dev'), ']')]",
            "Equals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "3b20e985-f71f-483b-b078-f30d73936d43",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9daedab3-fb2d-461e-b861-71790eead4f6"
}
Upvotes: 1
Views: 1699
Reputation: 397
I made a solution for this problem to block all ports in a network security group at the subscription-level scope. You need to set the port value "*" to block all; you can block any port by just typing the required port number in the port parameter, and it is done.
{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "in": "[parameters('deniedPorts')]"
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notIn": "[parameters('deniedPorts')]"
                  }
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "in": [
                    "*",
                    "Internet"
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {
    "deniedPorts": {
      "type": "Array",
      "metadata": {
        "displayName": "Ports to block",
        "description": "The inbound ports that should be blocked"
      }
    }
  }
}
Upvotes: 0
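To see what the answer's rule actually flags before assigning it, here is an added example (not code from the answer, from Stack Overflow, or from Microsoft's policy engine): a small offline evaluator that mirrors Azure Policy's allOf/anyOf/not nesting, the equals/in/notIn operators and the "[*]" array alias, run over a handful of constructed NSG security rules. The resource shape (a "properties" dict), the empty-array behaviour of "[*]" and the sample rules are assumptions for the demonstration. It also shows a caveat of the string-based "in" comparison: a rule whose destination is a range such as "20-25" is not matched by "22", and only rules literally written with "*" as their destination are matched by a "*" entry in deniedPorts.

```python
"""Offline walk-through of the NSG audit policy posted in the answer above.

Added example, not part of the original answer: a tiny evaluator for the
subset of Azure Policy semantics the rule uses. Resource modelling and the
handling of empty "[*]" arrays are assumptions, not the real engine.
"""

RULE = "Microsoft.Network/networkSecurityGroups/securityRules"

# The answer's "if" block, transcribed as a Python dict.
POLICY_IF = {
    "allOf": [
        {"field": "type", "equals": RULE},
        {"allOf": [
            {"field": RULE + "/access", "equals": "Allow"},
            {"field": RULE + "/direction", "equals": "Inbound"},
            {"anyOf": [
                {"field": RULE + "/destinationPortRange",
                 "in": "[parameters('deniedPorts')]"},
                {"not": {"field": RULE + "/destinationPortRanges[*]",
                         "notIn": "[parameters('deniedPorts')]"}},
            ]},
            {"anyOf": [
                {"field": RULE + "/sourceAddressPrefix", "in": ["*", "Internet"]},
            ]},
        ]},
    ]
}


def _param(value, params):
    """Expand "[parameters('name')]" template strings; pass literals through."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def _resolve(field, resource):
    """Map a policy alias onto the constructed resource (assumed shape)."""
    if field == "type":
        return resource.get("type")
    prop = field.rsplit("/", 1)[1]
    if prop.endswith("[*]"):
        prop = prop[:-3]
    return resource.get("properties", {}).get(prop)


def _norm(value):
    """Azure Policy string comparisons are case-insensitive; mirror that."""
    return str(value).lower()


def _compare(cond, actual, params):
    if "equals" in cond:
        return _norm(actual) == _norm(cond["equals"])
    if "in" in cond:
        return _norm(actual) in {_norm(v) for v in _param(cond["in"], params)}
    if "notIn" in cond:
        return _norm(actual) not in {_norm(v) for v in _param(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(node, resource, params):
    """Recursively evaluate a policy condition tree against one resource."""
    if "allOf" in node:
        return all(evaluate(c, resource, params) for c in node["allOf"])
    if "anyOf" in node:
        return any(evaluate(c, resource, params) for c in node["anyOf"])
    if "not" in node:
        return not evaluate(node["not"], resource, params)
    actual = _resolve(node["field"], resource)
    if node["field"].endswith("[*]"):
        # Array alias: true only when every element satisfies the condition;
        # an absent or empty array is treated as vacuously true (assumption).
        return all(_compare(node, v, params) for v in (actual or []))
    return actual is not None and _compare(node, actual, params)


def security_rule(name, access="Allow", direction="Inbound", port=None, ports=None, source="*"):
    """Build a constructed securityRules resource (single port XOR port list)."""
    props = {"access": access, "direction": direction, "sourceAddressPrefix": source}
    if ports is not None:
        props["destinationPortRanges"] = ports
    else:
        props["destinationPortRange"] = port
    return {"name": name, "type": RULE, "properties": props}


# Constructed sample rules; names describe the scenario each one exercises.
SAMPLE_RULES = [
    security_rule("ssh-from-internet", port="22", source="Internet"),
    security_rule("any-port-from-any", port="*"),
    security_rule("web-and-rdp", ports=["443", "3389"]),
    security_rule("https-only", ports=["443"]),
    security_rule("rdp-internal", port="3389", source="10.0.0.0/8"),
    security_rule("deny-ssh", access="Deny", port="22"),
    security_rule("outbound-ssh", direction="Outbound", port="22"),
    security_rule("ftp-ssh-range", port="20-25", source="Internet"),
]


def audit(rules, denied_ports):
    """Return the names of the rules the policy would report (effect: audit)."""
    params = {"deniedPorts": denied_ports}
    return [r["name"] for r in rules if evaluate(POLICY_IF, r, params)]


if __name__ == "__main__":
    for name in audit(SAMPLE_RULES, ["*", "22", "3389"]):
        print("audit:", name)
```

With deniedPorts set to ["*", "22", "3389"] the evaluator reports ssh-from-internet, any-port-from-any and web-and-rdp; the Deny rule, the Outbound rule, the rule scoped to 10.0.0.0/8 and the "20-25" range rule are left alone, the last one because "in" compares strings rather than port intervals.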