Azure Policy: Deny HTTP listeners (Application Gateway)


Here is the second Azure Policy example in addition to the first one . The following policy is quiet simple and denies creation of HTTP listeners for Application Gateways, so only HTTPS Listeners are allowed:

#Version1
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyof": [
        {
          "not": {
            "field": "Microsoft.Network/applicationGateways/httpListeners[*].protocol",
            "notEquals": "Http"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

#Version2
{
  "mode":"All"
  "policyRule": {
    "if": {

        "not": {

            "equals": "Https",

            "field": "Microsoft.Network/applicationGateways/httpListeners[*].protocol"

        }

    },

    "then": {

        "effect": "deny"

    }
},
"parameters": {}
}

To assign the policy by using PowerShell:

# Create the Policy Definition (Subscription scope)
$policyrules = "URI here"
$policyparams = "URI here (optional)"
$definition = New-AzPolicyDefinition -Name 'Deny HTTP Listeners' -Policy $policyrules  -Parameter $policyparams -Mode All

# Set the scope to a resource group; may also be a resource, subscription, or management group
$scope = Get-AzResourceGroup -Name 'mvphero'

# Create the Policy Assignment
New-AzPolicyAssignment -Name 'Deny HTTP Listeners' -DisplayName 'Deny Application Gateway HTTP Listeners' -Scope $scope.ResourceId -PolicyDefinition $definition

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s