How to get the Azure Policy "SSH access from the Internet should be blocked" to work with effect deny
My goal: prevent SSH access to virtual machines by denying NSG rules that allow inbound traffic over port 22.
I first tried writing a custom policy myself, then I rewrote this policy: SSH access from the Internet should be blocked. But in both cases, when I create a VM, the associated NSG is still created with the SSH port open.
My policies behave as if they had the audit effect: they do not stop the request for the resources (VM, NSG) immediately; instead the non-compliance shows up later in the portal under Compliance. But by then, of course, it is too late; the resources are already in place and running.
Thanks for your help!
Update:
Rephrasing the question: why does Azure not enforce the deny effect in the first place?
The whole policy requested by @KenWMSFT (same as the one linked above, except for the effect deny):
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
      },
      {
        "allOf": [
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
            "equals": "Allow"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
            "equals": "Inbound"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                "equals": "*"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                "equals": "22"
              },
              {
                "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))),contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')),and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-'))),22),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-'))),22)),'false')]",
                "equals": "true"
              },
              {
                "count": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                  "where": {
                    "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))),contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')),and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-'))),22),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-'))),22)),'false')]",
                    "equals": "true"
                  }
                },
                "greater": 0
              },
              {
                "not": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                  "notEquals": "*"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                  "notEquals": "22"
                }
              }
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressprefix",
                "equals": "Internet"
              },
              {
                "not": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressprefixes[*]",
                  "notEquals": "Internet"
                }
              }
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
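To see which NSG security rules the conditions in the posted policy actually match, the following Python re-implements its "if" block and runs it over a handful of constructed rules. This is an added example, not code from the post, from Azure Policy or from any Azure SDK; the port checks ("*", "22", a "low-high" range spanning 22, either as a single destinationPortRange or as an entry in destinationPortRanges) and the source check ("Internet", either as sourceAddressPrefix or as an entry in sourceAddressPrefixes) mirror the posted conditions, and the sample rules are invented test data using the ARM property names rather than the policy aliases.

```python
"""Offline evaluator for the 'if' block of the posted Azure Policy.

Added example, not part of the original post and not an Azure SDK.  It mirrors
the policy's conditions on NSG security rules so they can be exercised locally:
  - type must be Microsoft.Network/networkSecurityGroups/securityRules
  - access Allow, direction Inbound
  - a destination port entry that is '*', '22', or a 'low-high' range with
    low <= 22 <= high (single destinationPortRange or any destinationPortRanges entry)
  - source 'Internet' (single sourceAddressPrefix or any sourceAddressPrefixes entry),
    which is the only source value listed in the policy as posted.
Sample rules below are constructed test data.
"""

from typing import Any, Dict, List, Optional

SSH_PORT = 22
SECURITY_RULE_TYPE = "Microsoft.Network/networkSecurityGroups/securityRules"


def port_entry_covers_ssh(entry: Optional[str]) -> bool:
    """Mirror of the policy's port alternatives for one port entry.

    Corresponds to: equals '*', equals '22', or the range expression
    if(contains(entry,'-'), and(first <= 22, last >= 22), 'false').
    """
    if not entry:
        return False
    if entry in ("*", str(SSH_PORT)):
        return True
    if "-" in entry:
        low, _, high = entry.partition("-")
        try:
            return int(low) <= SSH_PORT <= int(high)
        except ValueError:  # malformed range; the policy's int() would fail too
            return False
    return False


def rule_matches_policy(rule: Dict[str, Any]) -> bool:
    """True when the posted policy's 'if' block matches this security rule.

    With effect 'deny' such a rule would be rejected at deployment time; with
    'audit' it would only be reported as non-compliant afterwards.
    """
    if rule.get("type") != SECURITY_RULE_TYPE:
        return False
    props: Dict[str, Any] = rule.get("properties", {})
    if props.get("access") != "Allow" or props.get("direction") != "Inbound":
        return False

    single_port: Optional[str] = props.get("destinationPortRange")
    multi_ports: List[str] = props.get("destinationPortRanges") or []
    # 'not notEquals' on a [*] alias means "at least one element equals";
    # together with the count/where range check this is an any() over entries.
    ssh_reachable = port_entry_covers_ssh(single_port) or any(
        port_entry_covers_ssh(p) for p in multi_ports
    )
    if not ssh_reachable:
        return False

    single_src: Optional[str] = props.get("sourceAddressPrefix")
    multi_src: List[str] = props.get("sourceAddressPrefixes") or []
    return single_src == "Internet" or "Internet" in multi_src


def _rule(name: str, **props: Any) -> Dict[str, Any]:
    """Build a constructed security-rule resource in ARM shape."""
    base = {"access": "Allow", "direction": "Inbound"}
    base.update(props)
    return {"name": name, "type": SECURITY_RULE_TYPE, "properties": base}


# Constructed sample rules (not from any real subscription).
SAMPLE_RULES: List[Dict[str, Any]] = [
    _rule("allow-ssh-internet", destinationPortRange="22", sourceAddressPrefix="Internet"),
    _rule("allow-range-internet", destinationPortRange="20-25", sourceAddressPrefix="Internet"),
    _rule("allow-https-internet", destinationPortRange="443", sourceAddressPrefix="Internet"),
    _rule("allow-multi-internet", destinationPortRanges=["80", "22"],
          sourceAddressPrefixes=["10.0.0.0/8", "Internet"]),
    _rule("deny-ssh-internet", access="Deny", destinationPortRange="22",
          sourceAddressPrefix="Internet"),
    _rule("allow-ssh-vnet", destinationPortRange="22", sourceAddressPrefix="VirtualNetwork"),
    _rule("allow-ssh-any", destinationPortRange="22", sourceAddressPrefix="*"),
]


def matching_rule_names(rules: List[Dict[str, Any]]) -> List[str]:
    """Names of the rules the posted policy would deny."""
    return [r["name"] for r in rules if rule_matches_policy(r)]


if __name__ == "__main__":
    for name in matching_rule_names(SAMPLE_RULES):
        print("would be denied:", name)
```

Running it lists allow-ssh-internet, allow-range-internet and allow-multi-internet. The Deny rule, the HTTPS-only rule and the VirtualNetwork-sourced rule fall outside the conditions, and so does the rule sourced from "*", because the source alternatives as they appear in the post only name "Internet".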