
Azure policy "SSH access from the Internet should be blocked" with effect deny

How to resolve the Azure policy "SSH access from the Internet should be blocked" with effect deny

My goal: prevent SSH access to virtual machines by denying NSG rules that allow inbound traffic on port 22.

I first tried writing a custom policy myself, and then re-created this policy: SSH access from the Internet should be blocked. But in both cases, when I create a VM, the associated NSG is still created with the SSH port open.

My policies behave as if they had the audit effect: they do not stop the request for the resources (VM, NSG) immediately, but instead show up later in the portal as non-compliant under Compliance. By then, of course, it is too late: the resources are already in place and running.

Thanks for your help!

Update:

Rephrasing the question: why does Azure not apply the deny effect in the first place?

The entire policy, as requested by @KenWMSFT (the same as the policy linked above, except for the effect deny):

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "22"
                  },
                  {
                    "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22)), 'false')]",
                    "equals": "true"
                  },
                  {
                    "count": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "where": {
                        "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22)), 'false')]",
                        "equals": "true"
                      }
                    },
                    "greater": 0
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "22"
                    }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "Internet"
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "Internet"
                    }
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
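The following is an added example, not code from the original post or from Azure: a small local pre-flight check that mirrors the conditions of the posted policy rule (access Allow, direction Inbound, destination port 22 via "*", "22", a "low-high" range, or the destinationPortRanges list, and a source of Internet). It goes slightly beyond the posted rule by treating a "*" source prefix like Internet, since "*" admits every source address, and by walking the securityRules[*] array of a full NSG body, which is worth checking separately because the posted policy targets only the standalone securityRules resource type. The NSG document is constructed for this demonstration.

```python
"""Local check for NSG rules that allow inbound SSH from the Internet.

Added example; it models the posted policy's conditions in Python so rules
can be reviewed before deployment. The sample NSG below is constructed.
"""
from typing import List

SSH_PORT = 22
# Assumption (extension of the posted policy): "*" as a source is treated
# like "Internet" because it admits every source address.
INTERNET_SOURCES = {"Internet", "*"}


def port_spec_covers(spec: str, port: int) -> bool:
    """Mirror the policy's destinationPortRange logic: '*', the exact port,
    or a 'low-high' range whose bounds enclose the port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, _, high = spec.partition("-")
        try:
            return int(low) <= port <= int(high)
        except ValueError:
            # Malformed range: the ARM expression's int() would fail; treat as no match.
            return False
    return spec == str(port)


def rule_exposes_ssh(rule: dict) -> bool:
    """True when the rule ALLOWS INBOUND traffic from the Internet to port 22."""
    props = rule.get("properties", rule)
    if props.get("access") != "Allow" or props.get("direction") != "Inbound":
        return False
    # Either the scalar destinationPortRange or the destinationPortRanges list may be set.
    ports = []
    if props.get("destinationPortRange"):
        ports.append(props["destinationPortRange"])
    ports.extend(props.get("destinationPortRanges") or [])
    if not any(port_spec_covers(p, SSH_PORT) for p in ports):
        return False
    # Same pattern for the source: scalar sourceAddressPrefix or the sourceAddressPrefixes list.
    sources = []
    if props.get("sourceAddressPrefix"):
        sources.append(props["sourceAddressPrefix"])
    sources.extend(props.get("sourceAddressPrefixes") or [])
    return any(s in INTERNET_SOURCES for s in sources)


def find_violations(nsg: dict) -> List[str]:
    """Return the names of rules inside a full NSG body that expose SSH."""
    rules = nsg.get("properties", {}).get("securityRules", [])
    return [r["name"] for r in rules if rule_exposes_ssh(r)]


# Constructed sample NSG body (not from a real subscription).
SAMPLE_NSG = {
    "name": "nsg-example",
    "properties": {
        "securityRules": [
            {"name": "allow-ssh-internet", "properties": {
                "access": "Allow", "direction": "Inbound",
                "destinationPortRange": "22", "sourceAddressPrefix": "Internet"}},
            {"name": "allow-ssh-corp", "properties": {
                "access": "Allow", "direction": "Inbound",
                "destinationPortRange": "22", "sourceAddressPrefix": "10.0.0.0/8"}},
            {"name": "allow-range-any", "properties": {
                "access": "Allow", "direction": "Inbound",
                "destinationPortRange": "20-30", "sourceAddressPrefixes": ["*"]}},
            {"name": "deny-ssh", "properties": {
                "access": "Deny", "direction": "Inbound",
                "destinationPortRange": "22", "sourceAddressPrefix": "*"}},
            {"name": "allow-web", "properties": {
                "access": "Allow", "direction": "Inbound",
                "destinationPortRanges": ["80", "443"], "sourceAddressPrefix": "Internet"}},
        ]
    },
}

if __name__ == "__main__":
    for name in find_violations(SAMPLE_NSG):
        print(f"rule {name!r} allows inbound SSH from the Internet")
```

Run it against an exported NSG JSON (for example the output of `az network nsg show`) to see which rules the policy's conditions would match; the rule names it prints for the sample are `allow-ssh-internet` and `allow-range-any`.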
