Azure policy to turn off public and private access to disk.

Nana Poku 160

Can I get help with a azure policy to turn off public access to existing managed disks so that is not accessible to public internet.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-22T16:35:02.92+00:00

Hi @Nana Poku,

I am checking on it, we will provide the results soon.

Thankyou

1 answer

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-22T16:54:11.05+00:00
Hi @Nana Poku,

Welcome to Microsoft Q&A Forum, thank you for posting your query here!

Instead of using an Azure policy use Azure Automation account and schdule this job when ver it is required

Can you use an automation Account and create a run book. This is very easy to use.

Below script will do the job

$disks = Get-AzDisk | Where-Object {$_.PublicNetworkAccess -eq 'Enabled'} foreach ($disk in $disks) {$disk | New-AzDiskUpdateConfig -PublicNetworkAccess "Disabled" -NetworkAccessPolicy "DenyAll" | Update-AzDisk -resourcegroup $($disk.resourcegroupname) -diskname $($disk.name)}

Below is the artifact of the output:-

Feel free to reach out if you have any further questions or need additional information—I’m happy to assist!

Please provide your valuable comments

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Please sign in to rate this answer.
Nana Poku 160 Reputation points

2025-01-22T22:49:08.0066667+00:00

Hi Ashok,

Thanks for this detailed approached and will give you feedback after i applied this...👌

Nana Poku 160 Reputation points

2025-01-23T00:01:18.1333333+00:00

Hi Ashok,

This perfectly worked for me and will create automation account for it, can you also provide me with a script for "Disable public access and enable private access". Thank you for this 😊.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-23T02:46:59.2566667+00:00

Hi @Nana Poku,

Thank you for your valuable feedback! I’ll definitely share a script very soon on how to implement this in an Automation Account. In a step-by-step process
Thankyou

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-23T05:22:45.93+00:00

Hi @Nana Poku,

Please find the step-by-step process on how to achieve this output.

Create an Automation account

Refer: https://learn.microsoft.com/en-us/azure/automation/quickstarts/create-azure-automation-account-portal

Create a runbook

Refer: https://learn.microsoft.com/en-us/azure/automation/learn/automation-tutorial-runbook-textual

Later enable managed identity to keep on

Refer: https://learn.microsoft.com/en-us/azure/automation/learn/automation-tutorial-runbook-textual

Follow the below screenshots

Add role assignment

Add role Assignment and provide Contributor access to the automation account or manage identity

Below is the Artifact of the script: -

Below Code Snipped: -

Artifact Output: - Code Snippet: -

# Connect to Azure with system-assigned managed identity $AzureContext = (Connect-AzAccount -Identity).context # Set and store context $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext # Get all disks with PublicNetworkAccess enabled $disks = Get-AzDisk | Where-Object { $_.PublicNetworkAccess -eq 'Enabled' } # Check if there are any disks to process if ($disks.Count -eq 0) { Write-Host "No disks found with PublicNetworkAccess enabled." -ForegroundColor Yellow } else { Write-Host "Disks with PublicNetworkAccess enabled found: $($disks.Count)" -ForegroundColor Green foreach ($disk in $disks) { try { # Create an update configuration and apply it to the disk $diskUpdateConfig = $disk | New-AzDiskUpdateConfig -PublicNetworkAccess "Disabled" -NetworkAccessPolicy "DenyAll" Update-AzDisk -ResourceGroupName $disk.ResourceGroupName -DiskName $disk.Name -DiskUpdate $diskUpdateConfig Write-Host "Successfully updated disk: $($disk.Name) in resource group: $($disk.ResourceGroupName)" -ForegroundColor Green } catch { Write-Host "Failed to update disk: $($disk.Name) in resource group: $($disk.ResourceGroupName). Error: $($_.Exception.Message)" -ForegroundColor Red } } }

Please provide your valuable comments

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Nana Poku 160 Reputation points

2025-01-23T10:28:22.2833333+00:00

Thank you soo much as I have successfully created the automation account with ease with your guideline, impressive.

How to I also get a commands for this option ?

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-23T10:31:59.0666667+00:00

Hi @Nana Poku,

Thanks for the response back, previously your ask is for option 3 which is public and private access disable, let me know if I am correct this script will do the option 3 job.

Thankyou

Nana Poku 160 Reputation points

2025-01-23T14:59:39.23+00:00

Sure I did and you script done that during testing before production environment, but in addition to my initial request is there any commands for option 2?

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-23T15:20:14.1966667+00:00

Hi @Nana Poku,

Got it thanks for the response, Happy that it worked for you.

Feel free to post a new question and tag me there. I'd be happy to help as far as I can with your new issue. Disabling public and enabling private network will be different topic that will be out of scope of this thread. Please post a new question I will take it up and provide an appropriate solution for you.

While posting a new Question please add azure automation tag let me take it up and provide you the solution very soon.

Hope I Answered your question Kindly accept the Answer if it helped you.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-24T07:23:55.2766667+00:00

Hi @Nana Poku,,

I have taken up your new question in another thread I acknowledged.

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-26T21:37:14.6033333+00:00

Hi @Nana Poku,,

I have taken up your new question in another thread and provided answer for that.

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-27T12:12:33.48+00:00

Hi @Nana Poku,

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-28T04:05:08.0933333+00:00

Hi @Nana Poku,

Let me know if this thread can be closed up. If this thread helps you, do not forget to accept it.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-28T13:31:20.2566667+00:00

Hi @Nana Poku,

Let me know if this thread can be closed up. If this thread helps you, do not forget to accept it.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-29T10:45:21.1566667+00:00

Hi @Nana Poku,

Thanks for accepting the other answer.

Let me know if this thread can be closed up. If this thread helps you, do not forget to accept it.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 3,145 Reputation points Microsoft Vendor

2025-01-30T05:43:33.32+00:00

Hi @Nana Poku,

Thanks for accepting the other answer.

Let me know if this thread can be closed up. If this thread helps you, do not forget to accept it.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure policy to turn off public and private access to disk.

1 answer

Your answer