This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 40%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
I'm confused about the compliance result I'm getting against a test NSG of mine. I've tried the policy rule with "equals" and "match" with the same result. Basically, the policy rule says the current value must not match the target value. The target value is for "80" as in port 80, and the current value is an empty array. The value doesn't match, but it still shows up as non-compliant. What gives?
Here is the policy rule:
if: {
allOf: [{
field: "type",
equals: "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/access",
equals: "Allow"
},
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/direction",
equals: "Inbound"
},
{
anyOf: [
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
in: [
"*",
"Internet",
"Any",
"0.0.0.0/0"
]
},
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
in: [
"*",
"Internet",
"Any",
"0.0.0.0/0"
]
}
]
},
{
anyOf: [
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
equals: "80"
},
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
equals: "443"
},
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
match: "80"
},
{
field: "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
match: "443"
}
]
}
]
},
then: {
effect: "[parameters('effect')]"
}
Here is the non-compliance message:
Here is the JSON from the NSG rule that should NOT be matching and should be marked compliant.
"securityRules": [
{
"name": "AllowTagCustom53Inbound",
"id": "/subscriptions/xxxx/resourceGroups/test1/providers/Microsoft.Network/networkSecurityGroups/sootestnsg01/securityRules/AllowTagCustom53Inbound",
"etag": "W/\"xxxx\"",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "test bad rule 1",
"protocol": "UDP",
"sourcePortRange": "*",
"destinationPortRange": "53",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 47%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Your policy checks the Destination Range field to see if it has gates like "80" or "443". But when this area is empty, the policy is confused and marks it errors as non-transport, even if there is no port set.
We can fix our policy just by updating to look for "80" or "443" if there is actually no value in the destination area. If the field is empty, it does not trigger no check, and it will be marked as compliance.
We have made sure that the policy only looks for "80" or "443" if the field is not empty. If the field is empty, the policy releases the check, which prevents false non-transport.
With this update, your NSG rule should be marked as obedient even when the port area is vacant.
If you have any concerns, please go through this link: -
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
If the answer is helpful, please click "Accept Answer" and "Upvote it"
Thanks Rahul. I think your premise makes sense, but my attempts to evaluate against a null value are not working. What is your suggestion for ignoring a null value in this policy evaluation? What would you add to the policy rule as I wrote it above?
Hi @DICKENS Jesse * DAS Thanks for the clarification. The reason your policy is marking the rule as non-compliant is because it's trying to check for specific ports (like 80 or 443) even when the port fields are empty. When these fields are empty, the policy gets confused and flags the rule as non-compliant.
we just need to update the policy to ignore the port fields when they’re empty. If the port field is empty, it shouldn’t do any checking for ports, and it should mark the rule as compliant.
Add this check to your policy:
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges",
"exists": false
}
This line tells the policy: "If the destinationPortRanges field is empty, just skip checking it." This will prevent the policy from marking the rule as non-compliant when the port field is blank.
With this change, the policy will only check for ports when there’s actually a value in the field, and it won’t flag empty fields as an issue.
refer link: -
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-basics
If the answer is helpful, please click "Accept Answer" and "Upvote it"
Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.
If the comment is helpful, please click "Upvote it"
Thankyou
@Rahul Podila thanks for the follow up. I did try something similar in my rule last week, but I wasn't having much luck with it.
However, I did find this double "not" statement in the Azure Policy community github which did work for me. I don't know why this works, but it does evaluate properly.
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notEquals": "*"
}
}
Thanks for your patience, and I’m glad you found a solution that works!
To explain why your double "not" statement works:
The reason the "not" statement works is that it tells the policy to ignore empty or invalid port values. Specifically, it’s saying, "If the destinationPortRanges field is not equal to a valid value (like *), then go ahead and check the port." This allows the policy to skip checking the port field when it is empty, avoiding the confusion that causes it to flag the rule as non-compliant.
In simpler terms, you're telling the policy: "Only check for specific ports when the field is not empty." If the field is empty, the policy won't check for ports and will mark the rule as compliant.
This approach works great because it prevents the rule from being flagged as non-compliant when the port field is empty.
If the answer is helpful, please click "Accept Answer" and "Upvote it"
We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
I think this issue is resolved. I marked the double-not statement as an answer. Thanks again.
The double "not" statement as seen here seems to solve this problem.
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notEquals": "*"
}
}