Does, not allowed resource type "Microsoft.Network.virtualNetworks" stop me from creating a VM

Shridhar Srinivasan 220

You have an Azure subscription named mySubscription. Under the subscription, you go ahead and create a resource group named myRG.
You then go ahead and create an Azure policy based on the “Not allowed resources types” definition. Here you define the parameters as Microsoft.Network.virtualNetworks as the not allowed resource type. You assign this policy to the top Management group "Tenant Root Group".
Would you be able to create a virtual machine in the myRG resource group?

Prrudram-MSFT 25,881 Reputation points

2023-07-20T16:17:26.06+00:00

@Shridhar Srinivasan

We noticed that you rated an answer as not helpful. We value your feedback and want to see if there is anything we can do to improve and make this a positive experience for you. Thanks!

Also, please review my answer below and let me know if that helps!
Prrudram-MSFT 25,881 Reputation points

2023-08-09T12:41:04.68+00:00

Hello @Srinivasan, Shridhar (Shridhar)

I have tested the scenario and posted the comments. If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

3 answers

Prrudram-MSFT 25,881 Reputation points

2023-07-20T16:16:04.17+00:00

@Shridhar Srinivasan

Your point "I think during a VM creation, a VNet and Network Interface (NIC) creation are mandatory. Because of the Policy, won't VM creation be stopped?" is correct. Any new VNet creation during the VM creation should fail in the RG that has restrictions.
However, if there is any existing VNET available in the RG already that can be used to create the VM. In that way the VM creation shouldn't fail.

If this does answer your question, please accept it as the answer as a token of appreciation.
Please sign in to rate this answer.

1 person found this answer helpful.
Shridhar Srinivasan 220 Reputation points

2023-07-21T03:51:10.7566667+00:00

Thanks for clarifying on the VNet. What about the network interface though ?

Shridhar Srinivasan 220 Reputation points

2023-07-21T10:53:50.29+00:00

Still awaiting clarification on the above about network interface.

Prrudram-MSFT 25,881 Reputation points

2023-07-21T18:12:06.87+00:00

Hi Srinivasan, Shridhar (Shridhar)

Apologies for the delay, I missed this comment somehow, I didn't get any notification for this.

Here is my answer your question,

If you have an Azure policy that does not allow the creation of resources of type "Microsoft.Network/virtualNetworks" in your Azure subscription or resource group, you may not be able to create a network interface (NIC) that must be associated with a virtual network. When you create a NIC, you must specify the virtual network and subnet that the NIC will be associated with. If you are not allowed to create virtual networks, you may not be able to create a NIC that needs to be associated with a virtual network.

Hope this answers your question. If yes, please accept it as the answer and upvote as a token of appreciation

Shridhar Srinivasan 220 Reputation points

2023-07-21T20:08:30.6+00:00

Sorry, there is too much probability in above response - "may not be able to create..."

Like you mentioned in earlier response, if I have an existing VNet, will I be able to create a NIC against it

OR

will policy with not allowed resource type "Microsoft.Network/virtualNetworks" block creation of NIC also.

Please give a confirm response.

Prrudram-MSFT 25,881 Reputation points

2023-07-24T09:24:42.7833333+00:00

Srinivasan, Shridhar (Shridhar)
I believe it may block the NIC creation for an existing VNET as well but associating an existing NIC may not be an issue. Do you mind if I test it and get back with the answer?

Shridhar Srinivasan 220 Reputation points

2023-07-26T10:22:30.3533333+00:00

Sure @Prrudram-MSFT A tested answer will always be better.

Look forward to it.

Shridhar Srinivasan 220 Reputation points

2023-07-29T05:13:12.8366667+00:00

Hi @Prrudram-MSFT

Any update from your test ?

Prrudram-MSFT 25,881 Reputation points

2023-08-07T17:25:16.8133333+00:00

Hi Srinivasan, Shridhar (Shridhar)

Apologies for keeping you wait. I had been away from work last week. I got a chance to test this scenario today and here is my observation

For existing VNET, you can deploy the VM, the policy didn't block the creation of the NIC/Public IP and NSG.

For new VNET the VM creation itself fails during the validation.

Adding screenshots for reference

Policy deployed to the scope of RG :

VM creation to an existing VNet in the same RG succeeds:

VM creation to a new RG fails as the policy blocks creation of VNET.

I hope this clarifies your question. If this does answer your question, please accept it as the answer and upvote as a token of appreciation.

Prrudram-MSFT 25,881 Reputation points

2023-08-07T17:52:07.4733333+00:00

Hi Srinivasan, Shridhar (Shridhar)
Another interesting thing, I directly tried to create a NIC under the existing VNET through NIC blade from subscription->all services and that failed too. But during VM creation it didn't fail the creation of NIC. Hope this adds to your testing.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Tech-Hyd-1989 5,796 Reputation points

2023-07-14T10:29:02.86+00:00

Hello Srinivasan, Shridhar (Shridhar)

Yes, you would be able to create a virtual machine in the "myRG" resource group, even if the Azure policy you defined restricts the creation of "Microsoft.Network.virtualNetworks" resources.

The Azure policy you created and assigned to the "Tenant Root Group" is focused on preventing the creation of virtual networks (Microsoft.Network.virtualNetworks), not virtual machines (Microsoft.Compute/virtualMachines). Therefore, you can still create virtual machines within the resource group "myRG" as long as they comply with the policy's restrictions on virtual networks.

It's important to note that Azure policies are resource-level restrictions, and they don't block the creation of other resource types within the same resource group unless specifically defined in the policy.

So, in this scenario, you can proceed with creating a virtual machine in the "myRG" resource group without any issues, as the policy only applies to virtual networks.
Please sign in to rate this answer.
Shridhar Srinivasan 220 Reputation points

2023-07-20T11:58:49.93+00:00

I think during a VM creation, a VNet and Network Interface (NIC) creation are mandatory. Because of the Policy, won't VM creation be stopped ?

Joe Fulford 101 Reputation points Microsoft Employee

2023-08-09T16:37:16.8933333+00:00

As long as there is an existing vnet to attach it to, it would work. Otherwise, of course it will need to create a new one for the VM to sit in. With the policy assignment, it wouldn't work.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Luckman 0 Reputation points

2024-11-17T00:03:58.0433333+00:00

I have tested this myself

IF you are creating a VM and placing it into a NEW virtual network at (during the creation process), it will not work. This is because the policy ("Not allowed resources types”) blocks it.

IF you are creating a VM and placing it into an EXISTING virtual network (during the creation process), it will work.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Does, not allowed resource type "Microsoft.Network.virtualNetworks" stop me from creating a VM

3 answers

Your answer