Need help on azure policy for Virtual network Subnet Creation

Rajnish Soni 40 Reputation points
2025-01-29T11:19:35.4333333+00:00

I want to create a policy where, if the Virtual Network subnet prefix is less than /24, the policy should block the subnet creation. I have the below sample policy but it is not working. Can you please help?

{
 
"displayName"
"policyType"
"mode"
"description"
"metadata"
"version"
"category"
 },
"version"
"parameters"
"effect"
"type"
"metadata"
"displayName"
"description"
 },
"allowedValues"
"audit"
"Audit"
"deny"
"Deny"
"disabled"
"Disabled"
 ],
"defaultValue"
 }
 },
"policyRule"
"if"
"allOf"
 {
"field"
"equals"
 },
 {
"value"
"notIn"
 }
 ]
 },
"then"
"effect"
 }
 }
 }
}
Azure Policy

Accepted answer
    Sina Salam 17,176 Reputation points
    2025-01-29T17:28:11.7033333+00:00

    Hello Rajnish Soni,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you need help on an Azure Policy for Virtual Network subnet creation.

    This is a corrected version of the policy that should block the creation of a Virtual Network subnet with a prefix length less than /24:

    {
      "properties": {
        "displayName": "Deny Subnet Prefix Less Than /24",
        "policyType": "Custom",
        "mode": "All",
        "description": "This policy denies the creation of a Virtual Network subnet with a prefix length less than /24.",
        "metadata": {
          "version": "1.0.0",
          "category": "Network"
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                "notLike": "*/24"
              },
              {
                "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                "notLike": "*/25"
              },
              {
                "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                "notLike": "*/26"
              },
              {
                "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                "notLike": "*/27"
              },
              {
                "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                "notLike": "*/28"
              },
              {
                "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                "notLike": "*/29"
              },
              {
                "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                "notLike": "*/30"
              }
            ]
          },
          "then": {
            "effect": "Deny"
          }
        }
      }
    }
    

    This policy checks if the subnet prefix length is not like /24, /25, /26, /27, /28, /29, or /30, and if it matches any of these conditions, it denies the creation of the subnet.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

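A quick way to check which addressPrefix values the accepted answer's rule actually denies is to evaluate it offline before assigning it. The following is an added example, not code from this thread or from Azure Policy itself: it models only the operators used here (allOf/anyOf, like/notLike, equals, in/notIn), treats `*` in like/notLike as a wildcard with case-insensitive matching and a missing field as an empty string (all assumptions), and runs the posted rule over constructed sample prefixes.

```python
import re

# Field the accepted answer's policy evaluates (from the posted policy definition).
FIELD = "Microsoft.Network/virtualNetworks/subnets/addressPrefix"

# The accepted answer's policyRule rebuilt from its JSON: seven "notLike"
# conditions under "allOf", one for each prefix length from /24 to /30.
POLICY_RULE = {
    "if": {"allOf": [{"field": FIELD, "notLike": f"*/{n}"} for n in range(24, 31)]},
    "then": {"effect": "Deny"},
}


def like(value: str, pattern: str) -> bool:
    """Model of the Azure Policy 'like' condition (assumption: '*' matches any
    run of characters and the comparison is case-insensitive)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def evaluate(condition: dict, resource: dict) -> bool:
    """Recursively evaluate an 'if' block over a flat {field: value} resource.
    Only the operators used in this thread are modelled; a missing field is
    treated as an empty string (assumption)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    value = resource.get(condition["field"], "")
    if "like" in condition:
        return like(value, condition["like"])
    if "notLike" in condition:
        return not like(value, condition["notLike"])
    if "equals" in condition:
        return value.lower() == str(condition["equals"]).lower()
    if "in" in condition:
        return value.lower() in {str(v).lower() for v in condition["in"]}
    if "notIn" in condition:
        return value.lower() not in {str(v).lower() for v in condition["notIn"]}
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(prefix: str, rule: dict = POLICY_RULE) -> str:
    """Return the effect the rule applies to a subnet with this addressPrefix."""
    resource = {FIELD: prefix}  # constructed subnet resource with only the field the rule reads
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "Allow"


if __name__ == "__main__":
    # Constructed sample prefixes spanning the range the question is about.
    for p in ["10.0.0.0/16", "10.1.0.0/23", "10.2.0.0/24", "10.3.0.0/28", "10.4.0.0/30", "10.5.0.0/31"]:
        print(f"{p:<14} -> {effect_for(p)}")
```

Running it shows /16 and /23 denied and /24 through /30 allowed, and also that /31 and /32 are denied, because the rule only lists /24 to /30 as permitted lengths.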
