我正在嘗試創建一個天藍色策略來審核我的 NSG。
我需要驗證我的 NSG 是否包含來源和目標匹配且均為 IP 位址的規則(因此不是「虛擬機器」)
我目前有以下內容:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRange",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"match": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix",
"match": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
"equals": "Allow"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
"equals": "Inbound"
}
]
}
},
"notEquals": 1
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {}
}
然而,這表明我的所有 NSG 都不合規,儘管我知道其中一些是不合規的。
這可能嗎?
先致謝