Azure RBAC限制访问权限以仅使用现有网络创建VM [英] Azure RBAC restrict access to create VM's only using existing networks

问题描述

您好，我们试图通过允许用户创建虚拟机，而不限制用户更改NSG规则或创建其他网络的方式，在Azure vNet和NSG设计中实现一些安全性.

Hi there were trying to implement some security in our Azure vNet and NSG design by allowing users to create VM's only without and restricting them from changing NSG rules or creating additional networks.

我们这样做的理由是IT将为Azure订阅预定义vNet和NSG，并且我们希望允许总线创建VM等.但是，当我们授予RBAC虚拟机贡献者"时，我们发现它不起作用我们得到一个错误 根据进一步研究，如果没有"NIC，VNET，IP，NSG和存储帐户"，则在创建VM时会出现该错误.已经为VM定义了，将无法正常工作.

Our rationale behind this is IT will predefine the vNets and NSGs for the Azure subscription and we want to allow the bus to create VM's etc. However when we granted the RBAC "Virtual machine contributor" we found it doesn't work we get an error upon further research it appears when creating the VM if there's no " NIC, VNET, IP, NSG and Storage Account" already defined for the VM it won't work.

因此，任何专家都可以建议如何解决此问题，同时允许用户创建VM.或者，有一个选项可以在允许wg时将NSG配置限制为选定的用户.虚拟机贡献者可以毫不费力地创建VM.

So can any experts suggest how to address this with while allowing users to create VM. Alternatively is there an option to restrict NSG configuration to selected users while letting wg. Virtual machine contributers create VM with minimal fuss.

我们的要求很简单，即允许用户根据需要创建VM，但限制NSG规则配置-我们希望确保应用正确的规则，并将由IT进行管理.

Our requirement is simple let users create VM's as needed but restrict NSG rule configuration - we want to ensure the correct ruls are applied and this will be managed by IT.

莫莫

推荐答案

您是否考虑过资源策略?https://docs.microsoft.com/en-us/azure/azure-policy/json-samples

您可以使用if/else语句创建自定义策略，以指定必须用于新VM等的NSG.

You could create a custom policy with if/else statements to specify the NSG that has to be used for new VMs etc.

Joe

这篇关于Azure RBAC限制访问权限以仅使用现有网络创建VM的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！