Remediation for Network restriction policy of Azure Storage account


Problem description

I have the definition file for "Storage accounts should restrict network access". I want to run this policy on existing storage accounts and, if they are not compliant, change the network access (remove public access + assign a subnet). How do I create this remediation as part of this policy?

{
  "properties": {
    "displayName": "Audit Storage Accounts Open to Public Networks",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy ensures that storage accounts with exposures to public networks are audited.",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "equals": "Allow"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}

Solution

If you want to assign a VNET to the storage account with Azure Policy, you can use the effect DeployIfNotExists to implement it. For example:

My definition file. Please note that in the sample, you use an existing Subnet. If you want to create a new subnet, please refer to the template

{
  "properties": {
    "displayName": "storage3",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Storage/storageAccounts",
          "name": "[field('name')]",
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "equals": "Deny"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "sku": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "kind": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('name')]",
                    "type": "Microsoft.Storage/storageAccounts",
                    "apiVersion": "2019-06-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "networkAcls": {
                        "bypass": "AzureServices",
                        "virtualNetworkRules": [
                          {
                            "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>",
                            "action": "Allow"
                          }
                        ],
                        "ipRules": [],
                        "defaultAction": "Deny"
                      }
                    },
                    "dependsOn": [],
                    "sku": {
                      "name": "[parameters('sku')]"
                    },
                    "kind": "[parameters('kind')]"
                  }
                ]
              },
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "sku": {
                  "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "kind": {
                  "value": "[field('kind')]"
                }
              }
            }
          }
        }
      }
    }
  }
}

For more details, please refer to

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#grant-access-from-a-virtual-network
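To see how the two rules on this page differ before assigning them, the following added example (not part of the original question or answer) re-implements a small subset of Azure Policy's condition language (allOf/anyOf/not, field aliases, equals/notEquals/in/exists) and runs the question's audit rule and the answer's DeployIfNotExists rule against constructed storage-account documents. It also applies the same networkAcls block that the answer's embedded ARM template deploys, so the state before and after remediation can be compared. The subnet ID, account names and the treatment of a missing networkAcls property (read as "no value") are assumptions of this example, not statements about the real policy engine.

```python
"""Offline evaluator for the Azure Policy rules on this page (added example)."""
import copy
from typing import Any, Optional

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"
DEFAULT_ACTION = STORAGE_TYPE + "/networkAcls.defaultAction"
# Resource properties that Azure Policy exposes as bare field names.
TOP_LEVEL_FIELDS = {"type", "name", "location", "kind", "tags"}


def resolve_field(resource: dict, field: str) -> Any:
    """Resolve a field alias such as '<type>/networkAcls.defaultAction': strip the
    type prefix, then walk the dotted path at the top level and under 'properties'."""
    if field in TOP_LEVEL_FIELDS:
        return resource.get(field)
    rtype = resource.get("type", "")
    path = field[len(rtype) + 1:] if field.lower().startswith(rtype.lower() + "/") else field
    for root in (resource, resource.get("properties", {})):
        cur: Any = root
        for part in path.split("."):
            if not isinstance(cur, dict) or part not in cur:
                cur = None
                break
            cur = cur[part]
        if cur is not None:
            return cur
    return None


def _eq(a: Any, b: Any) -> bool:
    """Azure Policy compares strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(cond: dict, resource: dict) -> bool:
    """Evaluate a policy condition tree against one resource document."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return _eq(value, cond["equals"])
    if "notEquals" in cond:
        return not _eq(value, cond["notEquals"])
    if "in" in cond:
        return any(_eq(value, v) for v in cond["in"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def classify(policy_rule: dict, resource: dict) -> str:
    """'not-applicable' when the 'if' does not select the resource; otherwise the
    existenceCondition (DeployIfNotExists) decides compliant vs non-compliant, and a
    plain audit/deny rule reports every selected resource as non-compliant."""
    if not evaluate(policy_rule["if"], resource):
        return "not-applicable"
    details = policy_rule["then"].get("details", {})
    if "existenceCondition" in details:
        return "compliant" if evaluate(details["existenceCondition"], resource) else "non-compliant"
    return "non-compliant"


# The question's audit rule: flags defaultAction == Allow.
AUDIT_RULE = {
    "if": {"allOf": [{"field": "type", "equals": STORAGE_TYPE},
                     {"field": DEFAULT_ACTION, "equals": "Allow"}]},
    "then": {"effect": "audit"},
}
# The answer's rule: selects defaultAction != Deny, compliant once it is Deny.
DINE_RULE = {
    "if": {"allOf": [{"field": "type", "equals": STORAGE_TYPE},
                     {"field": DEFAULT_ACTION, "notEquals": "Deny"}]},
    "then": {"effect": "deployIfNotExists",
             "details": {"type": STORAGE_TYPE,
                         "existenceCondition": {"field": DEFAULT_ACTION, "equals": "Deny"}}},
}
# Hypothetical subnet resource ID (constructed placeholder, not a real subscription).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
             "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/snet-example")


def remediate(resource: dict, subnet_id: str = SUBNET_ID) -> dict:
    """Apply the networkAcls block the answer's template deploys (incremental mode:
    other properties are left untouched)."""
    fixed = copy.deepcopy(resource)
    fixed.setdefault("properties", {})["networkAcls"] = {
        "bypass": "AzureServices",
        "virtualNetworkRules": [{"id": subnet_id, "action": "Allow"}],
        "ipRules": [],
        "defaultAction": "Deny",
    }
    return fixed


def storage_account(name: str, default_action: Optional[str]) -> dict:
    """Constructed sample resource document (not real Azure data)."""
    props: dict = {"supportsHttpsTrafficOnly": True}
    if default_action is not None:
        props["networkAcls"] = {"bypass": "AzureServices", "defaultAction": default_action}
    return {"name": name, "type": STORAGE_TYPE, "location": "westeurope",
            "kind": "StorageV2", "sku": {"name": "Standard_LRS"}, "properties": props}


SAMPLES = {
    "open": storage_account("stopen001", "Allow"),
    "locked": storage_account("stlocked001", "Deny"),
    "no-acls": storage_account("stnoacls001", None),  # networkAcls absent from the document
}


def report() -> dict:
    """Classification of every sample under both rules, plus the state after remediation."""
    return {label: {"audit": classify(AUDIT_RULE, acct),
                    "dine": classify(DINE_RULE, acct),
                    "dine_after_remediation": classify(DINE_RULE, remediate(acct))}
            for label, acct in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in report().items():
        print(f"{label:8} {result}")
```

Two things the run makes visible. The audit rule's `equals Allow` never selects the document with no networkAcls value, while the answer's `notEquals Deny` does, so the latter is the more conservative check to pair with remediation. And because the answer's rule also puts `notEquals Deny` in the `if`, a remediated account drops out of the rule's scope (reported here as not applicable rather than compliant); keeping only the type check in the `if` and letting the existenceCondition carry the compliance logic would report such accounts as compliant instead.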
