Azure Policy built-in definitions for Azure networking services

This page is an index of Azure Policy built-in policy definitions for Azure networking services. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure networking services

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Application Gateways should be Zone Resilient | Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
| [Preview]: Configure Azure Recovery Services vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0-preview |
| [Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. | DeployIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Firewalls should be Zone Resilient | Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
| [Preview]: Load Balancers should be Zone Resilient | Load Balancers with a SKU other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
| [Preview]: NAT gateway should be Zone Aligned | NAT gateway can be configured to be Zone Aligned or not. A NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that a NAT gateway is configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
| [Preview]: Public IP addresses should be Zone Resilient | Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array, are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array, are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.1.0-preview |
| [Preview]: Public IP Prefixes should be Zone Resilient | Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
| [Preview]: Virtual network gateways should be Zone Redundant | Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
| A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths: https://aka.ms/AA62kb0 | Audit, Disabled | 1.0.0 |
| All flow log resources should be in enabled state | Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows you to log information about IP traffic flow. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
| Audit flow logs configuration for every virtual network | Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows you to log information about IP traffic flowing through the virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
| Azure Application Gateway should be deployed with Azure WAF | Requires Azure Application Gateway resources to be deployed with Azure WAF. | Audit, Deny, Disabled | 1.0.0 |
| Azure Application Gateway should have Resource logs enabled | Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Firewall Classic Rules should be migrated to Firewall Policy | Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. | Audit, Deny, Disabled | 1.0.0 |
| Azure Firewall Policy Analytics should be Enabled | Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance. | Audit, Disabled | 1.0.0 |
| Azure Firewall Policy should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
| Azure Firewall Policy should have DNS Proxy Enabled | Enabling DNS Proxy makes the Azure Firewall associated with this policy listen on port 53 and forward DNS requests to the specified DNS server. | Audit, Disabled | 1.0.0 |
| Azure Firewall should be deployed to span multiple Availability Zones | For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. | Audit, Deny, Disabled | 1.0.0 |
| Azure Firewall Standard - Classic Rules should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
| Azure Firewall Standard should be upgraded to Premium for next generation protection | If you are looking for next generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to the Premium SKU. | Audit, Deny, Disabled | 1.0.0 |
| Azure Front Door should have Resource logs enabled | Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use the 'basic' SKU. | Audit, Disabled | 1.0.0 |
| Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated with Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
| Bot Protection should be enabled for Azure Application Gateway WAF | This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies. | Audit, Deny, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for blob groupID | Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for blob_secondary groupID | Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for dfs groupID | Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for dfs_secondary groupID | Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for file groupID | Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for queue groupID | Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for queue_secondary groupID | Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for table groupID | Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for table_secondary groupID | Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for web groupID | Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure a private DNS Zone ID for web_secondary groupID | Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Azure Automation accounts with private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. You need a properly configured private DNS zone to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Cache for Redis to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Cognitive Search services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Cognitive Search service. Learn more at: https://docs.azure.cn/search/service-create-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://docs.azure.cn/databricks/administration-guide/cloud-configurations/azure/private-link-standard#create-the-workspace-and-private-endpoints-in-the-azure-portal-ui. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | DeployIfNotExists, Disabled | 1.1.0 |
| Configure Azure HDInsight clusters to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://docs.azure.cn/hdinsight/hdinsight-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://docs.azure.cn/key-vault/general/private-link-service. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.azure.cn/machine-learning/how-to-network-security-overview. | DeployIfNotExists, Disabled | 1.1.0 |
| Configure Azure Media Services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://docs.azure.cn/media-services/latest/security-private-endpoint-concept. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Media Services with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/media-services/latest/security-private-endpoint-concept. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Migrate resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Monitor Private Link Scope to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Synapse workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. | DeployIfNotExists, Disabled | 2.0.0 |
| Configure Azure Virtual Desktop hostpool resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Virtual Desktop workspace resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Cognitive Services accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://docs.azure.cn/cognitive-services/cognitive-services-virtual-networks. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns and https://docs.azure.cn/container-registry/container-registry-private-link. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 2.0.0 |
| Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace | Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure disk access resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://docs.azure.cn/virtual-machines/disks-enable-private-links-for-import-export-portal. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Event Hub namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.azure.cn/event-hubs/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure IoT Hub device provisioning instances to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://docs.azure.cn/iot-dps/virtual-network-support. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for the network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
| Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If a network security group already has traffic analytics enabled, this policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
| Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://docs.azure.cn/azure-app-configuration/concept-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure private DNS zones for private endpoints that connect to Azure Data Factory | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.azure.cn/data-factory/data-factory-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Private Link for Azure AD to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://docs.azure.cn/private-link/private-link-overview. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Service Bus namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.azure.cn/service-bus-messaging/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure virtual network to enable Flow Log and Traffic Analytics | Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current settings for virtual networks that already have these features enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.1 |
| Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, this policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.2 |
| Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | deployIfNotExists, DeployIfNotExists, Disabled | 1.1.0 |
| Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | deployIfNotExists, DeployIfNotExists, Disabled | 1.1.0 |
| Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
| Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://docs.azure.cn/azure-signalr/howto-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.azure.cn/batch/private-connectivity. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group. It allows you to log information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | deployIfNotExists | 1.1.0 |
| Deploy a Flow Log resource with target virtual network | Configures a flow log for a specific virtual network. It allows you to log information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | DeployIfNotExists, Disabled | 1.1.1 |
| Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | deployIfNotExists | 2.0.1 |
| Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure the existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 |
| Flow logs should be configured for every network security group | Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows you to log information about IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.1.0 |
| Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
| Migrate WAF from WAF Config to WAF Policy on Application Gateway | If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. | Audit, Deny, Disabled | 1.0.0 |
| Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. | deny | 1.0.0 |
| Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | deny | 1.0.0 |
| Network Watcher flow logs should have traffic analytics enabled | Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. | Audit, Disabled | 1.0.1 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. A network watcher resource group must exist in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Public IPs and Public IP prefixes should have FirstPartyUsage tag | Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. | Audit, Deny, Disabled | 1.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Subnets should be private | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://docs.azure.cn/virtual-network/ip-services/default-outbound-access | Audit, Deny, Disabled | 1.0.0 |
| Virtual Hubs should be protected with Azure Firewall | Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
| Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 |
| VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.azure.cn/vpn-gateway/openvpn-azure-ad-tenant | Audit, Deny, Disabled | 1.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, Cross-Site Scripting, and local and remote file execution. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
| Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Audit, Deny, Disabled | 1.0.0 |
| Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Audit, Deny, Disabled | 1.0.0 |
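
The [Preview] zone rows above all hinge on the same small rule set: exactly one entry in a resource's zones array means Zone Aligned, three or more means Zone Redundant, anything else (no zones, or two) is neither; Public IPs only count when they are Regional; virtual network gateways are Zone Redundant only when the SKU name or tier ends in 'AZ'; NAT gateways must be Aligned, not Redundant; and non-Basic load balancers inherit from their frontend Public IPs. The script below is an added example that applies those rules offline to ARM-shaped resource JSON (the shape `az resource show` returns). It is not the source of the built-in definitions and not Microsoft's code; every resource in it is constructed for the example, and the rule that a load balancer with several frontends takes the weakest frontend's result is an assumption, since the description only says the load balancer "inherits" from its frontends.

```python
"""Zone-resilience classification following the [Preview] zone policy descriptions.
Added example, not the built-in definitions' source. Sample resources are constructed."""
from __future__ import annotations

ALIGNED, REDUNDANT, NEITHER = "Zone Aligned", "Zone Redundant", "neither"


def classify_zones(resource: dict) -> str:
    """Rule shared by Application Gateway, Firewall and Public IP Prefix:
    exactly one zone entry = Zone Aligned, three or more = Zone Redundant."""
    zones = resource.get("zones") or []
    if len(zones) == 1:
        return ALIGNED
    if len(zones) >= 3:
        return REDUNDANT
    return NEITHER  # no zones at all, or only two


def classify_public_ip(pip: dict) -> str:
    """Only Regional-tier Public IPs can be Zone Aligned or Zone Redundant."""
    if pip.get("sku", {}).get("tier", "Regional") != "Regional":
        return NEITHER
    return classify_zones(pip)


def classify_vnet_gateway(gw: dict) -> str:
    """Virtual network gateways are Zone Redundant only if the SKU name or tier ends in 'AZ'."""
    sku = gw.get("properties", {}).get("sku", {})
    return REDUNDANT if any(str(sku.get(k, "")).endswith("AZ") for k in ("name", "tier")) else NEITHER


def classify_load_balancer(lb: dict, pips_by_id: dict[str, dict]) -> str:
    """Non-Basic load balancers inherit resilience from their frontend Public IPs.
    Assumption (not stated in the policy text): the weakest frontend decides."""
    if lb.get("sku", {}).get("name", "Basic") == "Basic":
        return NEITHER
    results = set()
    for fe in lb.get("properties", {}).get("frontendIPConfigurations", []):
        pip_id = fe.get("properties", {}).get("publicIPAddress", {}).get("id", "").lower()
        results.add(classify_public_ip(pips_by_id.get(pip_id, {})))
    if not results or NEITHER in results:
        return NEITHER
    return ALIGNED if ALIGNED in results else REDUNDANT


def evaluate(resources: list[dict]) -> dict[str, bool]:
    """Resource name -> True when compliant with the zone policy for its type."""
    pips = {r["id"].lower(): r for r in resources if r["type"] == "Microsoft.Network/publicIPAddresses"}
    verdict = {}
    for r in resources:
        t = r["type"].split("/")[-1]
        if t in ("applicationGateways", "azureFirewalls", "publicIPPrefixes"):
            ok = classify_zones(r) != NEITHER           # "should be Zone Resilient"
        elif t == "publicIPAddresses":
            ok = classify_public_ip(r) != NEITHER
        elif t == "natGateways":
            ok = classify_zones(r) == ALIGNED           # "should be Zone Aligned": one zone only
        elif t == "virtualNetworkGateways":
            ok = classify_vnet_gateway(r) == REDUNDANT  # "should be Zone Redundant"
        elif t == "loadBalancers":
            ok = classify_load_balancer(r, pips) != NEITHER
        else:
            continue
        verdict[r["name"]] = ok
    return verdict


# Constructed sample inventory (not real resources), shaped like ARM resource JSON.
SAMPLE = [
    {"id": "/pip/pip-zr", "name": "pip-zr", "type": "Microsoft.Network/publicIPAddresses",
     "sku": {"name": "Standard", "tier": "Regional"}, "zones": ["1", "2", "3"]},
    {"id": "/pip/pip-none", "name": "pip-none", "type": "Microsoft.Network/publicIPAddresses",
     "sku": {"name": "Standard", "tier": "Regional"}},
    {"id": "/pip/pip-global", "name": "pip-global", "type": "Microsoft.Network/publicIPAddresses",
     "sku": {"name": "Standard", "tier": "Global"}, "zones": ["1", "2", "3"]},
    {"id": "/agw/agw-two", "name": "agw-two", "type": "Microsoft.Network/applicationGateways",
     "zones": ["1", "2"]},  # two zones: neither aligned nor redundant
    {"id": "/nat/nat-3z", "name": "nat-3z", "type": "Microsoft.Network/natGateways",
     "zones": ["1", "2", "3"]},  # NAT gateway must be single-zone to comply
    {"id": "/nat/nat-1z", "name": "nat-1z", "type": "Microsoft.Network/natGateways", "zones": ["2"]},
    {"id": "/vng/vng-az", "name": "vng-az", "type": "Microsoft.Network/virtualNetworkGateways",
     "properties": {"sku": {"name": "VpnGw2AZ", "tier": "VpnGw2AZ"}}},
    {"id": "/vng/vng-plain", "name": "vng-plain", "type": "Microsoft.Network/virtualNetworkGateways",
     "properties": {"sku": {"name": "VpnGw2", "tier": "VpnGw2"}}},
    {"id": "/lb/lb-std", "name": "lb-std", "type": "Microsoft.Network/loadBalancers",
     "sku": {"name": "Standard"},
     "properties": {"frontendIPConfigurations": [{"properties": {"publicIPAddress": {"id": "/pip/pip-zr"}}}]}},
    {"id": "/lb/lb-weak", "name": "lb-weak", "type": "Microsoft.Network/loadBalancers",
     "sku": {"name": "Standard"},
     "properties": {"frontendIPConfigurations": [{"properties": {"publicIPAddress": {"id": "/pip/pip-none"}}}]}},
]

if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE).items():
        print(f"{name:10} {'Compliant' if ok else 'Non-compliant'}")
```

Two results are worth noticing before assigning these policies with Deny: an Application Gateway pinned to two zones is non-compliant even though it survives a single-zone loss, and a NAT gateway spread across three zones is non-compliant because the NAT gateway policy requires Zone Aligned (exactly one zone), the opposite of what the other rows ask for.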

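The NIC, subnet, flow-log and Network Watcher rows in the table are simple property checks, but the interaction between them is easy to get wrong: 'Gateway subnets should not be configured with a network security group' denies an NSG on the gateway subnet while 'Subnets should be associated with a Network Security Group' audits subnets without one, 'All flow log resources should be in enabled state' is satisfied by a flow log that exists but is switched off only if you forget to look at its enabled flag, and 'Network Watcher should be enabled' is a per-region check against the regions that actually host virtual networks. The script below is an added example (not Microsoft's policy source) that evaluates those checks offline on ARM-shaped JSON. All resources in it are constructed. Two assumptions are labelled in the code: the gateway subnet is identified by Azure's required name GatewaySubnet, and GatewaySubnet is treated as exempt from the NSG-required audit so that the two subnet rules cannot contradict each other.

```python
"""Offline evaluation of the NIC, subnet, flow-log and Network Watcher rules in the table.
Added example, not the built-in definitions' source. Every resource below is constructed."""
from __future__ import annotations

# Azure requires this exact name for a VPN/ExpressRoute gateway subnet. Matching on the
# name is this example's assumption about how the gateway-subnet rule finds its target.
GATEWAY_SUBNET = "GatewaySubnet"


def nic_findings(nic: dict) -> list[str]:
    """Conditions the two NIC 'deny' policies would block on a network interface."""
    props = nic.get("properties", {})
    found = []
    if props.get("enableIPForwarding") is True:
        # IP forwarding switches off Azure's source/destination check for the NIC.
        found.append("deny: IP forwarding enabled")
    if any("publicIPAddress" in cfg.get("properties", {})
           for cfg in props.get("ipConfigurations", [])):
        found.append("deny: public IP attached to NIC")
    return found


def subnet_findings(subnet: dict) -> list[str]:
    """NSG association, GatewaySubnet and default-outbound-access checks for one subnet."""
    props = subnet.get("properties", {})
    has_nsg = "networkSecurityGroup" in props
    found = []
    if subnet["name"] == GATEWAY_SUBNET:
        if has_nsg:
            found.append("deny: NSG attached to GatewaySubnet (breaks the gateway)")
    elif not has_nsg:
        # Assumption: GatewaySubnet is exempt here, otherwise no setting could satisfy both rules.
        found.append("audit: subnet has no NSG")
    # A subnet is only "private" when defaultOutboundAccess is explicitly false.
    if props.get("defaultOutboundAccess", True) is not False:
        found.append("audit: default outbound access enabled")
    return found


def flow_log_state(nsgs: list[dict], flow_logs: list[dict]) -> dict[str, str]:
    """NSG id -> 'enabled', 'disabled' (a flow log exists but is off) or 'missing'."""
    by_target: dict[str, set[bool]] = {}
    for fl in flow_logs:
        p = fl["properties"]
        # Resource ids are case-insensitive in ARM, so normalise before joining.
        by_target.setdefault(p["targetResourceId"].lower(), set()).add(bool(p.get("enabled", False)))
    state = {}
    for nsg in nsgs:
        flags = by_target.get(nsg["id"].lower())
        state[nsg["id"]] = "missing" if flags is None else ("enabled" if True in flags else "disabled")
    return state


def network_watcher_gaps(vnets: list[dict], watchers: list[dict]) -> set[str]:
    """Regions that host a virtual network but have no Network Watcher instance."""
    return {v["location"].lower() for v in vnets} - {w["location"].lower() for w in watchers}


# Constructed sample inventory (not real resources).
NIC_BAD = {"name": "nic-nva", "properties": {"enableIPForwarding": True, "ipConfigurations": [
    {"properties": {"publicIPAddress": {"id": "/pip/nva-pip"}}}]}}
NIC_OK = {"name": "nic-app", "properties": {"enableIPForwarding": False, "ipConfigurations": [
    {"properties": {"privateIPAddress": "10.0.1.4"}}]}}
SUBNETS = [
    {"name": "GatewaySubnet", "properties": {"networkSecurityGroup": {"id": "/nsg/bad"}}},
    {"name": "app", "properties": {"networkSecurityGroup": {"id": "/nsg/app"}, "defaultOutboundAccess": False}},
    {"name": "data", "properties": {}},
]
NSGS = [{"id": "/nsg/app"}, {"id": "/nsg/bad"}, {"id": "/nsg/db"}]
FLOW_LOGS = [
    {"properties": {"targetResourceId": "/NSG/app", "enabled": True}},
    {"properties": {"targetResourceId": "/nsg/bad", "enabled": False}},
]
VNETS = [{"location": "eastus"}, {"location": "westeurope"}]
WATCHERS = [{"location": "EastUS"}]


def run_checks() -> dict:
    """Run every check over the constructed inventory and return the findings."""
    return {
        "nics": {n["name"]: nic_findings(n) for n in (NIC_BAD, NIC_OK)},
        "subnets": {s["name"]: subnet_findings(s) for s in SUBNETS},
        "flow_logs": flow_log_state(NSGS, FLOW_LOGS),
        "watcher_gaps": network_watcher_gaps(VNETS, WATCHERS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(), indent=2, default=sorted))
```

Keep the effect semantics in mind when reading the findings: the rows whose only effect is `deny` (IP forwarding, public IPs on NICs, NSG on the gateway subnet) block the ARM write that would create the condition but do nothing to resources that already violate it, so an evaluator like this one, or the compliance view of an assignment, is still needed to find the pre-existing cases.
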
Next steps