Azure Policy built-in definitions for Azure Virtual Network

This page is an index of Azure Policy built-in policy definitions for Azure Virtual Network. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo. When choosing an effect, keep in mind that Audit and AuditIfNotExists only report non-compliance, Deny rejects the request at deployment time, and DeployIfNotExists and Modify change resources, so an assignment that uses them needs a managed identity with the required role before a remediation task can run.

Azure Virtual Network

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths: https://docs.azure.cn/vpn-gateway/vpn-gateway-about-compliance-crypto#what-are-the-algorithms-and-key-strengths-supported-in-the-custom-policy | Audit, Disabled | 1.0.0 |
| App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use the 'basic' SKU. | Audit, Disabled | 1.0.0 |
| [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
| Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Deploy a flow log resource with target network security group | Configures flow logs for a specific network security group. Flow logs record information about the IP traffic flowing through a network security group, which helps identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | DeployIfNotExists | 1.0.0 |
| Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure that a resource group named networkWatcherRG exists; it is used to deploy the network watcher instances. | DeployIfNotExists | 1.0.0 |
| Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Flow logs should be configured for every network security group | Audits network security groups to verify that flow logs are configured. Enabling flow logs records information about IP traffic flowing through a network security group, which can be used to optimize network flows, monitor throughput, verify compliance, detect intrusions, and more. | Audit, Disabled | 1.1.0 |
| Flow logs should be enabled for every network security group | Audits flow log resources to verify that the flow log status is enabled. Enabling flow logs records information about IP traffic flowing through a network security group, which can be used to optimize network flows, monitor throughput, verify compliance, detect intrusions, and more. | Audit, Disabled | 1.0.0 |
| Gateway subnets should not be configured with a network security group | This policy denies a gateway subnet that is configured with a network security group. Assigning a network security group to a gateway subnet causes the gateway to stop functioning. | Deny | 1.0.0 |
| Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination of traffic for a network interface. This should be reviewed by the network security team. | Deny | 1.0.0 |
| Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow Internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the Internet. This should be reviewed by the network security team. | Deny | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end, network-level view. The network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insight into your network in Azure. | AuditIfNotExists, Disabled | 2.0.0 |
| RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from the Internet. | Audit, Disabled | 2.0.0 |
| Service Bus should use a virtual network service endpoint | This policy audits any Service Bus namespace not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from the Internet. | Audit, Disabled | 2.0.0 |
| Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
| Virtual networks should be protected by Azure DDoS Protection Standard | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify, Audit, Disabled | 1.0.0 |
| Virtual networks should use specified virtual network gateway | This policy audits any virtual network whose default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 |
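The two audits "RDP access from the Internet should be blocked" and "SSH access from the Internet should be blocked" only report after a rule already exists. A practitioner who wants the same check before deployment, for example in a pipeline that lints exported network security groups, can run an offline version of it. The script below is an added example, not the built-in definitions themselves: the exact conditions those definitions evaluate live in the Azure Policy GitHub repo, and the matching rules here (which source prefixes count as "Internet", which protocols and port ranges count as exposing tcp/22 or tcp/3389) are this example's own assumptions. The sample network security group is constructed for the example, and the parser accepts both the ARM template shape (`properties.securityRules[]`) and the flattened shape that `az network nsg show -o json` prints.

```python
"""Offline pre-check mirroring the intent of the 'RDP/SSH access from the
Internet should be blocked' audits.  Added example code; the matching rules
below are assumptions, not the built-in definitions' conditions."""
import ipaddress

# Source prefixes Azure treats as "anywhere" (assumption: compared case-insensitively).
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}
WATCHED_PORTS = {22: "SSH", 3389: "RDP"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def _is_private(net) -> bool:
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def _source_is_internet(props: dict) -> bool:
    """True if any source prefix is a wildcard or a non-private IP range.
    Service tags (VirtualNetwork, AzureLoadBalancer, ...) do not parse as
    networks and are not treated as Internet sources."""
    prefixes = list(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        prefixes.append(props["sourceAddressPrefix"])
    for p in prefixes:
        p = str(p).strip()
        if p.lower() in INTERNET_SOURCES:
            return True
        try:
            net = ipaddress.ip_network(p, strict=False)
        except ValueError:
            continue  # service tag, not an address range
        if not _is_private(net):
            return True
    return False


def _watched_ports(props: dict) -> set:
    """Expand destinationPortRange(s) such as '22', '3000-4000' or '*' to the
    watched ports they cover."""
    ranges = list(props.get("destinationPortRanges") or [])
    if props.get("destinationPortRange"):
        ranges.append(props["destinationPortRange"])
    hit = set()
    for r in ranges:
        r = str(r).strip()
        if r == "*":
            return set(WATCHED_PORTS)
        lo, _, hi = r.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        hit.update(p for p in WATCHED_PORTS if lo_i <= p <= hi_i)
    return hit


def internet_exposed_rules(nsg: dict) -> list:
    """Return (rule name, service, port) for each inbound Allow rule whose
    source is Internet-facing and whose destination covers SSH or RDP.
    Each rule is judged on its own: a higher-priority Deny rule does not
    suppress a finding, so findings must be reviewed in context."""
    rules = nsg.get("securityRules") or nsg.get("properties", {}).get("securityRules", [])
    findings = []
    for rule in rules:
        props = rule.get("properties", rule)  # ARM shape or flattened CLI shape
        if props.get("direction") != "Inbound" or props.get("access") != "Allow":
            continue
        if str(props.get("protocol", "*")).lower() not in ("*", "tcp"):
            continue
        if not _source_is_internet(props):
            continue
        for port in sorted(_watched_ports(props)):
            findings.append((rule["name"], WATCHED_PORTS[port], port))
    return findings


# Constructed sample NSG for the example, not an export from a real subscription.
SAMPLE_NSG = {
    "name": "web-nsg",
    "properties": {"securityRules": [
        {"name": "allow-ssh-anywhere", "properties": {
            "priority": 100, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "*",
            "destinationPortRange": "22"}},
        {"name": "allow-rdp-corp", "properties": {
            "priority": 110, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/16",
            "destinationPortRange": "3389"}},
        {"name": "allow-mgmt-range", "properties": {
            "priority": 120, "direction": "Inbound", "access": "Allow",
            "protocol": "*", "sourceAddressPrefixes": ["Internet"],
            "destinationPortRanges": ["3000-4000", "80"]}},
        {"name": "deny-all-in", "properties": {
            "priority": 4000, "direction": "Inbound", "access": "Deny",
            "protocol": "*", "sourceAddressPrefix": "*",
            "destinationPortRange": "*"}},
    ]},
}

if __name__ == "__main__":
    for name, service, port in internet_exposed_rules(SAMPLE_NSG):
        print(f"{name}: allows {service} (tcp/{port}) from the Internet")
```

On the sample, `allow-ssh-anywhere` is flagged for SSH and `allow-mgmt-range` for RDP, because its 3000-4000 range covers 3389 and `Internet` is a wildcard source; `allow-rdp-corp` is not flagged because its source is an RFC 1918 range. The trailing `deny-all-in` rule has no effect on the result, which is the same blind spot a per-rule audit has: an allow rule that is shadowed by a higher-priority deny still shows up, so a finding is a prompt to look at the whole rule set, not proof of exposure.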

Tags

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Modify | 1.0.0 |
| Add a tag to resources | Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. | Modify | 1.0.0 |
| Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Modify | 1.0.0 |
| Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | Modify | 1.0.0 |
| Add or replace a tag on resources | Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. | Modify | 1.0.0 |
| Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Modify | 1.0.0 |
| Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | Append | 1.0.0 |
| Append a tag and its value to resource groups | Appends the specified tag and value when any resource group missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | Append | 1.0.0 |
| Append a tag and its value to resources | Appends the specified tag and value when any resource missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | Append | 1.0.1 |
| Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Modify | 1.0.0 |
| Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Modify | 1.0.0 |
| Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Modify | 1.0.0 |
| Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Modify | 1.0.0 |
| Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | Deny | 1.0.0 |
| Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | Deny | 1.0.1 |
| Require a tag on resource groups | Enforces the existence of a tag on resource groups. | Deny | 1.0.0 |
| Require a tag on resources | Enforces the existence of a tag. Does not apply to resource groups. | Deny | 1.0.1 |

General

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use it to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | Deny | 1.0.0 |
| Allowed locations for resource groups | This policy enables you to restrict the locations in which your organization can create resource groups. Use it to enforce your geo-compliance requirements. | Deny | 1.0.0 |
| Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' are affected by this policy. To restrict all resources, duplicate this policy and change the 'mode' to 'All'. | Deny | 1.0.0 |
| Audit resource location matches resource group location | Audits that the resource location matches its resource group location. | Audit | 2.0.0 |
| Audit usage of custom RBAC rules | Audits for the use of built-in roles such as 'Owner', 'Contributor' and 'Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Custom subscription owner roles should not exist | This policy ensures that no custom subscription owner roles exist. | Audit, Disabled | 2.0.0 |
| Not allowed resource types | Restricts which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. | Audit, Deny, Disabled | 2.0.0 |

Next steps