Azure Policy built-in samples for virtual network

The following tables include links to Azure Policy samples. The samples are found in the Azure Policy samples repository.

Network

| Name | Description | Effect(s) | Version | Source |
|---|---|---|---|---|
| A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths: https://aka.ms/AA62kb0 | Audit, Disabled | 1.0.0 | GitHub |
| App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | GitHub |
| Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use the 'basic' SKU. | Audit, Disabled | 1.0.0 | GitHub |
| Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview | GitHub |
| Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 | GitHub |
| Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure the existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 | GitHub |
| Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | GitHub |
| Gateway subnets should not be configured with a network security group | This policy denies the request if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 | GitHub |
| Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 | GitHub |
| Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. | deny | 1.0.0 | GitHub |
| Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | deny | 1.0.0 | GitHub |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems from an end-to-end network-level view. The network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. | auditIfNotExists | 1.0.0 | GitHub |
| RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from the Internet. | Audit, Disabled | 1.0.0 | GitHub |
| Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | GitHub |
| SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | GitHub |
| SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from the Internet. | Audit, Disabled | 1.0.0 | GitHub |
| Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 | GitHub |
| Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 | GitHub |
| Virtual networks should use specified virtual network gateway | This policy audits any virtual network whose default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 | GitHub |

Tags

| Name | Description | Effect(s) | Version | Source |
|---|---|---|---|---|
| Append tag and its default value | Appends the specified tag and value when any resource that is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 | GitHub |
| Append tag and its default value to resource groups | Appends the specified tag and value when any resource group that is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 | GitHub |
| Append tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource that is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 | GitHub |
| Require specified tag | Enforces the existence of a tag. Does not apply to resource groups. | deny | 1.0.0 | GitHub |
| Require specified tag on resource groups | Enforces the existence of a tag on resource groups. | deny | 1.0.0 | GitHub |
| Require tag and its value | Enforces a required tag and its value. Does not apply to resource groups. | deny | 1.0.0 | GitHub |
| Require tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 | GitHub |

General

| Name | Description | Effect(s) | Version | Source |
|---|---|---|---|---|
| Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use it to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | deny | 1.0.0 | GitHub |
| Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use it to enforce your geo-compliance requirements. | deny | 1.0.0 | GitHub |
| Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources, duplicate this policy and change the 'mode' to 'All'. | deny | 1.0.0 | GitHub |
| Audit resource location matches resource group location | Audits that the resource location matches its resource group location. | audit | 1.0.0 | GitHub |
| Audit usage of custom RBAC rules | Audits the use of built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 | GitHub |
| Custom subscription owner roles should not exist | This policy ensures that no custom subscription owner roles exist. | Audit, Disabled | 1.0.0 | GitHub |
| Not allowed resource types | This policy enables you to specify the resource types that your organization cannot deploy. | Deny | 1.0.0 | GitHub |