AddExclusionListToPolicy #1731
Merged
AddExclusionListToPolicy #1731
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@Springstone please fix this for me :-) |
Springstone
requested changes
Aug 19, 2024
There was a problem hiding this comment.
Great contribution. Couple of small things, and please can you also update "Whatsnew.md" in the wiki under the Policy Refresh section to include a short description on what you changed.
Once you've changed the policy version, please re-run the policy build script.
src/resources/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub.json
Outdated
Show resolved
Hide resolved
|
@Springstone - I have added the changes to the parameters as requested and updated the Whats New page and run the build command again. |
Springstone
added
the
PR: Safe to test 🧪
Springstone
approved these changes
Aug 21, 2024
jtracey93
approved these changes
Aug 27, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview/Summary
The pull request being submitted is for a policy update to Deny vNet peering to other subscriptions, this update includes a new parameter to allow for vnets in other subscriptions.
This PR fixes/adds/changes/removes
Breaking Changes
Testing Evidence
I carried out tests in my test subscription with 4 vnets, 2 were in the same subscription and the other 2 were in another subscription. vNet 1 & 3 sit in Subscription 1 and vNet 2 & 4 sit in Subscription 2. Both subscription sit under the bex19 management group scope.
Here you will see the policy has been assigned to the bex19 management group scope, this is where the vnets also sit.
You can then see the parameters I have passed in the policy for vNet 1 & 2 to be allowed to peer, you can see the subscription ID is different in the screenshot:
Here I am trying to create a peering between vNet 3 & 4, you will see it fails as neither of the vNets are in the allowed list and they are both in different subscriptions:
Here I have created a peering between vNet 1 & 3, you will see it is successful as they are both in the same subscription:
Here I have created a peering between vNet 2 & 4, you will see it is successful as they are both in the same subscription:
Here I have created a peering between vNet 1 & 2, you will see it is successful as they are both in the allowed list:
Here I am trying to create a peering between vNet 1 & 4, you will see it fails because only vNet 1 is in the allowed list and vNet 4 isn't, so it is only allowing the peering one way:
The below URLs can be updated where the placeholders are, look for
BeckysBranchALZ-07-08-24&BeckysBranchALZ-07-08-24, to allow you to test your portal deployment experience.Azure Public
As part of this Pull Request I have
mainbranch/docs/wiki/whats-new.md)