我有同样的问题,我解决了如下:
{
"policyType": "Custom",
"mode": "All",
"displayName": "check_default_route_gateway_plus_default",
"policyRule": {
"if": {
"count": {
"field": "Microsoft.Network/routeTables/routes[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[parameters('DefaultGW')]"
},
{
"field": "Microsoft.Network/routeTables/routes[*].name",
"equals": "DEFAULT"
},
{
"field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
"equals": "0.0.0.0/0"
}
]
}
},
"notEquals": 1
},
"then": {
"effect": "deny"
}
},
"parameters": {
"DefaultGW": {
"type": "String",
"metadata": {
"displayName": "Default Gateway IP",
"description": "The default Gateway IP. It correspond to the Proxy IP"
},
"defaultValue": "PUT_HERE_THE_IP_OF_YOUR_APPLIANCE"
}
}
}
此策略将失败,因为没有使用指向您的设备DEFAULT
的 addressPrefix调用默认路由。0.0.0.0/0
我花了一些时间才到达它,因为逻辑与我的预期行为相反。该策略在其表达式被评估为true时触发,而我认为它会触发然后评估为false。
实现它的一大帮助来自 VSCode 插件Azure Policy,您可以在其中交互式测试您的策略,而无需等待云延迟。
此外https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure对于查看所有策略结构很有用。