| 1 | +--- |
| 2 | +title: Prevent overlapping VNet address spaces using Azure Policy and IPAM |
| 3 | +description: |
| 4 | +author: mbender-ms |
| 5 | +ms.author: mbender |
| 6 | +ms.service: azure-virtual-network-manager |
| 7 | +ms.topic: concept-article |
| 8 | +ms.date: 03/10/2023 |
| 9 | +ms.custom: template-concept |
| 10 | +--- |
| 11 | + |
| 12 | +# Prevent overlapping VNet address spaces using Azure Policy and IPAM |
| 13 | + |
| 14 | +Azure Virtual Network Manager helps you centrally manage virtual networks (VNets) across your organization. While it provides governance for VNets, it doesn't automatically prevent overlapping address spaces during VNet creation or updates. You can enforce non-overlapping address spaces by combining Azure Policy with IP Address Management (IPAM) pools, ensuring network connectivity without IP conflicts in your environment. |
| 15 | + |
| 16 | + The following sample Azure policy definition ensures that any virtual network (Microsoft.Network/virtualNetworks) must have at least one IPAM pool prefix allocation from one of the two specified pools. If a virtual network lacks an allocation from either pool, the policy denies the deployment or update of that resource. This enforces VNets with only non-overlapped CIDRs can be created in the scope of this policy definition. |
| 17 | + |
| 18 | +so the tutorial shows the policy definition |
| 19 | + |
| 20 | +once this policy definition is applied to an Azure policy scope like subscription/management group, then it's enforced on the scope |
| 21 | + |
| 22 | + |
| 23 | +```json |
| 24 | +"mode": "All", |
| 25 | + |
| 26 | + "parameters": {}, |
| 27 | + |
| 28 | + "policyRule": { |
| 29 | + |
| 30 | + "if": { |
| 31 | + |
| 32 | + "allOf": [ |
| 33 | + |
| 34 | + { |
| 35 | + |
| 36 | + "field": "type", |
| 37 | + |
| 38 | + "equals": "Microsoft.Network/virtualNetworks" |
| 39 | + |
| 40 | + } |
| 41 | + |
| 42 | + { |
| 43 | + |
| 44 | + "not": { |
| 45 | + |
| 46 | + "anyOf": [ |
| 47 | + |
| 48 | + { |
| 49 | + |
| 50 | + "field": "Microsoft.Network/virtualnetworks/addressSpace.ipamPoolPrefixAllocations[*].pool.id", |
| 51 | + |
| 52 | + "equals": "/subscriptions/c9295b92-3574-4021-95a1-26c8f74f8359/resourceGroups/ipam-test-rg/providers/Microsoft.Network/networkManagers/ipam-test-nm/ipamPools/paigePolicyTestPool2" |
| 53 | + |
| 54 | + }, |
| 55 | + |
| 56 | + { |
| 57 | + |
| 58 | + "field": "Microsoft.Network/virtualnetworks/addressSpace.ipamPoolPrefixAllocations[*].pool.id", |
| 59 | + |
| 60 | + "equals": "/subscriptions/c9295b92-3574-4021-95a1-26c8f74f8359/resourceGroups/ipam-test-rg/providers/Microsoft.Network/networkManagers/ipam-test-nm/ipamPools/paigePolicyTestPool3" |
| 61 | + |
| 62 | + } |
| 63 | + |
| 64 | + ] |
| 65 | + |
| 66 | + } |
| 67 | + |
| 68 | + } |
| 69 | + |
| 70 | + ] |
| 71 | + |
| 72 | + }, |
| 73 | + |
| 74 | + "then": { |
| 75 | + |
| 76 | + "effect": "deny" |
| 77 | + |
| 78 | + } |
| 79 | + |
| 80 | + } |
| 81 | +``` |
| 82 | + |
| 83 | +This Azure Policy blocks the creation or update of a virtual network unless it includes an IPAM pool allocation from one of two approved pools. It works as follows: |
| 84 | + |
| 85 | +Resource Check: It applies only to virtual networks (Microsoft.Network/virtualNetworks). |
| 86 | + |
| 87 | +Pool Allocation Check: It verifies if the virtual network has an IPAM pool allocation from either: |
| 88 | + |
| 89 | +paigePolicyTestPool2, or |
| 90 | + |
| 91 | +paigePolicyTestPool3. |
| 92 | + |
| 93 | +Enforcement: If neither allocation is present, the policy denies the action. And in order to have pool allocation, IP prefixes must be non-overlapped within the pool, as such no VNets with overlapped prefixes can be created. |
| 94 | + |
| 95 | +## Next steps |
| 96 | +- [Create a virtual network using Azure CLI](../quickstart-create-vnet-cli.md) |
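Review bot: The sample policy definition at new-file lines 24-81 does not parse as JSON: the first `allOf` element closes with `}` at line 40 and the second opens with `{` at line 42 with no comma between them, and the fragment has no enclosing braces around `mode`, `parameters` and `policyRule`, so anyone pasting it into a definition gets a syntax error before anything is enforced. Add the comma and either show the complete definition object or say explicitly that this is the body of one. The two `pool.id` values at lines 52 and 60 embed a concrete subscription GUID, a test resource group (`ipam-test-rg`) and test pool names (`paigePolicyTestPool2`, `paigePolicyTestPool3`); for published docs these should be placeholders such as `<subscription-id>` and `<pool-name>`, and ideally the approved pool IDs should move into `parameters` as an array checked with `in`, so the `policyRule` is reusable without hand-editing and the doc does not leak real-looking identifiers. Lines 16 and 83 describe the intent as "at least one IPAM pool prefix allocation" from an approved pool, but the rule expresses it as `not`/`anyOf` over `[*]` field conditions, which have their own array evaluation rules; Azure Policy's `count` expression (`count` over `addressSpace.ipamPoolPrefixAllocations[*]` with a `where` clause on `pool.id`, then `greater: 0`) states "at least one matching element" directly, so either rewrite the condition that way or document how the current construction evaluates on a VNet with several allocations. Lines 16 and 93 also claim that the policy means no VNet with overlapping prefixes can be created, but the rule only requires one allocation from an approved pool: a VNet carrying one allocated prefix plus additional statically assigned prefixes passes, and those extra prefixes are not governed by the pool, so that caveat should be stated or the rule tightened. Finally, the `description:` front matter at line 3 is empty and lines 18 and 20 ("so the tutorial shows the policy definition", "once this policy definition is applied ...") read as draft notes rather than finished prose; please fill in the description and fold those sentences into the paragraph above before merge.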