Because somebody asked me “how do I monitor resources with a public IP address in Azure?”, I started to look into Azure Resource Policy.

After looking into different possibilities, it seems to me that Azure Resource Policy is the best option to fit my requirements. Please note that Azure Resource Policy is still in public preview! Because of its added value, this is one of those public previews to consider for your Azure environment.

To declare your custom policy, all you have to do is write a small piece of JSON.
The JSON tells Azure Resource Policy what to do when a resource with a public IP is created in your subscription.

[Image: Azure Policy JSON definition]

To only monitor, I chose the “audit” effect; when creating a public IP in your subscription is not allowed at all, the effect must be set to “deny”.

If necessary, it’s possible to exclude a resource group from this policy.
With a few lines of PowerShell it’s quite easy to create and assign a policy.

$definition = New-AzureRmPolicyDefinition -Name denyPublicIP -Description "Deny Public IP" -Policy "D:\Repository\ARM\ARM-Policys\NoPublicIP.json"

[Image: Policy definition output]

$rg = Get-AzureRmResourceGroup -Name "$RGName"
New-AzureRmPolicyAssignment -Name DenyPublicIP -Scope $rg.ResourceId -PolicyDefinition $definition

[Image: Policy assignment output]
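The whole procedure in one script, as an added example that is not the post’s own code: it writes the policy rule JSON for auditing public IP addresses, creates the definition, assigns it to a resource group and verifies the assignment. It assumes the AzureRM module, an existing login (Login-AzureRmAccount) and an existing resource group; the resource group name, policy name and file path are placeholders.

```powershell
# Added example, not the post's code. Assumptions: AzureRM module installed,
# already logged in, and the resource group below exists. Names are placeholders.
$RGName     = 'rg-policy-demo'
$PolicyName = 'auditPublicIP'
$PolicyFile = Join-Path $env:TEMP 'AuditPublicIP.json'

# Policy rule: match every resource of type Microsoft.Network/publicIPAddresses.
# "audit" only reports non-compliant resources; change the effect to "deny"
# to block the creation of public IPs in the assigned scope.
$rule = @'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Network/publicIPAddresses"
  },
  "then": {
    "effect": "audit"
  }
}
'@
Set-Content -Path $PolicyFile -Value $rule -Encoding UTF8

# Create the policy definition in the current subscription from the JSON file
$definition = New-AzureRmPolicyDefinition -Name $PolicyName `
    -DisplayName 'Audit Public IP' `
    -Description 'Audit the creation of public IP addresses' `
    -Policy $PolicyFile

# Assign the definition to one resource group. To cover the whole subscription,
# use "/subscriptions/<subscription id>" as the scope instead.
$rg = Get-AzureRmResourceGroup -Name $RGName
New-AzureRmPolicyAssignment -Name $PolicyName `
    -DisplayName 'Audit Public IP' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition | Out-Null

# Verify which assignments are now in force on that scope
Get-AzureRmPolicyAssignment -Scope $rg.ResourceId |
    Select-Object Name, ResourceId
```

Keep the effect on “audit” while you are only monitoring: every public IP created afterwards shows up as non-compliant in the policy compliance view without blocking the deployment, which is what you want before switching to “deny”.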


Select the Standard tier to get a better overview of the compliance status of your resources.

[Image: Standard tier in Azure Policy]

With the Free tier, you can only enforce policies at the creation of new resources. With the Standard tier, you can also evaluate them against existing resources to better understand your compliance state.

The final result: the compliance status.

[Image: Compliance status]