Network.csv
"DisplayName";"Description";"Path"
"Subscription should configure the Azure Firewall Premium to provide additional layer of protection";"Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ACAT_Firewall_FirewallPremiumShouldExist_Audit.json"
"Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium";"Intrusion Detection and Prevention System (IDPS) Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list. However, enabling IDPS is recommended for all traffic flows to better identify known threats. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EmptyIDPSBypassList_Audit.json"
"Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows";"Enabling all Intrusion Detection and Prevention System (IDPS) signature rules is recommended to better identify known threats in the traffic flows. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableAllIDPSSignatureRules_Audit.json"
"Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS)";"Enabling the Intrusion Detection and Prevention System (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. To learn more about the Intrusion Detection and Prevention System (IDPS) with Azure Firewall Premium, visit https://aka.ms/fw-idps";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableIDPS_Audit.json"
"Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection";"Configure a valid intermediate certificate and enable Azure Firewall Premium TLS inspection to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableTlsInspection_Audit.json"
"Azure firewall policy should enable TLS inspection within application rules";"Enabling TLS inspection is recommended for all application rules to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnbaleTlsForAllAppRules_Audit.json"
"Web Application Firewall (WAF) should enable all firewall rules for Application Gateway";"Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ACAT_WAF_AppGatewayAllRulesEnabled_Audit.json"
"Virtual machines should be connected to an approved virtual network";"This policy audits any virtual machine connected to a virtual network that is not approved.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json"
"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall";"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json"
"Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace";"Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/DataConnectorsAzureNSG_Deploy.json"
"Network interfaces should disable IP forwarding";"This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkIPForwardingNic_Deny.json"
"Network interfaces should not have public IPs";"This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkPublicIPNic_Deny.json"
"Flow logs should be configured for every network security group";"Audit network security groups to verify that flow logs are configured. Enabling flow logs allows you to log information about IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Audit.json"
"Deploy a flow log resource with target network security group";"Configures a flow log for a specific network security group. It allows you to log information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Deploy.json"
"Network Watcher flow logs should have traffic analytics enabled";"Traffic analytics analyzes Network Watcher network security group flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_TrafficAnalytics_Audit.json"
"Configure network security groups to enable traffic analytics";"Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for the network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_TrafficAnalytics_Deploy.json"
"Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics";"If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_TrafficAnalytics_Update.json"
"Gateway subnets should not be configured with a network security group";"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json"
"Deploy network watcher when virtual networks are created";"This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Deploy.json"
"Network Watcher should be enabled";"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json"
"Flow logs should be enabled for every network security group";"Audit flow log resources to verify that flow log status is enabled. Enabling flow logs allows you to log information about IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkWatcherFlowLog_Enabled_Audit.json"
"Virtual networks should use specified virtual network gateway";"This policy audits any virtual network if the default route does not point to the specified virtual network gateway.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetwork_ApprovedVirtualNetworkGateway_AuditIfNotExists.json"
"Virtual networks should be protected by Azure DDoS Protection Standard";"Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkDdosStandard_Audit.json"
"App Service apps should use a virtual network service endpoint";"Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json"
"[Preview]: Container Registry should use a virtual network service endpoint";"This policy audits any Container Registry not configured to use a virtual network service endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json"
"Cosmos DB should use a virtual network service endpoint";"This policy audits any Cosmos DB not configured to use a virtual network service endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json"
"Event Hub should use a virtual network service endpoint";"This policy audits any Event Hub not configured to use a virtual network service endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json"
"Key Vault should use a virtual network service endpoint";"This policy audits any Key Vault not configured to use a virtual network service endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json"
"SQL Server should use a virtual network service endpoint";"This policy audits any SQL Server not configured to use a virtual network service endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json"
"Storage Accounts should use a virtual network service endpoint";"This policy audits any Storage Account not configured to use a virtual network service endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json"
"VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users";"Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VPN-AzureAD-audit-deny-disable-policy.json"
"Azure VPN gateways should not use 'basic' SKU";"This policy ensures that VPN gateways do not use 'basic' SKU.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VPNGateways_BasicSKU_Audit.json"
"A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections";"This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths - https://aka.ms/AA62kb0";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VPNGateways_CustomIpSecPolicies_Audit.json"
"Azure Web Application Firewall should be enabled for Azure Front Door entry-points";"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json"
"Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service";"Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json"
"Web Application Firewall (WAF) should be enabled for Application Gateway";"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json"
"Web Application Firewall (WAF) should use the specified mode for Application Gateway";"Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json"
"Address space must be pre-allocated for region";"This policy ensures that the address space allocated to a VNET has been pre-allocated for use within Azure, preventing peerings being utilised as an attack vector for null-routing traffic on the platform.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/address-space-should-be-pre-allocated-for-region/azurepolicy.json"
"Azure firewall policy should only allow user defined standard ports and FQDNs within network rules";"Enforce usage of user defined standard ports, protocols and destination addresses. This is a common requirement in many regulatory and industry compliance standards.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/allow-azurefirewallpolicy-user-defined-standard-ports-destiantionaddresses-within-network-rules/azurepolicy.json"
"Azure firewall policy should only allow user defined standard ports and FQDNs within application rules";"Enforce usage of user defined standard ports and FQDNs (default deny wildcard '*'). This is a common requirement in many regulatory and industry compliance standards.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/allow-azurefirewallpolicy-user-defined-standard-ports-fqdns-within-application-rules/azurepolicy.json"
"Allowed VM Images for Resource Groups containing a specific Suffix";"This Policy will prevent VM images not listed by this Policy from being deployed to Resource Groups containing a suffix that you define here.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/allowed-vm-images-for-resource-groups-containing-aspecific-suffix/azurepolicy.json"
"App Gateway can only have VMs or VMSS in its backend pool.";;"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/app-gateways-can-only-have-vms-and-vmss-in-backend-pool/azurepolicy.json"
"Append NSG Rule";"This Policy will append a rule to newly deployed NSGs.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/append-nsg-rule/target-all-nsgs/azurepolicy.json"
"Append NSG Rule";"This Policy will append a rule to newly deployed NSGs.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/append-nsg-rule/target-all-nsgs-by-region/azurepolicy.json"
"Append NSG Rule";"This Policy will append a rule to newly deployed NSGs that contain a specified suffix.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/append-nsg-rule/target-nsg-by-suffix/azurepolicy.json"
"Newly created subnets will be assigned a Route Table";"This policy applies a specific Route Table to every newly created Subnet. This Policy will look for the existence of a keyword in a subnet name to apply the Policy. This policy must partner with the policy 'append-route-table-to-subnet-during-vnet-creation-based-on-naming-convention' in order to fully work. Additionally this policy is parameterized to be able to target all regions where a route table exists.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/append-route-table-to-subnet-during-subnet-creation-based-on-naming-convention-and-region/azurepolicy.json"
"Newly created VNets will have certain subnets assigned a Route Table";"This policy applies a specific Route Table to subnets during VNet creation. This Policy will look for the existence of a keyword in a subnet name to apply the Policy. This policy must partner with the policy 'append-route-table-to-subnet-during-subnet-creation-based-on-naming-convention' in order to fully work. Additionally this policy is parameterized to be able to target all regions where a route table exists.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/append-route-table-to-subnet-during-vnet-creation-based-on-naming-convention-and-region/azurepolicy.json"
"Audit peering between two prefixes based on first octet";"This policy audits peering between two prefixes based on the first octet.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Audit peering between two prefixes based on first octate/azurepolicy.json"
"Audit for Application Gateway without HTTP Redirect";"This Policy looks to see if an HTTP listener exists. It then checks to see if a routing rule is configured for redirect. If a redirect is not detected then an audit is performed.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/audit-http-redirect-app-gateway/azurepolicy.json"
"Audit load balancers with public IP";"This policy audits whether load balancers exist with a public IP.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/audit-loadbalancers-with-publicip/azurepolicy.json"
"Audit unattached static Public IPs";"Static Public IPs incur cost even when not in use. This Policy will help you detect the existence of unattached static Public IPs in the effort to help drive down cost.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/audit-unattached-static-public-ips/azurepolicy.json"
"Block NSG Creations and Updates";;"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/block-nsg-creations-updates/azurepolicy.json"
"NSG rule ports without IP source";;"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/block-nsg-ports-without-ip-source/azurepolicy.json"
"Create NSG Rule";"This policy will append a rule to an NSG during creation or update. Only works during creation of the NSG or updates to the NSG as a whole due to the way the Resource Provider works.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/create-nsg-rule/azurepolicy.json"
"deny-app-gateway-only-allowed-in-approved-subnet";;"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-app-gateway-only-allowed-in-approved-subnet/azurepolicy.json"
"deny-app-gateways-cant-have-private-listener";;"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-app-gateways-cant-have-private-listener/azurepolicy.json"
"deny-changing-address-space-on-virtual-network";"deny-changing-address-space-on-virtual-network";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-changing-address-space-on-virtual-network/azurepolicy.json"
"deny-changing-vnet-dns-settings";"deny-changing-vnet-dns-settings";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-changing-vnet-dns-settings/azurepolicy.json"
"deny-creation-of-vnets-that-dont-follow-a-pre-defined-naming-convention";"deny-creation-of-vnets-that-dont-follow-a-pre-defined-naming-convention";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-creation-of-vnets-that-dont-follow-a-pre-defined-naming-convention/azurepolicy.json"
"deny-new-security-rules-with-source-any-adding-to-existing-nsgs";"deny-new-security-rules-with-source-any-adding-to-existing-nsgs";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-new-security-rules-with-source-any-adding-to-existing-nsgs/azurepolicy.json"
"Deny NICs from having public Ips when attached to subnets containing a defined suffix";"If a NIC is in a subnet that has the suffix defined in this Policy then a user will be unable to attach a public IP to that NIC.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-nics-from-having-public-ips-when-attached-to-subnets-containing-a-defined-suffix/azurepolicy.json"
"Deny NSG rule inbound from internet - Network Security Group";"This Policy will detect if an NSG rule would allow a port or set of ports to be accessed from outside of an IP whitelist. This will check Service Tags as well as Port Ranges. For example, if you specify port 22 in the parameter for this Policy, and only allow communications from 10.0.0.0/8, and someone creates a rule that allows ports 20-30 inbound from 20.x.x.x, this would be denied because 22 falls within that port range and 20.x.x.x is not on the IP whitelist. This Policy is part of a set of policies. Both must be applied for this to cover all possible ways an NSG rule can be created.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-nsg-rule-inbound-from-internet-can-check-if-port-is-present-in-range/network-security-group/azurepolicy.json"
"network-security-group-security-rules";"network-security-group-security-rules";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-nsg-rule-inbound-from-internet-can-check-if-port-is-present-in-range/network-security-group-security-rules/azurepolicy.json"
"deny-nsgs-with-rules-with-source-any";"deny-nsgs-with-rules-with-source-any";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-nsgs-with-rules-with-source-any/azurepolicy.json"
"VNet Peering is only allowed to approved VNets.";"If you try to peer to a VNet that's not on the list of approved VNets then the action will be denied.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-peering-to-non-approved-vnets/azurepolicy.json"
"deny-ports-nsg";"deny-ports-nsg";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-ports-nsg/azurepolicy.json"
"Deny Private Endpoints if not being deployed to a specific subnet";"This Policy will deny the creation of Private Endpoints if not within subnets that contain a key word.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-private-endpoint-if-not-in-specific-subnet/azurepolicy.json"
"deny-private-endpoint-in-specific-subnets-based-on-naming-convention";"deny-private-endpoint-in-specific-subnets-based-on-naming-convention";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-private-endpoint-in-specific-subnets-based-on-naming-convention/azurepolicy.json"
"Deny route with next hop type internet";"Deny route with next hop type internet to ensure data loss prevention. Both creating routes as a standalone resource or nested within their parent resource route table are considered.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-route-nexthopinternet/azurepolicy.json"
"Deny route with address prefix 0.0.0.0/0 not pointing to the virtual appliance";"Deny route with address prefix 0.0.0.0/0 not pointing to the virtual appliance. Both creating routes as a standalone resource or nested within their parent resource route table are considered.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-route-nexthopvirtualappliance/azurepolicy.json"
"deny-service-endpoints-on-subnets-based-on-naming-convention";"deny-service-endpoints-on-subnets-based-on-naming-convention";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-service-endpoints-on-subnets-based-on-naming-convention/azurepolicy.json"
"deny-subnet-delegation-on-subnets-containing-a-key-word";"deny-subnet-delegation-on-subnets-containing-a-key-word";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-subnet-delegation-on-subnets-containing-a-key-word/azurepolicy.json"
"deny-subnets-missing-suffix";"deny-subnets-missing-suffix";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-subnets-missing-suffix/azurepolicy.json"
"Deny VM creation in subnets that contain specified suffix";"This policy will deny the creation of VMs in subnets that contain a certain suffix.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-vm-creation-in-subnets-that-contain-a-specified-suffix/azurepolicy.json"
"deny-vm-vmss-and-load-balancer-from-subnet";"deny-vm-vmss-and-load-balancer-from-subnet";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-vm-vmss-and-load-balancer-from-subnet/azurepolicy.json"
"VMs not in a specific subnet cannot be part of a backend pool";;"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-vms-not-in-a-specific-subnet-from-being-part-of-a-backend-pool/azurepolicy.json"
"deny-vnet-creation-outside-of-resource-groups-based-on-a-naming-standard";"deny-vnet-creation-outside-of-resource-groups-based-on-a-naming-standard";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deny-vnet-creation-outside-of-resource-groups-based-on-a-naming-standard/azurepolicy.json"
"Deploy NSG rule";"This policy deploys a rule to an NSG.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Deploy NSG rule/azurepolicy.json"
"Deploy route to route tables";"This policy deploys a route to route tables.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Deploy route to route tables/azurepolicy.json"
"Deploy NSG Flow Logs to Target Region";"This Policy will deploy NSG Flow Logs for a target region. You'll need to do a unique assignment of this Policy for each region you wish to enable NSG Flow Logs in. NSG Flow Logs require that the Storage Account used for logging be in the same region as the NSG you're enabling Flow Logs on.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deploy-nsg-flow-logs/azurepolicy.json"
"Create Private DNS Zone Virtual Network Link to Virtual Networks if not available";"Create Private DNS Zone Virtual Network Link to Virtual Networks if not available";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deploy-private-dnszone-vnet-link-to-vnets/azurepolicy.json"
"deploy-private-endpoint-private-dns-zone-link";"deploy-private-endpoint-private-dns-zone-link";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deploy-private-endpoint-private-dns-zone-link/azurepolicy.json"
"deploy-security-rule-to-existing-nsg";"deploy-security-rule-to-existing-nsg";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deploy-security-rule-to-existing-nsg/azurepolicy-parameters.json"
"Enforce network security groups to have a DENY RDP security rule.";"Enforce network security groups to have a DENY RDP security rule.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/deploy-security-rule-to-existing-nsg/azurepolicy.json"
"VMs in Resource Groups containing suffix must have NICs in Resource Groups with same suffix";"This Policy will require that VMs deployed into Resource Groups with a certain suffix also have their NICs deployed into Resource Groups with that same suffix.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/enforce-nic-exemption-rg/azurepolicy.json"
"Subnets must have an NSG and that NSG must have the same suffix as the subnet";"This Policy requires that all subnets have an NSG and that the provisioned NSG shares the same suffix as its attached subnet.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/enforce-subnets-must-have-nsg-and-nsg-must-have-same-suffix-as-subnet/azurepolicy.json"
"Enforce Firewall Policy DNS servers";"This policy prevents setting non-authorized DNS servers for firewall policies.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/enforce_azfw_dns_servers/azurepolicy.json"
"Enforce VNET DNS servers";"This policy prevents setting non-authorized DNS servers for VNets.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/enforce_vnet_dns_servers/azurepolicy.json"
"modify-inject-Routes-into-exsiting-Route-Table";"modify-inject-Routes-into-exsiting-Route-Table";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/modify-inject-Routes-into-exsiting-Route-Table/azurepolicy.json"
"Adds route with address prefix 0.0.0.0/0 pointing to the virtual appliance in case there is none.";"Adds route with address prefix 0.0.0.0/0 pointing to the virtual appliance in case there is none. Best combined with policy deny-route-nexthopvirtualappliance to ensure the correct IP address of the virtual appliance.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/modify-routetable-nexthopvirtualappliance/azurepolicy.json"
"Adds the default network security group to subnets in case there is none.";"Adds the default network security group to subnets in case there is none. Nothing happens when another network security group is already associated with the subnet.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/modify-subnet-nsg/azurepolicy.json"
"Adds the default route table to subnets";"Adds the default route table to subnets. Other route tables are replaced with the default route table.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/modify-subnet-routetable/azurepolicy.json"
"Vnet peering disallowed outside subscription";"No network peering can be associated to networks outside the current subscription.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/peering-outside-disallowed/azurepolicy.json"
"Prevent cross subscription Private Link";"This policy prevents private link between subscriptions.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross subscription Private Link/azurepolicy.json"
"Prevent cross tenant Private Link for acr";"This policy prevents private link between tenants for acr.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross tenant Private Link for acr/azurepolicy.json"
"Prevent cross tenant Private Link for aks";"This policy prevents private link between tenants for aks.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross tenant Private Link for aks/azurepolicy.json"
"Prevent cross tenant Private Link for ampls";"This policy prevents private link between tenants for ampls.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross tenant Private Link for ampls/azurepolicy.json"
"Prevent cross tenant Private Link for eventgrid domains";"This policy prevents private link between tenants for eventgrid domains.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross tenant Private Link for eventgrid domains/azurepolicy.json"
"Prevent cross tenant Private Link for eventgrid topics";"This policy prevents private link between tenants for eventgrid topics.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross tenant Private Link for eventgrid topics/azurepolicy.json"
"Prevent cross tenant Private Link for key vault";"This policy prevents private link between tenants for key vault.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross tenant Private Link for key vault/azurepolicy.json"
"Prevent cross tenant Private Link for storage";"This policy prevents private link between tenants for storage.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent cross tenant Private Link for storage/azurepolicy.json"
"Prevent internet routes in route tables";"This policy prevents next hop internet in route tables.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent internet routes in route tables/azurepolicy.json"
"Prevent subnets without NSG";"This policy prevents subnets without an NSG attached to them.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent subnets without NSG/azurepolicy.json"
"Prevent subnets without Route Table";"This policy prevents subnets without a UDR attached to them.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Prevent subnets without Route Table/azurepolicy.json"
"require-specific-route-on-udr";"require-specific-route-on-udr";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/require-specific-route-on-udr/azurepolicy.json"
"Virtual Machine NIC must have NSG";"This policy prevents a NIC attached to a VM from having no NSG.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/Virtual Machine NIC must have NSG/azurepolicy.json"
"VNet Peering is only allowed to approved VNets";"This policy denies peering to a VNet that's not on the list of approved VNets.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Network/VNet Peering is only allowed to approved VNets/azurepolicy.json"