Azure ARM Policy to Block Public IPs

Azure ARM policies are a great way to put limits around your Azure subscription or resource groups, and one of the cool things you can do is prevent specific types of resource creation. Public IP addresses are created by default when you create a new IaaS virtual machine. This may be OK in some instances, but what if you want to prevent these from being created across the board? The following policy will prevent virtual machine creation if a public IP address is assigned, and will also prevent public IP address object creation if you are trying to add a public IP to a VM. The only scenario it won’t prevent is the attachment of an existing public IP to a virtual machine.

  "if": {
    "anyOf": [
        "source": "action",
        "like": "Microsoft.Network/publicIPAddresses/*"
  "then": {
    "effect": "deny"

Here’s some Powershell you can use to create this policy. Note that the policy definition is inline here, you could also put this in a .json file and reference it by path when creating the policy definition. This script will create the policy and assign it to a resource group you specify. Replace everything in with parameters specific to your environment.

# Subscription selection
$sub = "<subscription name>"
Get-AzureRmSubscription -SubscriptionName $sub | Set-AzureRmContext

# Get the resource group
$rgname = "<resource group name>"
$rg = Get-AzureRmResourceGroup -Name $rgname

# Create the policy definition
$definition = '{"if":{"anyOf":[{"source":"action","like":"Microsoft.Network/publicIPAddresses/*"}]},"then":{"effect":"deny"}}'
$policydef = New-AzureRmPolicyDefinition -Name NoPubIPPolicyDefinition -Description 'No public IP addresses allowed' -Policy $definition

# Assign the policy
New-AzureRmPolicyAssignment -Name NoPublicIPPolicyAssignment -PolicyDefinition $policydef -Scope $rg.ResourceId

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s