Azure ARM policies are a great way to put limits around your Azure subscription or resource groups, and one of the cool things you can do is prevent specific types of resource creation. Public IP addresses are created by default when you create a new IaaS virtual machine. This may be OK in some instances, but what if you want to prevent these from being created across the board? The following policy will prevent virtual machine creation if a public IP address is assigned, and will also prevent public IP address object creation if you are trying to add a public IP to a VM. The only scenario it won’t prevent is the attachment of an existing public IP to a virtual machine.
```json
{
  "if": {
    "anyOf": [
      {
        "source": "action",
        "like": "Microsoft.Network/publicIPAddresses/*"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
Here’s some PowerShell you can use to create this policy. Note that the policy definition is inline here; you could also put it in a .json file and reference it by path when creating the policy definition. This script will create the policy and assign it to a resource group you specify. Replace everything in angle brackets with values specific to your environment.
```powershell
# Subscription selection: sign in and set the context to the target subscription
Login-AzureRmAccount
$sub = "<subscription name>"
Get-AzureRmSubscription -SubscriptionName $sub | Set-AzureRmContext

# Get the resource group the policy will be scoped to
$rgname = "<resource group name>"
$rg = Get-AzureRmResourceGroup -Name $rgname

# Create the policy definition (the same rule as above, as an inline JSON string)
$definition = '{"if":{"anyOf":[{"source":"action","like":"Microsoft.Network/publicIPAddresses/*"}]},"then":{"effect":"deny"}}'
$policydef = New-AzureRmPolicyDefinition -Name NoPubIPPolicyDefinition -Description 'No public IP addresses allowed' -Policy $definition

# Assign the policy to the resource group; resources created under this scope are now evaluated against it
New-AzureRmPolicyAssignment -Name NoPublicIPPolicyAssignment -PolicyDefinition $policydef -Scope $rg.ResourceId
```
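As an added example that is not part of the original post: a definition written in the current Azure Policy rule language (the `field`/alias form rather than the `"source": "action"` form above) that denies public IP creation and also covers the remaining scenario, a network interface that references an existing public IP. It assumes the property alias `Microsoft.Network/networkInterfaces/ipConfigurations[*].publicIpAddress.id` is available in your tenant (it is the alias the built-in "Network interfaces should not have public IPs" policy uses; confirm with `Get-AzPolicyAlias` if in doubt).

```json
{
  "if": {
    "anyOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/publicIPAddresses"
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "not": {
              "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].publicIpAddress.id",
              "notLike": "*"
            }
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

The `not`/`notLike "*"` pair matches any NIC whose ipConfigurations carry a non-empty `publicIpAddress.id`, so attaching a pre-existing public IP through a NIC is denied as well, not only the creation of new address objects.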