Category Archives: azure

Azure ARM Policy to Block Public IPs

Azure ARM policies are a great way to put limits around your Azure subscription or resource groups, and one of the cool things you can do is prevent specific types of resource creation. Public IP addresses are created by default when you create a new IaaS virtual machine. This may be OK in some instances, but what if you want to prevent these from being created across the board? The following policy will prevent virtual machine creation if a public IP address is assigned, and will also prevent public IP address object creation if you are trying to add a public IP to a VM. The only scenario it won’t prevent is the attachment of an existing public IP to a virtual machine.

{
  "if": {
    "anyOf": [
      {
        "source": "action",
        "like": "Microsoft.Network/publicIPAddresses/*"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
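To make the policy's coverage concrete, here is an added example (not from the original post) that evaluates the policy definition above against a few constructed request actions. It models only the "source":"action" plus "like" condition form the post uses, and it assumes that PowerShell's -like wildcard operator is a fair stand-in for the policy engine's "like" matching on this simple trailing-* pattern. The third action is the gap the post describes: attaching an existing public IP is a write to the network interface, not to the publicIPAddresses resource type, so the policy never sees it.

```powershell
# Added example: evaluate the post's policy against sample actions.
# Assumption: PowerShell's -like approximates Azure Policy "like" for "prefix/*" patterns.
$policy = @'
{"if":{"anyOf":[{"source":"action","like":"Microsoft.Network/publicIPAddresses/*"}]},"then":{"effect":"deny"}}
'@ | ConvertFrom-Json

function Test-PolicyAction {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $Action
    )
    # Only the "source":"action" / "like" condition shape used in the post is modelled.
    foreach ($cond in $Policy.if.anyOf) {
        if ($cond.source -eq 'action' -and $Action -like $cond.like) {
            return $Policy.then.effect      # "deny"
        }
    }
    return 'allow'                          # no condition matched, so the policy is silent
}

# Constructed sample actions (hypothetical requests, not captured from a real tenant):
#  - creating a public IP object          -> denied by the policy
#  - creating a VM whose template also creates a public IP -> denied, because the
#    deployment includes a publicIPAddresses write (the case the post describes)
#  - attaching an existing public IP to a NIC -> allowed, the gap the post calls out
$actions = @(
    'Microsoft.Network/publicIPAddresses/write',
    'Microsoft.Network/networkInterfaces/write'
)
foreach ($a in $actions) {
    '{0,-48} {1}' -f $a, (Test-PolicyAction -Policy $policy -Action $a)
}
```

The takeaway for a practitioner is that the deny effect keys off the resource type being written, so controlling existing public IP objects (auditing and cleaning them up) is still needed alongside this policy.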

Here’s some PowerShell you can use to create this policy. Note that the policy definition is inline here; you could also put it in a .json file and reference it by path when creating the policy definition. This script will create the policy and assign it to a resource group you specify. Replace the placeholder values in angle brackets with parameters specific to your environment.

# Subscription selection
Login-AzureRmAccount
$sub = "<subscription name>"
Get-AzureRmSubscription -SubscriptionName $sub | Set-AzureRmContext

# Get the resource group
$rgname = "<resource group name>"
$rg = Get-AzureRmResourceGroup -Name $rgname

# Create the policy definition
$definition = '{"if":{"anyOf":[{"source":"action","like":"Microsoft.Network/publicIPAddresses/*"}]},"then":{"effect":"deny"}}'
$policydef = New-AzureRmPolicyDefinition -Name NoPubIPPolicyDefinition -Description 'No public IP addresses allowed' -Policy $definition

# Assign the policy
New-AzureRmPolicyAssignment -Name NoPublicIPPolicyAssignment -PolicyDefinition $policydef -Scope $rg.ResourceId
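Since the post points out that the policy cannot stop an existing public IP from being attached to a VM, a natural follow-up is to audit the resource group for public IPs that already exist and confirm the assignment is in place. The following is an added example (not from the original post) using the same AzureRM cmdlets; it assumes the AzureRM module, an already-selected subscription context as in the script above, and that $rgname holds the same resource group name.

```powershell
# Added example: audit the scope after assigning the policy.
# Assumes an AzureRM context is already set (Login-AzureRmAccount / Set-AzureRmContext above).
$rgname = "<resource group name>"
$rg = Get-AzureRmResourceGroup -Name $rgname

# 1. Confirm which policy assignments exist at the resource group scope.
Get-AzureRmPolicyAssignment -Scope $rg.ResourceId |
    Select-Object Name, @{ n = 'Definition'; e = { $_.Properties.policyDefinitionId } } |
    Format-Table -AutoSize

# 2. List public IP objects that already exist in the resource group. The policy does not
#    block attaching these, so each one is residual exposure to review; unattached ones are
#    candidates for removal.
Get-AzureRmPublicIpAddress -ResourceGroupName $rgname | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        IpAddress  = $_.IpAddress
        Allocation = $_.PublicIpAllocationMethod
        AttachedTo = if ($_.IpConfiguration) { $_.IpConfiguration.Id } else { '(unattached)' }
    }
} | Format-Table -AutoSize
```

Running this right after the assignment gives a baseline of pre-existing public IPs; rerunning it later shows whether any of those have since been attached to a NIC, which is the one path the policy leaves open.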

Azure Load Balancer Default Probe

I’ve had a case open with Microsoft support around load balancers in Azure, specifically around how the default probe works. There’s little information in the Azure MSDN documentation on exactly how the probes work. I did find this blog post on MSDN blogs by Kevin Williamson from 2013 that provides some details on exactly how they work, and confirmed with MS support that they do still function in this manner. In a nutshell, the default probe will perform probes against the Azure VM Agent on the server over HTTP and TCP to determine whether the node is healthy, removing it from the LB if it does not get a successful TCP connection or an HTTP 200 response. It’s disappointing that MS doesn’t provide more details on this in their Azure documentation; hopefully this is something they pull out of the blogs and add to their official MSDN docs.