Best Approach for Denying Public Network Access on Managed Disks

Ernest Aduboffour 20 Reputation points
2025-03-21T17:37:56.3566667+00:00

An Azure policy has been implemented to disable public network access in audit mode. After remediating non-compliant resources, guidance is needed on the best approach to transition to deny mode, especially considering there are hundreds of new disks created after the monthly patch week. What strategies can be used to manage this transition effectively in a large infrastructure to prevent future issues?

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

2 answers

  1. Vinodh247 32,686 Reputation points MVP
    2025-03-22T05:42:35.0666667+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    To effectively transition from audit mode to deny mode for disabling public network access on Azure Managed Disks in a large-scale environment, consider a phased and controlled strategy that balances enforcement with operational continuity. Here's the best approach broken into key steps:

    1. Baseline Validation and Remediation

    • Ensure Full Compliance: Before switching to deny, ensure all existing disks are compliant. Use Azure Policy remediation tasks to tag and correct non-compliant disks.
    • Remediation Automation: Automate remediation using Azure Automation, Logic Apps, or Azure Functions if you deal with a high number of disks.

    2. Gradual Transition Strategy

    Instead of a hard switch to Deny, consider a phased rollout:

    Stage 1: Scoped Deny Policy
    • Limit Scope Initially: Apply the deny policy to a subset of subscriptions, resource groups, or regions.
    • Monitor the effect on deployments or patching cycles.
    • Use activity logs and policy compliance reports to assess impact.

    Stage 2: DeployIfNotExists Policy
    • Consider a DeployIfNotExists effect to auto-enforce configurations (if applicable), although not directly usable for all public access scenarios on managed disks.

    Stage 3: Gradual Expansion
    • Expand the scope week-by-week or after each patch cycle.
    • Use change windows to reduce risk during deployment periods.

    3. Patch Week Awareness

    • Freeze Period: Avoid major policy changes during or right before patch weeks.
    • Policy Exceptions: Temporarily allow exceptions using policy exemptions for patch-related automation that may rely on public access.

    4. Automate and Monitor

    • CI/CD Integration: Include Azure Policy checks in your IaC pipelines (Bicep, Terraform).
    • Alerting: Set up Azure Monitor alerts on policy non-compliance.
    • Version Control: Use Azure Policy Definitions in source control for change tracking and rollback if needed.

    5. Use Policy Insights

    • Use Azure Policy Insights to analyze trends:
      • Identify which teams or resources frequently violate the policy.
      • Use this to drive training or automation improvements.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

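The phased rollout described in the answer above, as an added example that is not part of the answer: a custom policy definition whose effect is a parameter (so audit-to-deny is an assignment change, not a new policy), a subscription-wide Audit assignment, a Deny assignment scoped to a pilot resource group, a time-boxed exemption for patch automation, and the compliance query used to gate each expansion. It assumes the alias Microsoft.Compute/disks/publicNetworkAccess (verify with Get-AzPolicyAlias), the Az.Resources and Az.PolicyInsights modules, and placeholder subscription and resource-group names.

```powershell
# Added example, not the answer's code. Placeholders: <subscription-id>, <pilot-rg>, <patch-automation-rg>.
# Assumed alias; confirm it in your tenant before assigning:
#   Get-AzPolicyAlias -NamespaceMatch Microsoft.Compute -ResourceTypeMatch disks
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/disks" },
      { "field": "Microsoft.Compute/disks/publicNetworkAccess", "notEquals": "Disabled" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
# Effect is a parameter so the same definition serves both the audit and the deny phase
$params = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@
$def = New-AzPolicyDefinition -Name 'deny-disk-public-network-access' `
    -DisplayName 'Managed disks must not allow public network access' `
    -Mode 'Indexed' -Policy $rule -Parameter $params

# Stage 0: the whole subscription stays in Audit while remediation runs
$subScope = '/subscriptions/<subscription-id>'
New-AzPolicyAssignment -Name 'disk-pna-audit' -Scope $subScope `
    -PolicyDefinition $def -PolicyParameterObject @{ effect = 'Audit' }

# Stage 1: Deny only on a pilot resource group; a Deny anywhere in scope blocks the request
$pilotScope = "$subScope/resourceGroups/<pilot-rg>"
$pilot = New-AzPolicyAssignment -Name 'disk-pna-deny-pilot' -Scope $pilotScope `
    -PolicyDefinition $def -PolicyParameterObject @{ effect = 'Deny' }

# Patch-week exception: a waiver that expires by itself instead of a permanent carve-out
New-AzPolicyExemption -Name 'patch-week-waiver' -PolicyAssignment $pilot `
    -Scope "$subScope/resourceGroups/<patch-automation-rg>" `
    -ExemptionCategory 'Waiver' -ExpiresOn (Get-Date).AddDays(7)

# Expansion gate: widen the Deny scope only when the audit assignment reports no non-compliant disks
Get-AzPolicyState -PolicyAssignmentName 'disk-pna-audit' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceGroup, Timestamp
```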

  2. Naveena Patlolla 1,975 Reputation points Microsoft External Staff
    2025-04-01T02:43:01.6066667+00:00

    Hi Ernest Aduboffour

    Sorry for the late response.

    Once the policy is switched to Deny mode, no disk can be created if Public Network Access is set to true; the policy will block the creation.

    To remediate previously created disks after applying the patch, please use the two scripts below. Start by processing 10 disks per day, test the changes, and if everything works as expected, gradually increase the disk count.

    Script1 description:

    This script adds or updates a specific tag on a list of Azure Disks. It reads the disk names from a text file.

    Script 2 description:

    This script modifies Azure Managed Disks by restricting public network access. It retrieves all disks with the tag publicaccess=deny.

    Script1

    Create a Notepad file and list the disk names you want to change from public to private network access, with each disk name on a new line.

    Create a tag with the details below using the script.

    $tagKey = "publicaccess"

    $tagValue = "Deny"

    <#
    .SYNOPSIS  
    This script adds or updates a specific tag on a list of Azure Disks.  
    .DESCRIPTION  
    - Reads disk names from a text file.  
    - Retrieves each disk and its resource group.  
    - Adds or updates the specified tag (`publicaccess=deny`).  
    - Updates the disk in Azure.  
    .NOTES  
    - Ensure you have the necessary **Azure permissions**.  
    - The text file should contain **one disk name per line**.  
    - Disk names are only unique within a resource group; a name that matches more than one disk is reported and skipped rather than updated blindly.  
    #>  
    # Define variables  
    $tagKey = "publicaccess"
    $tagValue = "deny"
    $diskListFile = "C:\path\to\disknames.txt" # Update with the actual file path
    # Read disk names from the file, dropping blank lines and surrounding whitespace  
    $diskNames = Get-Content $diskListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    # List the subscription's disks once instead of once per name  
    $allDisks = Get-AzDisk
    # Loop through each disk name  
    foreach ($diskName in $diskNames) {
        # Match by name (considering potential duplicates across resource groups)
        $found = @($allDisks | Where-Object { $_.Name -eq $diskName })
        if ($found.Count -eq 0) {
            Write-Output "Disk not found: $diskName"
            continue
        }
        if ($found.Count -gt 1) {
            Write-Output "Ambiguous name '$diskName' in resource groups: $($found.ResourceGroupName -join ', ') - skipped"
            continue
        }
        $disk = $found[0]
        $resourceGroupName = $disk.ResourceGroupName  # Get the disk's resource group
        # Ensure tags exist  
        if (-not $disk.Tags) {
            $disk.Tags = @{}
        }
        # Add or update the tag  
        $disk.Tags[$tagKey] = $tagValue
        # Apply the tag update  
        Update-AzDisk -ResourceGroupName $resourceGroupName -DiskName $diskName -Disk $disk
        Write-Output "Tag '$tagKey=$tagValue' added to disk: $diskName in Resource Group: $resourceGroupName"
    }
    

    Script 2

    This script modifies Azure Managed Disks by restricting public network access. It retrieves all disks with the tag publicaccess=deny.

    <#
    .SYNOPSIS  
    This script modifies Azure Managed Disks by restricting public network access.  
    .DESCRIPTION  
    - Retrieves all disks with the tag `publicaccess=deny`.  
    - Creates a **Disk Access resource** for each disk if not already present.  
    - Updates the disk properties to:  
      - Set **NetworkAccessPolicy** to `AllowPrivate`.  
      - Disable **Public Network Access** (`PublicNetworkAccess = Disabled`).  
    - Introduces **sleep intervals** to avoid throttling.  
    .NOTES  
    - Ensure you have the required **permissions** to modify Azure Disks.  
    - Run this script in **Azure PowerShell** with appropriate access.  
    - Disks that are already private are skipped, so the script can be re-run safely.  
    #>  
    # Variables: select tagged disks, guarding against disks that carry no tags at all  
    $disks = Get-AzDisk | Where-Object { $_.Tags -and $_.Tags["publicaccess"] -eq "deny" }
    # Iterate through each disk  
    foreach ($disk in $disks) {
        # Extract necessary details  
        $resourceGroupName = $disk.ResourceGroupName
        $diskName = $disk.Name
        $location = $disk.Location
        # Skip disks that were already remediated on an earlier run  
        if ($disk.PublicNetworkAccess -eq "Disabled" -and $disk.NetworkAccessPolicy -eq "AllowPrivate") {
            Write-Output "Disk '$diskName' is already private - skipped."
            continue
        }
        # Generate a unique name for the Disk Access resource  
        $DiskAccessName = "$diskName-Diskaccess"
        # Reuse the Disk Access resource if it already exists, otherwise create it  
        $diskAccess = Get-AzDiskAccess -ResourceGroupName $resourceGroupName -Name $DiskAccessName -ErrorAction SilentlyContinue
        if (-not $diskAccess) {
            $diskAccess = New-AzDiskAccess -ResourceGroupName $resourceGroupName -Name $DiskAccessName -Location $location
            Write-Output "Created new Disk Access resource '$DiskAccessName' in location '$location'."
            # Wait to avoid Azure API rate limits  
            Start-Sleep -Seconds 30  
        }
        # Modify disk properties  
        $disk.DiskAccessId = $diskAccess.Id
        $disk.NetworkAccessPolicy = "AllowPrivate"
        $disk.PublicNetworkAccess = "Disabled"
        # Update the disk with new settings  
        Update-AzDisk -ResourceGroupName $resourceGroupName -DiskName $diskName -Disk $disk
        Write-Output "Updated disk '$diskName': Public access disabled, private network access enabled."
        # Sleep before processing the next disk  
        Start-Sleep -Seconds 30  
    }
    

    Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

