azure policy - port range

chen dgani 60 Reputation points
2025-04-01T01:26:00+00:00

Hi, I am working on creating an Azure policy rule to deny a specific port range. I came across this example policy: example

And I would like to ask: In lines 55+56, how does the function that checks if false equals true ensure that the port range, including port 3389, will be denied?

Thank you.


Accepted answer
  Luis Arias 8,601 Reputation points
    2025-04-01T09:15:08.1766667+00:00

    Hello chen,

    Welcome to Q&A. Here is my response to your question:

    In lines 55+56, how does the function that checks if false equals true ensure that the port range, including port 3389, will be denied?

    This section of the policy checks whether port ranges, including port 22 (or port 3389 if you customize it), violate the policy. The function evaluates multiple aspects of the destinationPortRange field. First, it ensures the field isn't empty and looks for ranges.

    Then, it splits the range into two parts: the start and end values. It checks if the start of the range is less than or equal to 22 and if the end is greater than or equal to 22. If both conditions are true, it means the range includes port 22.

    The result of this evaluation is set to 'false' whenever the port is included in the range. The policy then checks whether 'false' equals 'true', which is logically impossible. This triggers the non-compliance flag for any rule that allows port 22.

    Essentially, the "false equals true" comparison is there to catch and flag configurations that violate your policy by including the specified port.

    Here are some additional insights from AI:

    Understanding the Function Condition Logic:
    not(empty(...)): Verifies that the destinationPortRange field is not empty.
    contains(..., '-'): Checks if the destinationPortRange field includes a '-', indicating it is a range (e.g., 3000-4000).

    Splitting the Range:
    split(field(...), '-'): Splits the range string (e.g., 3000-4000) into its start (3000) and end (4000) points.

    Range Comparison:
    lessOrEquals(int(first(...)), 22): Checks if the first value in the range (start of the range) is less than or equal to 22.
    greaterOrEquals(int(last(...)), 22): Checks if the last value in the range (end of the range) is greater than or equal to 22.

    Combining Checks:
    and(..., ...): Combines the above comparisons to ensure that the range includes port 22 (or any other specified port).

    Evaluating for Non-Compliance:
    If all the conditions are met (the range includes the port), the expression evaluates to 'false'. This result is then compared to 'true' in the "equals": "true" part of the policy.

    Additional information:

    If the information helped address your question, please Accept the answer.

    Luis

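To make the range logic in the answer concrete, here is an added example (not the sample policy's JSON and not code from the answer) that reimplements the same steps in Python so a set of NSG rules can be checked offline before the policy is assigned: not(empty(...)), contains(..., '-'), split(..., '-'), then lessOrEquals on the first value and greaterOrEquals on the last. The blocked port is set to 3389 as in the question; the rule records and the `port_allowed_by_value` helper (which also treats a single port value and `*` as exposing the port) are assumptions added here to show where the range-only check would miss a rule.

```python
"""Offline model of the Azure Policy destinationPortRange check described above.

Added example, not the sample policy's own definition: it mirrors the
not(empty()) / contains('-') / split('-') / lessOrEquals / greaterOrEquals
logic so NSG rules can be tested locally before the policy is assigned.
"""

BLOCKED_PORT = 3389  # the port the questioner wants denied (the sample uses 22)


def range_includes_port(destination_port_range: str, port: int) -> bool:
    """Mirror of the policy's range branch: True when 'start-end' covers port."""
    value = (destination_port_range or "").strip()
    if not value:            # not(empty(...)) fails -> no match
        return False
    if "-" not in value:     # contains(..., '-') fails -> not a range, no match
        return False
    start, end = value.split("-", 1)  # split(field(...), '-'): first / last
    try:
        # lessOrEquals(int(first(...)), port) and greaterOrEquals(int(last(...)), port)
        return int(start) <= port <= int(end)
    except ValueError:
        # Malformed range such as 'a-b': the policy's int() would fail; treat as no match here.
        return False


def port_allowed_by_value(destination_port_range: str, port: int) -> bool:
    """Assumed generalization beyond the range branch: a single port value
    equal to the blocked port, or the wildcard '*', also exposes the port."""
    value = (destination_port_range or "").strip()
    if value == "*":
        return True
    if value.isdigit():
        return int(value) == port
    return range_includes_port(value, port)


def evaluate_rules(rules, port=BLOCKED_PORT):
    """Return the names of inbound Allow rules that expose the blocked port."""
    flagged = []
    for rule in rules:
        # Only inbound Allow rules can expose the port; Deny and Outbound are skipped.
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if port_allowed_by_value(rule["destinationPortRange"], port):
            flagged.append(rule["name"])
    return flagged


# Constructed sample rules (not taken from any real NSG).
SAMPLE_RULES = [
    {"name": "allow-rdp-range", "direction": "Inbound", "access": "Allow", "destinationPortRange": "3000-4000"},
    {"name": "allow-web",       "direction": "Inbound", "access": "Allow", "destinationPortRange": "80-443"},
    {"name": "allow-rdp-exact", "direction": "Inbound", "access": "Allow", "destinationPortRange": "3389"},
    {"name": "allow-any",       "direction": "Inbound", "access": "Allow", "destinationPortRange": "*"},
    {"name": "deny-rdp",        "direction": "Inbound", "access": "Deny",  "destinationPortRange": "3389"},
    {"name": "out-rdp",         "direction": "Outbound", "access": "Allow", "destinationPortRange": "3389"},
]


if __name__ == "__main__":
    for name in evaluate_rules(SAMPLE_RULES):
        print(f"non-compliant: {name}")
```

Note that `range_includes_port` alone, like the range branch in the answer, returns False for the single value `3389` and for `*`; the extra branches in `port_allowed_by_value` show why a production policy needs conditions for those forms (and for the `destinationPortRanges` array property an NSG rule can use instead) to actually deny the port.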
