Azure policy - IP Addresses range

Question

Azure policy - IP Addresses range

chen dgani 60

Hi.

I want to create an Azure Policy Definition that denies any NSG rule allowing inbound traffic from the source IP 1.2.3.4.

Specifically, I want to block any NSG rule that permits traffic to any address range containing 1.2.3.4 using CIDR notation, such as 1.2.3.0/24 or 1.2.0.0/16.

I have seen a similar example for creating an Azure Policy Definition for port ranges, but that case was simpler as it only involved checking integer ranges. (The example in lines 55-56).

Thank you.

Alex Burlachenko 4,875 Reputation points

2025-04-01T15:14:46.0366667+00:00

Well :) I happy that was helpful for u... as well u can play around that example add something to code ... anyway... Have a nice day. Alex
Naveena Patlolla 2,055 Reputation points Microsoft External Staff Moderator

2025-04-03T12:57:07.39+00:00

Hi chen dgani Thanks for your response back

Here are the subnet mask examples determines how many IP addresses are blocked within the given range:

1.2.3.4/32 or 1.2.3.4 blocks only that single IP.

1.2.3.0/24 blocks 1.2.3.0 – 1.2.3.255 (256 IPs).

1.2.0.0/16 blocks 1.2.0.0 – 1.2.255.255 (65,536 IPs).

1.0.0.0/8 blocks 1.0.0.0 – 1.255.255.255 (16.7 million IPs).

To block an entire range, use 1.0.0.0/8, which covers all IPs starting with 1.

In Azure policy definition, you have to replace "1.2.3.4" with "1.0.0.0/8" it will work

Please "Upvote" if the comment was helpful

Accepted answer

0 additional answers

Your answer

Alex Burlachenko 4,875 Reputation points

2025-04-01T15:14:46.0366667+00:00

Well :) I happy that was helpful for u... as well u can play around that example add something to code ... anyway... Have a nice day. Alex
Naveena Patlolla 2,055 Reputation points Microsoft External Staff Moderator

2025-04-03T12:57:07.39+00:00

Hi chen dgani Thanks for your response back

Here are the subnet mask examples determines how many IP addresses are blocked within the given range:

1.2.3.4/32 or 1.2.3.4 blocks only that single IP.

1.2.3.0/24 blocks 1.2.3.0 – 1.2.3.255 (256 IPs).

1.2.0.0/16 blocks 1.2.0.0 – 1.2.255.255 (65,536 IPs).

1.0.0.0/8 blocks 1.0.0.0 – 1.255.255.255 (16.7 million IPs).

To block an entire range, use 1.0.0.0/8, which covers all IPs starting with 1.

In Azure policy definition, you have to replace "1.2.3.4" with "1.0.0.0/8" it will work

Please "Upvote" if the comment was helpful

Answer 1

Dear Chen Dgani,

Thank you for your inquiry regarding the Azure Policy to restrict specific IP address ranges in NSG rules. I understand your requirement to block inbound traffic from the IP address 1.2.3.4 and any CIDR ranges that include it (e.g., 1.2.3.0/24, 1.2.0.0/16). If so below I would like offer to u an Azure Policy definition that will deny NSG rules allowing inbound traffic from the specified IP and its associated CIDR ranges

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
          "equals": "Allow"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
          "equals": "Inbound"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
              "equals": "1.2.3.4"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
              "in": ["1.2.3.4/32", "1.2.3.0/24", "1.2.0.0/16"]
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
              "contains": "1.2.3.4"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
              "in": ["1.2.3.4/32", "1.2.3.0/24", "1.2.0.0/16"]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Deploy the Policy and assign this definition at the desired scope (Management Group, Subscription, or Resource Group).

Test it and validate the policy in audit mode before enforcing it.

If additional IP ranges need blocking, expand the in array.

Best regards,

Alex

P.S. If my answer help to you, please Accept my answer

chen dgani 60 Reputation points

2025-04-01T15:06:35.6333333+00:00

Hi @Alex Burlachenko , thank you for your answer.The IP address ranges "1.2.3.0/24 or 1.2.0.0/16" are just examples. I want ANY IP range that includes the address 1.2.3.4 to be denied.

Thank you!
chen dgani 60 Reputation points

2025-04-01T20:28:23.8333333+00:00

@Alex Burlachenko ,

Your policy does not validate all possible ranges—for example, 1.0.0.0/16 or 0.0.0.0/0. NSG rules that allow source traffic from these ranges will pass, and 1.2.3.4 will be included in these ranges.

I'm struggling because I don't know how to define every possible range that includes the address 1.2.3.4.

Share via

Azure policy - IP Addresses range

0 additional answers

Your answer