Azure policy rule with condition of contains from a params array

DanaR 0 Reputation points
2025-04-08T13:37:31.4766667+00:00

Is it possible to create a policy rule that uses the contains function but receives an array?

for example:

block ip 1.1.1.1/32 from the security rule if the array of the params is ["1.1.1.1", "2.2.22"]

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

2 answers

  1. Naveena Patlolla 2,055 Reputation points Microsoft External Staff
    2025-04-10T09:26:59.4933333+00:00

    Hi DanaR
    I have reached out to you in a private message.
    Just to clarify: since the specific IP address will fall within the provided CIDR range (e.g., /16, /32, /64), you should define the address range in the policy instead of the individual IP address to ensure the policy functions correctly.

    Example: 1.2.3.4 will fall under 1.2.3.0/16

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
              "in": [
                "1.2.3.0/32",
                "5.6.7.0/32",
                "10.0.0.0/32"
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }
    

    Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

    Thank you


  2. Alex Burlachenko 4,710 Reputation points
    2025-04-10T12:15:23.0933333+00:00

    Dear DanaR,

    Thank you for your question on the Q&A portal! I appreciate you taking the time to reach out and share your scenario.

    Regarding your question about creating an Azure Policy rule that uses the contains function with an array parameter—yes, it is possible. You can define a parameter of type array in your policy and then use the contains function to check if a specific value (like an IP address) exists within that array. Here’s a simplified example of how you might structure it in your policy rule:

    {
      "mode": "All",
      "parameters": {
        "blockedIPs": {
          "type": "Array",
          "metadata": {
            "displayName": "Blocked source prefixes",
            "description": "sourceAddressPrefix values that inbound NSG rules may not use"
          },
          "defaultValue": []
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
              "in": "[parameters('blockedIPs')]"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      }
    }
    

    In this example, blockedIPs would be your array parameter containing IPs like ["1.1.1.1", "2.2.22"].

    For more details, you might find these Microsoft articles helpful:

    Azure Policy definition structure

    Let me know if you need further clarification.

    Best regards,

    Alex

    P.S. If my answer helped you, please Accept my answer.

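Both answers rely on the same mechanism: an `in` condition on the `sourceAddressPrefix` alias, fed either a literal array (first answer) or an `Array` parameter (second answer). The following is an added example, not code from the thread or from Microsoft: a small local evaluator that applies a complete version of that definition to constructed NSG security-rule resources. The parameter name `blockedIPs` is taken from the second answer, the `direction` condition from the first, and the resources are hand-built dictionaries keyed by alias (Azure's engine resolves aliases against the real resource; this script approximates only the condition operators it lists). The point it makes runnable is the caveat behind the first answer: `in` is an exact, case-insensitive string comparison, so `"1.1.1.1"` in the parameter does not match a rule whose prefix is written `"1.1.1.1/32"`.

```python
"""Local evaluator for an Azure Policy rule that feeds an `in` condition from an Array parameter.
Added example; the policy engine's real behaviour is approximated for the operators below only."""

ALIAS_TYPE = "type"
ALIAS_SRC = "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix"
ALIAS_DIR = "Microsoft.Network/networkSecurityGroups/securityRules/direction"
NSG_RULE_TYPE = "Microsoft.Network/networkSecurityGroups/securityRules"

# Complete definition in the shape the answers sketch; the parameter metadata is assumed.
POLICY = {
    "mode": "All",
    "parameters": {
        "blockedIPs": {
            "type": "Array",
            "metadata": {
                "displayName": "Blocked source prefixes",
                "description": "sourceAddressPrefix values (exact strings) to deny",
            },
            "defaultValue": ["1.1.1.1", "2.2.2.2"],
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": ALIAS_TYPE, "equals": NSG_RULE_TYPE},
                {"field": ALIAS_DIR, "equals": "Inbound"},
                {"field": ALIAS_SRC, "in": "[parameters('blockedIPs')]"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Constructed sample resources, keyed by alias the way the engine would resolve them.
SAMPLE_RULES = {
    "exact-host": {ALIAS_TYPE: NSG_RULE_TYPE, ALIAS_DIR: "Inbound", ALIAS_SRC: "1.1.1.1"},
    "cidr-host": {ALIAS_TYPE: NSG_RULE_TYPE, ALIAS_DIR: "Inbound", ALIAS_SRC: "1.1.1.1/32"},
    "outbound": {ALIAS_TYPE: NSG_RULE_TYPE, ALIAS_DIR: "Outbound", ALIAS_SRC: "1.1.1.1"},
    "other-type": {ALIAS_TYPE: "Microsoft.Network/networkSecurityGroups", ALIAS_SRC: "1.1.1.1"},
}


def resolve(value, params):
    """Resolve the one template form used here, "[parameters('name')]"; anything else is literal."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _norm(value):
    # Azure Policy string comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value


def condition_holds(cond, resource, params):
    """Evaluate allOf / anyOf / not and the field operators equals, notEquals, in, notIn, contains."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"]))  # missing field -> None, matches nothing
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:  # exact membership: "1.1.1.1" does not match "1.1.1.1/32"
        return actual in [_norm(x) for x in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(x) for x in resolve(cond["notIn"], params)]
    if "contains" in cond:  # substring on a string field, membership on an array field
        wanted = _norm(resolve(cond["contains"], params))
        if isinstance(actual, list):
            return wanted in [_norm(x) for x in actual]
        return actual is not None and wanted in actual
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource, assignment_params=None):
    """Return the effect the rule applies to `resource`, or None when the `if` block does not match."""
    params = {name: spec.get("defaultValue") for name, spec in policy.get("parameters", {}).items()}
    params.update(assignment_params or {})  # assignment values override definition defaults
    if condition_holds(policy["policyRule"]["if"], resource, params):
        return policy["policyRule"]["then"]["effect"]
    return None


if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        print(f"{name:12} -> {evaluate(POLICY, rule)}")
```

Running it shows `exact-host` denied and `cidr-host` untouched under the default parameter. To close that gap, either list both spellings in the assignment (`["1.1.1.1", "1.1.1.1/32"]`) or, as the first answer suggests, standardise the rules and the parameter on CIDR notation; `in` does no prefix or range arithmetic.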
