Create a policy to disable NICs that don't have a certain tag to be able to attach certain IPs

Question

Create a policy to disable NICs that don't have a certain tag to be able to attach certain IPs

Mirko Krajcer 0

I want to disable NICs that don't have a tag

my:tag:name

being equal to

123456

to assign PRIVATE IPs from a predefined list

[1.2.3.4, 5.6.7.8, 9.10.11.12, ...]

using a policy or any other Microsoft service. Can you help me?

I've tried doing this and it is not working:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkInterfaces"
        },
        {
          "field": "tags['my:tag:name']",
          "equals": "123456"
        },
        {
          "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].privateIPAddress",
          "in": [
            "1.2.3.4",
            "5.6.7.8",
            "9.10.11.12"
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

anashetty 3,155 Reputation points Microsoft External Staff

2025-04-29T20:50:31.84+00:00

Hi Mirko Krajcer,

You are trying to create an Azure Policy that disables network interfaces (NICs) that do not have a specific tag and assigns them private IPs from a predefined list.

You need to adjust your policy definition, the current policy you provided seems to be set up to deny NICs that have the specified tag and IPs, which is not what you want.

Instead, you want to deny NICs that do not have the tag my:tag:name equal to 123456. The condition for the tag to be changed from equals to notEquals. This means the policy will now check for NICs that do not have the specified tag value. The effect remains as deny, which means that if the conditions are met NICs without the tag and with the specified private IPs, the creation or update of those NICs will be denied.

If you have any further queries, let me know. If the information is helpful, please click on Upvote.
Mirko Krajcer 0 Reputation points

2025-04-29T23:05:32.6933333+00:00

This makes sense, but now I can't delete it from the NIC. I need to be able to remove it from the NIC and unable to assign it to any NIC that doesn't have this tag. Can that be done?
anashetty 3,155 Reputation points Microsoft External Staff

2025-04-29T23:52:16.7933333+00:00

Hi Mirko Krajcer,

To remove a tag from a NIC in Azure, you can use the Azure portal, Azure CLI, or Azure PowerShell. To prevent assigning NICs without a specific tag, you can create an Azure Policy that denies the creation of NICs lacking that tag. While creating a Use "Indexed" mode for resource types. Target Microsoft.Network/networkInterfaces and for tag condition, check if the tag my:tag:name does not equal 123456. Set the effect to deny to prevent the creation or update of NICs that do not meet the tagging requirement.

If you have any further queries, let me know. If the information is helpful, please click on Upvote.
Mirko Krajcer 0 Reputation points

2025-04-29T23:58:50.37+00:00

No, you misunderstood. I want to create a policy that can:

ALLOW: adding IPs ["1.2.3.4", "5.6.7.8", "9.10.11.12"] only to NICs that have tag 'my:tag:name' equal to 123456.

ALLOW: removing Ips ["1.2.3.4", "5.6.7.8", "9.10.11.12"] from any NICs

DENY: adding IPs ["1.2.3.4", "5.6.7.8", "9.10.11.12"] to NICs that don't have tag 'my:tag:name' equal to 123456.

If I try to add an IP 1.2.3.4 to NIC that does not have my:tag:name equal to 123456, it should deny the action. On the other hand, if it has it, it should allow it.
anashetty 3,155 Reputation points Microsoft External Staff

2025-04-30T19:42:21.21+00:00

Hi Mirko Krajcer,

Azure Policy condition checks are:
It checks if the resource type is a NIC.
It checks if the private IP being assigned is part of your specified list.
It checks if the tag my:tag:name does not equal 123456.

Effect: If all conditions are met, it will deny the action of adding that IP to a NIC.

Removing IPs: For the allowance to remove IPs, Azure policies do not generally control delete actions; they are primarily for enforcing rules around the creation and update of resources. Therefore, you usually would not need a policy for this functionality. Users would be able to manually remove such IPs without restriction.

Azure Policy does not evaluate how the resource changed like "added" vs "removed" an IP, only what the new configuration looks like after the update. So, if a NIC ends up with a restricted IP and without the required tag, it will be denied. If the NIC ends up without the restricted IP, it doesn’t matter what tag is present — it’s compliant.

Your answer

anashetty 3,155 Reputation points Microsoft External Staff

2025-04-29T20:50:31.84+00:00

Hi Mirko Krajcer,

You are trying to create an Azure Policy that disables network interfaces (NICs) that do not have a specific tag and assigns them private IPs from a predefined list.

You need to adjust your policy definition, the current policy you provided seems to be set up to deny NICs that have the specified tag and IPs, which is not what you want.

Instead, you want to deny NICs that do not have the tag my:tag:name equal to 123456. The condition for the tag to be changed from equals to notEquals. This means the policy will now check for NICs that do not have the specified tag value. The effect remains as deny, which means that if the conditions are met NICs without the tag and with the specified private IPs, the creation or update of those NICs will be denied.

If you have any further queries, let me know. If the information is helpful, please click on Upvote.
Mirko Krajcer 0 Reputation points

2025-04-29T23:05:32.6933333+00:00

This makes sense, but now I can't delete it from the NIC. I need to be able to remove it from the NIC and unable to assign it to any NIC that doesn't have this tag. Can that be done?
anashetty 3,155 Reputation points Microsoft External Staff

2025-04-29T23:52:16.7933333+00:00

Hi Mirko Krajcer,

To remove a tag from a NIC in Azure, you can use the Azure portal, Azure CLI, or Azure PowerShell. To prevent assigning NICs without a specific tag, you can create an Azure Policy that denies the creation of NICs lacking that tag. While creating a Use "Indexed" mode for resource types. Target Microsoft.Network/networkInterfaces and for tag condition, check if the tag my:tag:name does not equal 123456. Set the effect to deny to prevent the creation or update of NICs that do not meet the tagging requirement.

If you have any further queries, let me know. If the information is helpful, please click on Upvote.
Mirko Krajcer 0 Reputation points

2025-04-29T23:58:50.37+00:00

No, you misunderstood. I want to create a policy that can:

ALLOW: adding IPs ["1.2.3.4", "5.6.7.8", "9.10.11.12"] only to NICs that have tag 'my:tag:name' equal to 123456.

ALLOW: removing Ips ["1.2.3.4", "5.6.7.8", "9.10.11.12"] from any NICs

DENY: adding IPs ["1.2.3.4", "5.6.7.8", "9.10.11.12"] to NICs that don't have tag 'my:tag:name' equal to 123456.

If I try to add an IP 1.2.3.4 to NIC that does not have my:tag:name equal to 123456, it should deny the action. On the other hand, if it has it, it should allow it.
anashetty 3,155 Reputation points Microsoft External Staff

2025-04-30T19:42:21.21+00:00

Hi Mirko Krajcer,

Azure Policy condition checks are:
It checks if the resource type is a NIC.
It checks if the private IP being assigned is part of your specified list.
It checks if the tag my:tag:name does not equal 123456.

Effect: If all conditions are met, it will deny the action of adding that IP to a NIC.

Removing IPs: For the allowance to remove IPs, Azure policies do not generally control delete actions; they are primarily for enforcing rules around the creation and update of resources. Therefore, you usually would not need a policy for this functionality. Users would be able to manually remove such IPs without restriction.

Azure Policy does not evaluate how the resource changed like "added" vs "removed" an IP, only what the new configuration looks like after the update. So, if a NIC ends up with a restricted IP and without the required tag, it will be denied. If the NIC ends up without the restricted IP, it doesn’t matter what tag is present — it’s compliant.

Share via

Create a policy to disable NICs that don't have a certain tag to be able to attach certain IPs

Your answer