title | description | author | ms.author | ms.service | ms.topic | ms.date | ms.custom |
---|---|---|---|---|---|---|---|
Define dynamic network group membership in Azure Virtual Network Manager with Azure Policy |
This article explains how to use Azure Policy to create network groups with dynamic membership in Azure Virtual Network Manager. |
mbender-ms |
mbender |
azure-virtual-network-manager |
how-to |
07/18/2023 |
template-concept, engagement-fy23 |
In this article, you learn how to use Azure Policy conditional statements to create network groups with dynamic membership. You create these conditional statements using the basic editor by selecting parameters and operators from a drop-down menu. Also, you learn how to use the advanced editor to update conditional statements of an existing network group.
Azure Policy is a service to enable you to enforce per-resource governance at scale. It can be used to specify conditional expressions that define group membership, as opposed to explicit lists of virtual networks. This condition continues to power your network groups dynamically, allowing virtual networks to join and leave the group automatically as their fulfillment of the condition changes, with no Network Manager operation required.
- An Azure account with an active subscription. Create an account for free.
- To modify dynamic network groups, you must be granted access with role-based access control. Classic Admin/legacy authorization isn't supported.
Virtual networks with dynamic memberships are selected using conditional statements. You can define more than one conditional statement by using logical operators such as AND and OR for scenarios where you need to further narrow the selected virtual networks.
List of supported parameters:
Parameters | Advanced editor field |
---|---|
Name | Name |
ID | Id |
Tags | tag['tagName'] |
Subscription Name | [subscription().Name] |
Subscription ID | [subscription().Id] |
Subscription Tags | [subscription().tags['tagName']] |
Resource Group Name | [resourceGroup().Name] |
Resource Group ID | [resourceGroup().Id] |
Resource Group Tags | [resourceGroup().tags['tagName']] |
List of supported operators:
Operators | Advanced editor |
---|---|
Contains | "contains": <> |
Doesn't contain | "notcontains": <> |
In | "in": <> |
Not In | "notin": <> |
Equals | "equals": <> |
Doesn't equal | "notequals": <> |
Contains any of | "contains": <> |
Contains all of | "contains": <> |
Doesn't contain any of | "notcontains": <> |
Exists | "exists": true |
Doesn't exist | "exists": false |
Note
The Exists and Does not exist operators are only used with the Tags parameter.
Assume you have the following virtual networks in your subscription. Each virtual network has an associated tag named environment with the respective value of production or test.
Virtual Network | Tag Name | Tag Value |
---|---|---|
myVNet01-EastUS | environment | production |
myVNet01-WestUS | environment | production |
myVNet02-WestUS | environment | test |
myVNet03-WestUS | environment | test |
You only want to select virtual networks that whose tag has a key value pair of environment equal to production. To begin using the basic editor to create your conditional statement, you need to create a new network group.
-
Go to your Azure Virtual Network Manager instance and select Network Groups under Settings. Then select + Create to create a new network group.
-
Enter a Name and an optional Description for the network group, and select Add.
-
Select the network group from the list and select Create Azure Policy.
-
Enter a Policy name and leave the Scope selections unless changes are needed.
-
Under Criteria, select Tags from the drop-down under Parameter and then select Key value pair from the drop-down under Operator.
-
Enter environment and production under Condition and select Preview Resources. You should see myVNet01-EastUS and myVNet01-WestUS show up in the list.
:::image type="content" source="media/how-to-define-network-group-membership-azure-policy/add-key-value-pair-tag.png" alt-text="Screenshot of Create Azure Policy window setting tag with key value pair.":::
-
Select Close and Save.
-
After a few minutes, select your network group and select Group Members under Settings. You should only see myVNet01-WestUS and myVNet01-WestUS.
Important
The basic editor is only available during the creation of an Azure Policy. Once a policy is created, all edits will be done using JSON in the Policies section of virtual network manager or via Azure Policy.
The advanced editor can be used to select virtual networks during the creation of a network group or when updating an existing network group. Based in JSON, the advanced editor is useful for creating and updating complex Azure Policy conditional statements by experienced users.
-
Go to your Azure Virtual Network Manager instance and select Network Groups under Settings. Then select + Create to create a new network group.
-
Enter a Name and an optional Description for the network group, and select Add.
-
Select the network group from the list and select Create Azure Policy.
-
Enter a Policy name and leave the Scope selections unless changes are needed.
-
Under Criteria, select Advanced (JSON) editor to open the editor.
-
Enter the following JSON code into the text box and select Save:
{ "field": "Name", "contains": "myVNet01" }
-
After a few minutes, select your network group and select Group Members under Settings. You should only see myVNet01-WestUS and myVNet01-EastUS.
Important
Any Azure Policies you create through with virtual network manager will live in the Azure Policy services area. They will not be remove from your Azure Policy assignments and definitions when a virtual network manager instance is delete. This requires removal of the policies manually. Learn to remove Azure Policies
-
Select the network group created in the previous section. Then select the Policies tab.
-
Select the policy created in the previous section.
-
You see the conditional statements for the network group in the advance editor view as follows:
[ { "field": "Name", "contains": "myVNet01" } ]
-
To add another conditional statement for a Name field not containing WestUS, enter the following into the advanced editor:
{ "allOf": [ { "field": "Name", "contains": "VNet01" }, { "field": "Name", "notcontains": "WestUS" } ] }
The
"allOf"
parameter contains both the conditional statements that are separated by the AND logical operator. -
Select Save.
-
After a few minutes, select your network group and select Group Members under Settings. You should only see myVNet01-EastUS.
See Parameter and operators for the complete list of parameters and operators you can use with the advanced editor.
Here are more examples of conditional statements in the advanced editor.
This example uses the OR logical operator to separate two conditional statements.
-
Basic editor:
:::image type="content" source="./media/how-to-exclude-elements/or-operator.png" alt-text="Screenshot of network group conditional statement using the OR logical operator.":::
-
Advanced operator:
{ "anyOf": [ { "field": "Name", "contains": "myVNet01" }, { "field": "Name", "contains": "myVNet02" } ] }
The "anyOf"
parameter contains both the conditional statements that are separated by the OR logical operator.
-
Basic editor:
:::image type="content" source="./media/how-to-exclude-elements/both-operator.png" alt-text="Screenshot of network group conditional statement using both OR and AND logical operator.":::
-
Advanced editor:
{
"allOf": [
{
"anyOf": [
{
"field": "Name",
"contains": "myVNet01"
},
{
"field": "Name",
"contains": "myVNet02"
}
]
},
{
"field": "Name",
"notcontains": "West"
}
]
}
Both "allOf"
and "anyOf"
are used in the code. Since the AND operator is last in the list, it is on the outer part of the code containing the two conditional statements with the OR operator.
In this example, a conditional statement is created that finds virtual networks where the name includes myVNet AND the environment tag equals production.
-
Advanced editor:
{ "allOf": [ { "field": "Name", "contains": "myVNet" }, { "field": "tags['environment']", "equals": "production" } ] }
[!NOTE] Conditionals should filter on resource type Microsoft.Network/virtualNetwork to improve efficiency. This condition is prepended for you on any conditionals specified through the portal.
- Learn about Network groups.
- Create an Azure Virtual Network Manager instance.
- Create and manage policies to enforce compliance