last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

Cognitive Services accounts should restrict network access

Name Cognitive Services accounts should restrict network access
Azure Portal
Id 037eea7a-bd0a-46c5-9a66-03aea78705d3
Version 1.0.0
details on versioning
Category Cognitive Services
Microsoft docs
Description Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Deny, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-05-29 15:39:09 add 037eea7a-bd0a-46c5-9a66-03aea78705d3
Used in Initiatives none
Json
{
  "properties": {
    "displayName": "Cognitive Services accounts should restrict network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "037eea7a-bd0a-46c5-9a66-03aea78705d3"
}