AzPolicyAdvertizer

last sync: 2025-Oct-24 17:23:08 UTC

Deny or Audit service endpoints on subnets

Azure Landing Zones (ALZ) Policy definition

Source

Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-Service-Endpoints

Deploy policy Deny-Service-Endpoints (1.0.0) to Azure

Display name

Deny or Audit service endpoints on subnets

Deny-Service-Endpoints

Version

1.0.0
Details on versioning

Category

Network

Description

This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.

Cloud environments

AzureChinaCloud
AzureCloud
AzureUSGovernment

Mode

All

Type

Custom Azure Landing Zones (ALZ)

Preview

False

Deprecated

False

Effect

Default
Deny
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (2)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]	Microsoft.Network	virtualNetworks/subnets	properties.serviceEndpoints[*]	True		True
Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service	Microsoft.Network	virtualNetworks/subnets	properties.serviceEndpoints[*].service	True		True

Rule resource types

IF (1)
Microsoft.Network/virtualNetworks/subnets

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State
[Deprecated] Enforce recommended guardrails for Network and Networking services	Enforce-Guardrails-Network	Network	Deprecated
Enforce recommended guardrails for Network and Networking services	Enforce-Guardrails-Network_20250326	Network	GA

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2024-06-03 17:39:43	add	Deny-Service-Endpoints

JSON compare

n/a

JSON

EPAC