last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

Container registries should use private links

Name Container registries should use private links
Azure Portal
Id e8eef0a8-67cf-4eb4-9386-14b0e78733d4
Version 1.0.0
details on versioning
Category Container Registry
Microsoft docs
Description Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-05-29 15:39:09 change Previous DisplayName: [Preview]: Container Registries should use private links
2020-04-28 14:50:57 add e8eef0a8-67cf-4eb4-9386-14b0e78733d4
Used in Initiatives none
Json
{
  "properties": {
    "displayName": "Container registries should use private links",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "count": {
            "field": "Microsoft.ContainerRegistry/registries/privateEndpointConnections[*]",
              "where": {
              "field": "Microsoft.ContainerRegistry/registries/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e8eef0a8-67cf-4eb4-9386-14b0e78733d4"
}