Public network access should be disabled for PaaS services

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Policy DisplayName

Policy Id

Category

Effect

Roles#

Roles

State

Type

[Deprecated]: Cognitive Services accounts should disable public network access

0725b4dd-7e76-479c-a735-68e7ee23d5ca

Cognitive Services

Default
Disabled
Allowed
Audit, Deny, Disabled

Deprecated

BuiltIn

[Preview]: Azure Key Vault Managed HSM should disable public network access

19ea9d63-adee-4431-a95e-1913c6c1c75f

Key Vault

Default
Audit
Allowed
Audit, Deny, Disabled

Preview

BuiltIn

[Preview]: Azure Recovery Services vaults should disable public network access

9ebbbba3-4d65-4da9-bb67-b22cfaaff090

Backup

Default
Audit
Allowed
Audit, Deny, Disabled

Preview

BuiltIn

[Preview]: Storage account public access should be disallowed

4fa4b6c0-31ca-4c0d-b10d-24b96f62a751

Storage

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

Preview

BuiltIn

API Management should disable public network access to the service configuration endpoints

df73bd95-24da-4a4f-96b9-4e8b94b402bd

API Management

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

BuiltIn

App Configuration should disable public network access

3d9f5e4c-9947-4579-9539-2a7695fbc187

App Configuration

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

App Service app slots should disable public network access

701a595d-38fb-4a66-ae6d-fb3735217622

App Service

Default
Audit
Allowed
Audit, Disabled, Deny

BuiltIn

App Service apps should disable public network access

1b5ef780-c53c-4a64-87f3-bb9c8c8094ba

App Service

Default
Audit
Allowed
Audit, Disabled, Deny

BuiltIn

App Service Environment apps should not be reachable over public internet

2d048aca-6479-4923-88f5-e2ac295d9af3

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Automation accounts should disable public network access

955a914f-bf86-4f0e-acd5-e0766b0efcb6

Automation

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure AI Services resources should restrict network access

037eea7a-bd0a-46c5-9a66-03aea78705d3

Azure Ai Services

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Cache for Redis should disable public network access

470baccb-7e51-4549-8b1a-3e5be069f663

Cache

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Cognitive Search services should disable public network access

ee980b6d-0eca-4501-8d54-f6290fd512c3

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Cosmos DB should disable public network access

797b37f7-06b8-444c-b1ad-fc62867f335a

Cosmos DB

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Event Grid domains should disable public network access

f8f774be-6aee-492a-9e29-486ef81f3a68

Event Grid

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Event Grid topics should disable public network access

1adadefe-5f21-44f7-b931-a59b54ccdb45

Event Grid

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Key Vault should disable public network access

405c5871-3e91-4644-8a63-58e19d68ff5b

Key Vault

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Kubernetes Service Private Clusters should be enabled

040732e8-d947-40b8-95d6-854c95024bf8

Kubernetes

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Machine Learning Workspaces should disable public network access

438c38d2-3772-465a-a9cc-7a6666a275ce

Machine Learning

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Managed Grafana workspaces should disable public network access

e8775d5a-73b7-4977-a39b-833ef0114628

Managed Grafana

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure SQL Managed Instances should disable public network access

9dfea752-dd46-4766-aed1-c355fa93fb91

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Synapse workspaces should disable public network access

38d8df46-cf4e-4073-8e03-48c24b29de0d

Synapse

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Virtual Desktop hostpools should disable public network access

c25dcf31-878f-4eba-98eb-0818fdc6a334

Desktop Virtualization

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Virtual Desktop workspaces should disable public network access

87ac3038-c07a-4b92-860d-29e270a4f3cd

Desktop Virtualization

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Bot Service should have public network access disabled

5e8168db-69e3-4beb-9822-57cb59202a9d

Bot Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Container Apps environment should disable public network access

d074ddf8-01a5-4b5e-a2b8-964aed452c0a

Container Apps

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Container Apps should disable external network access

783ea2a8-b8fd-46be-896a-9ae79643a0b1

Container Apps

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Event Hub Namespaces should disable public network access

0602787f-9896-402a-a6e1-39ee63ee435e

Event Hub

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Function app slots should disable public network access

11c82d0c-db9f-4d7b-97c5-f3f9aa957da2

App Service

Default
Audit
Allowed
Audit, Disabled, Deny

BuiltIn

Function apps should disable public network access

969ac98b-88a8-449f-883c-2e9adb123127

App Service

Default
Audit
Allowed
Audit, Disabled, Deny

BuiltIn

Logic apps should disable public network access

Deny-LogicApp-Public-Network

Logic Apps

Default
Deny
Allowed
Audit, Deny, Disabled

ALZ

Managed disks should disable public network access

8405fdab-1faf-48aa-b702-999c9c172094

Compute

Default
Audit
Allowed
Audit, Disabled

BuiltIn

Public network access on Azure Data Explorer should be disabled

43bc7be6-5e69-4b0d-a2bb-e815557ca673

Azure Data Explorer

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access on Azure Data Factory should be disabled

1cf164be-6819-4a50-b8fa-4bcaa4f98fb6

Data Factory

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access on Azure SQL Database should be disabled

1b8ca024-1d5c-4dec-8995-b1a932b41780

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for Azure File Sync

21a8cd35-125e-4d13-b82d-2e19b7208bb7

Storage

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for Batch accounts

74c5a0ae-5e48-4738-b093-65e23a060488

Batch

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for Container registries

0fdf0491-d080-4575-b627-ad0e843cba0f

Container Registry

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for MariaDB servers

fdccbe47-f3e3-4213-ad5d-ea459b2fa077

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for MySQL flexible servers

c9299215-ae47-4f50-9c54-8a392f68a052

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for MySQL servers

d9844e8a-1437-4aeb-a32c-0c992f056095

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for PostgreSQL flexible servers

5e1de0e3-42cb-4ebc-a86d-61d0c619ca48

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Public network access should be disabled for PostgreSQL servers

b52376f7-9612-48a1-81cd-1ffe4b61032c

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Service Bus Namespaces should disable public network access

cbd11fd3-3002-4907-b6c8-579f0e700e13

Service Bus

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Storage accounts should disable public network access

b2982f36-99f2-4db5-8eff-283140c09693

Storage

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn