diff --git a/Azure DDoS Protection/Policy - Azure Policy Definitions/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled.json b/Azure DDoS Protection/Policy - Azure Policy Definitions/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled.json new file mode 100644 index 0000000..253cd2e --- /dev/null +++ b/Azure DDoS Protection/Policy - Azure Policy Definitions/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled.json @@ -0,0 +1,59 @@ +{ + "properties": { + "displayName": "Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled", + "policyType": "Custom", + "mode": "All", + "description": "Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled.\n\nNote: The Policy checks if DDoS Protection (Virtual Network Inherited or IP Protection is enabled on all Public IP addresses. For Azure Firewall Public IP addresses that do not have DDoS Protection, a non compliance state is returned. ", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "version": "1.0.0", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/publicIPAddresses" + }, + { + "field": "Microsoft.Network/publicIPAddresses/ipConfiguration.id", + "contains": "/providers/Microsoft.Network/applicationGateways/" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/ddosSettings.protectionMode", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.Network/publicIPAddresses/ddosSettings.protectionMode", + "notEquals": "VirtualNetworkInherited" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + }, + "versions": [ + "1.0.0" + ] + } +} \ No newline at end of file diff --git a/Azure DDoS Protection/Policy - Azure Policy Definitions/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled/README.md b/Azure DDoS Protection/Policy - Azure Policy Definitions/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled/README.md new file mode 100644 index 0000000..98a9993 --- /dev/null +++ b/Azure DDoS Protection/Policy - Azure Policy Definitions/Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled/README.md @@ -0,0 +1,3 @@ +## Public IPs Associated with Azure Application Gateway Should Have DDoS Protection Enabled + +This policy makes sure that Azure Application Gateway Public IPs are protected with Azure DDoS Protection.