last sync: 2025-Apr-30 18:25:10 UTC
This is the development/test site - data is not accurate.

Public network access should be disabled for PaaS services

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source: Repository Azure Landing Zones (ALZ) GitHub
JSON: Deny-PublicPaaSEndpoints
Display name: Public network access should be disabled for PaaS services
Id: Deny-PublicPaaSEndpoints
Version: 5.2.0
Category: Network
Description: This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints
Cloud environments: AzureCloud
Type: Custom Azure Landing Zones (ALZ)
Deprecated: False
Preview: False
Policy-used summary
Policy types:
Total Policies: 45
Builtin Policies: 44
Static Policies: 0
ALZ Policies: 1
Policy states:
Deprecated: 1
GA: 42
Preview: 2
Policy categories (29 categories):
API Management: 1
App Configuration: 1
App Service: 5
Automation: 1
Azure Ai Services: 1
Azure Data Explorer: 1
Backup: 1
Batch: 1
Bot Service: 1
Cache: 1
Cognitive Services: 1
Compute: 1
Container Apps: 2
Container Registry: 1
Cosmos DB: 1
Data Factory: 1
Desktop Virtualization: 2
Event Grid: 2
Event Hub: 1
Key Vault: 2
Kubernetes: 1
Logic Apps: 1
Machine Learning: 1
Managed Grafana: 1
Search: 1
Service Bus: 1
SQL: 7
Storage: 3
Synapse: 1
Policy-used
| Policy DisplayName | Policy Id | Category | Effect | Roles# | Roles | State | Type | Policy in AzUSGov |
|---|---|---|---|---|---|---|---|---|
| [Deprecated]: Cognitive Services accounts should disable public network access | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services | Default: Disabled; Allowed: Audit, Deny, Disabled | 0 | | Deprecated | BuiltIn | unknown |
| [Preview]: Azure Key Vault Managed HSM should disable public network access | 19ea9d63-adee-4431-a95e-1913c6c1c75f | Key Vault | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | Preview | BuiltIn | unknown |
| [Preview]: Azure Recovery Services vaults should disable public network access | 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 | Backup | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | Preview | BuiltIn | unknown |
| API Management should disable public network access to the service configuration endpoints | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | BuiltIn | unknown |
| App Configuration should disable public network access | 3d9f5e4c-9947-4579-9539-2a7695fbc187 | App Configuration | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| App Service app slots should disable public network access | 701a595d-38fb-4a66-ae6d-fb3735217622 | App Service | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA | BuiltIn | true |
| App Service apps should disable public network access | 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba | App Service | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA | BuiltIn | true |
| App Service Environment apps should not be reachable over public internet | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Automation accounts should disable public network access | 955a914f-bf86-4f0e-acd5-e0766b0efcb6 | Automation | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Azure AI Search services should disable public network access | ee980b6d-0eca-4501-8d54-f6290fd512c3 | Search | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Azure AI Services resources should restrict network access | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Azure Ai Services | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Azure Cache for Redis should disable public network access | 470baccb-7e51-4549-8b1a-3e5be069f663 | Cache | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Azure Cosmos DB should disable public network access | 797b37f7-06b8-444c-b1ad-fc62867f335a | Cosmos DB | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Azure Event Grid domains should disable public network access | f8f774be-6aee-492a-9e29-486ef81f3a68 | Event Grid | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Azure Event Grid topics should disable public network access | 1adadefe-5f21-44f7-b931-a59b54ccdb45 | Event Grid | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Azure Key Vault should disable public network access | 405c5871-3e91-4644-8a63-58e19d68ff5b | Key Vault | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Azure Kubernetes Service Private Clusters should be enabled | 040732e8-d947-40b8-95d6-854c95024bf8 | Kubernetes | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Azure Machine Learning Workspaces should disable public network access | 438c38d2-3772-465a-a9cc-7a6666a275ce | Machine Learning | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Azure Managed Grafana workspaces should disable public network access | e8775d5a-73b7-4977-a39b-833ef0114628 | Managed Grafana | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Azure SQL Managed Instances should disable public network access | 9dfea752-dd46-4766-aed1-c355fa93fb91 | SQL | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Azure Synapse workspaces should disable public network access | 38d8df46-cf4e-4073-8e03-48c24b29de0d | Synapse | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Azure Virtual Desktop hostpools should disable public network access | c25dcf31-878f-4eba-98eb-0818fdc6a334 | Desktop Virtualization | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Azure Virtual Desktop workspaces should disable public network access | 87ac3038-c07a-4b92-860d-29e270a4f3cd | Desktop Virtualization | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Bot Service should have public network access disabled | 5e8168db-69e3-4beb-9822-57cb59202a9d | Bot Service | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Container Apps environment should disable public network access | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Container Apps should disable external network access | 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | Container Apps | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Event Hub Namespaces should disable public network access | 0602787f-9896-402a-a6e1-39ee63ee435e | Event Hub | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Function app slots should disable public network access | 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 | App Service | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA | BuiltIn | true |
| Function apps should disable public network access | 969ac98b-88a8-449f-883c-2e9adb123127 | App Service | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA | BuiltIn | true |
| Logic apps should disable public network access | Deny-LogicApp-Public-Network | Logic Apps | Default: Deny; Allowed: Audit, Deny, Disabled | 0 | | GA | ALZ | |
| Managed disks should disable public network access | 8405fdab-1faf-48aa-b702-999c9c172094 | Compute | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access on Azure Data Explorer should be disabled | 43bc7be6-5e69-4b0d-a2bb-e815557ca673 | Azure Data Explorer | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access on Azure Data Factory should be disabled | 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | Data Factory | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access on Azure SQL Database should be disabled | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | SQL | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Public network access should be disabled for Azure File Sync | 21a8cd35-125e-4d13-b82d-2e19b7208bb7 | Storage | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Public network access should be disabled for Batch accounts | 74c5a0ae-5e48-4738-b093-65e23a060488 | Batch | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access should be disabled for Container registries | 0fdf0491-d080-4575-b627-ad0e843cba0f | Container Registry | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Public network access should be disabled for MariaDB servers | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | SQL | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access should be disabled for MySQL flexible servers | c9299215-ae47-4f50-9c54-8a392f68a052 | SQL | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access should be disabled for MySQL servers | d9844e8a-1437-4aeb-a32c-0c992f056095 | SQL | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access should be disabled for PostgreSQL flexible servers | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | SQL | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
| Public network access should be disabled for PostgreSQL servers | b52376f7-9612-48a1-81cd-1ffe4b61032c | SQL | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Service Bus Namespaces should disable public network access | cbd11fd3-3002-4907-b6c8-579f0e700e13 | Service Bus | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | true |
| Storage account public access should be disallowed | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | Storage | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | 0 | | GA | BuiltIn | unknown |
| Storage accounts should disable public network access | b2982f36-99f2-4db5-8eff-283140c09693 | Storage | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | BuiltIn | unknown |
Roles used
No Roles used
History: none