Deny users from creating a vms with public ip addresses


I am trying to deny users from creating a VMS with public IP addresses.

I am getting the following error (value not accepted) on this field: "field": "Microsoft.Network/publicIPAddresses.ipConfiguration.id",


{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/publicIPAddresses"
        },
        {
          "not": {
            "field": "Microsoft.Network/publicIPAddresses.ipConfiguration.id",
            "exists": "true"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Answer by Venkat V (accepted answer):


The policy you are using will deny any resource with a public IP, and the field in the policy is also not correct.

"field": "Microsoft.Network/publicIPAddresses.ipConfiguration.id",

Here is the correct field:

"field":"Microsoft.Network/publicIPAddresses/ipConfiguration.id",

Here is the updated policy to deny users from creating a VMS with public IP addresses.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachineScaleSets"
        },
        {
          "not": {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].publicIPAddressConfiguration",
            "exists": "false"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

After assigning the policy to the specified scope, it denies the creation of a VMS with public IPs, as shown below.

[Screenshot: the VMS deployment denied by the assigned policy]
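The part of the corrected rule that is easy to misread is the "not" wrapped around "exists": "false" on a [*] alias: the inner condition is true only when every ipConfiguration lacks a publicIPAddressConfiguration, so negating it matches as soon as one configuration has a public IP. The simplified evaluator below is an added example (not the asker's or answerer's code, and not the Azure Policy engine) that runs the corrected rule against a constructed VMSS request body; the body shape, the `<subnet-id>` placeholder and the `vmss` helper are assumptions made for the example.

```python
MISSING = object()  # sentinel: the alias resolves to nothing at this element
# The corrected rule from the answer above, loaded as a dict.
RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachineScaleSets"},
    {"not": {"field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile"
                      ".networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*]"
                      ".publicIPAddressConfiguration", "exists": "false"}}]},
    "then": {"effect": "deny"}}

def _get(obj, key):
    # Aliases hide the nested 'properties' bags of an ARM body, so look there too.
    obj = obj if isinstance(obj, dict) else {}
    props = obj.get("properties") if isinstance(obj.get("properties"), dict) else {}
    return obj[key] if key in obj else props.get(key, MISSING)

def resolve(resource, field):
    """Resolve 'type' or an alias 'Provider/type/a.b[*].c': one value per [*] expansion."""
    path = field.split("/", 2)[2] if field.count("/") >= 2 else field
    values = [resource]
    for part in path.split("."):
        wildcard = part.endswith("[*]")
        children = [_get(v, part[:-3] if wildcard else part) for v in values]
        # [*] expands arrays (non-arrays contribute nothing); otherwise step down one level
        values = [e for c in children if isinstance(c, list) for e in c] if wildcard else children
    return values

def evaluate(cond, resource):
    """Simplified evaluator: allOf/not plus equals/exists; a [*] condition must hold for every element."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    values = resolve(resource, cond["field"])
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"
        return all((v is not MISSING) == want for v in values)
    return all(v == cond["equals"] for v in values)

def effect(resource, rule=RULE):
    """Effect the rule applies to this request body, or None when it does not match."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else None

def vmss(with_public_ip):
    """Constructed VMSS request body, with or without a public IP configuration."""
    ipcfg = {"name": "ipconfig1", "properties": {"subnet": {"id": "<subnet-id>"}}}
    if with_public_ip:
        ipcfg["properties"]["publicIPAddressConfiguration"] = {"name": "pip1"}
    nic = {"name": "nic1", "properties": {"ipConfigurations": [ipcfg]}}
    return {"type": "Microsoft.Compute/virtualMachineScaleSets", "properties": {
        "virtualMachineProfile": {"networkProfile": {"networkInterfaceConfigurations": [nic]}}}}
```

`effect(vmss(True))` returns "deny" while `effect(vmss(False))` returns None, which is the behaviour the assignment produces at deployment time.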