What is Az Policy effect in a Resource Move and in an Edit of a Virtual Network?

Shridhar Srinivasan 220 Reputation points
2023-07-17T10:44:33.31+00:00

You have an Azure subscription that contains the resources shown in the following table:

Name    Type                Resource group
VNET1   Virtual network     RG1
VNET2   Virtual network     RG2
VM1     Virtual machine     RG2

The status of VM1 is Running.

You assign an Azure policy to RG2 with "Not allowed Resource types" parameters set for

  • Microsoft.ClassicNetwork/virtualNetworks
  • Microsoft.Network/virtualNetworks
  • Microsoft.Compute/virtualMachines

Q1. Can an administrator move VNET1 to RG2?

Q2. Can an administrator modify the address space of VNet2?


2 answers

  1. Tech-Hyd-1989 5,796 Reputation points
    2023-07-18T07:17:03.3433333+00:00

    Hello Srinivasan, Shridhar (Shridhar)
    Good Day!

    Q1. Can an administrator move VNET1 to RG2?

    No, an administrator cannot move VNET1 to RG2 because the target resource group RG2 has an Azure policy assigned with "Not allowed Resource types" parameters set for Microsoft.Network/virtualNetworks. This policy restricts the creation or movement of virtual networks (VNETs) within RG2.

    Q2. Can an administrator modify the address space of VNet2?

    Yes, an administrator can modify the address space of VNet2. The Azure policy that has been assigned to RG2 does not include any restrictions related to modifying the address space of virtual networks (VNETs). Therefore, the administrator should have the necessary permissions to make changes to the address space of VNet2.

    -Please accept answer and upvote if the above information is helpful for the benefit of the community.


  2. SadiqhAhmed-MSFT 45,181 Reputation points Microsoft Employee
    2023-07-21T20:12:01.7833333+00:00

    @Srinivasan, Shridhar (Shridhar) Thank you for asking your question on Microsoft Q&A platform. Happy to answer any question you may have!

    We only validate that the move doesn’t cause a policy violation in the target resource group, so in your example – RG2.

    RG1 is currently non-compliant, and policy should already be flagging it, since the VM is violating the policy defined for RG1, but that’s not something we would evaluate during resource move since the resource is already in a non-compliant state.

    Please see our public docs FAQ section here: Move resources to a new subscription or resource group - Azure Resource Manager | Microsoft Learn 

    Question: What does the error code "RequestDisallowedByPolicy" mean?

    Resource Manager validates your move request before attempting the move. This validation includes checking policies defined on the resources involved in the move. For example, if you're attempting to move a key vault but your organization has a policy to deny the creation of a key vault in the target resource group, validation fails and the move is blocked. The returned error code is RequestDisallowedByPolicy.

    For more information about policies, see What is Azure Policy?.

    Regarding the 2nd question: How does Modify come into the picture here? What is meant by modify the address space?

    If the resource is being moved across RGs, and RG2 has a deny of that resource type, a modify policy will not take effect since the type is disallowed by the scope. 


    If the response helped, do "Accept Answer" and up-vote it
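
A simplified model of the move validation discussed in the answers above, added here as an illustration; it is not code from Microsoft or from either answer. The class and function names are hypothetical, the data is constructed from the question's table, and only a deny on resource type assigned at resource-group scope is modelled.

```python
# Simplified, illustrative model of the target-scope check on a resource move.
# Not Azure's implementation: it only models a deny rule on resource type.
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    type: str          # e.g. "Microsoft.Network/virtualNetworks"
    resource_group: str

@dataclass(frozen=True)
class DenyTypesAssignment:
    scope: str                 # resource group the policy is assigned to
    not_allowed_types: tuple

    def matches(self, resource_type: str) -> bool:
        # Resource type names are compared case-insensitively.
        banned = {t.lower() for t in self.not_allowed_types}
        return resource_type.lower() in banned

def validate_move(resources, target_rg, assignments):
    """Return one error dict per resource the target scope would reject."""
    errors = []
    for res in resources:
        for a in assignments:
            # Only assignments on the *target* resource group are evaluated.
            if a.scope.lower() == target_rg.lower() and a.matches(res.type):
                errors.append({"code": "RequestDisallowedByPolicy",
                               "target": res.name, "scope": a.scope})
    return errors

def non_compliant(resources, assignments):
    """Existing resources a compliance scan would flag (they stay in place)."""
    return [r.name for r in resources for a in assignments
            if a.scope.lower() == r.resource_group.lower() and a.matches(r.type)]

# Constructed data mirroring the question's table and policy assignment.
VNET1 = Resource("VNET1", "Microsoft.Network/virtualNetworks", "RG1")
VNET2 = Resource("VNET2", "Microsoft.Network/virtualNetworks", "RG2")
VM1 = Resource("VM1", "Microsoft.Compute/virtualMachines", "RG2")
RG2_POLICY = DenyTypesAssignment("RG2", (
    "Microsoft.ClassicNetwork/virtualNetworks",
    "Microsoft.Network/virtualNetworks",
    "Microsoft.Compute/virtualMachines"))

if __name__ == "__main__":
    print(validate_move([VNET1], "RG2", [RG2_POLICY]))   # move into RG2
    print(validate_move([VNET2], "RG1", [RG2_POLICY]))   # move out of RG2
    print(non_compliant([VNET1, VNET2, VM1], [RG2_POLICY]))
```

Moving VNET1 into RG2 yields a `RequestDisallowedByPolicy` entry, while resources already in RG2 are only reported by the compliance check and are not part of the move validation.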

