Restrict the Assignment of Public IPs on Azure VMs

In this Microsoft Azure blog post, we will show how to restrict the assignment of public IP addresses to Virtual Machines running in Azure.

Exposing virtual machines directly to the internet via public IP can open the door to many unnecessary security vulnerabilities.

In this post, we will show how you could prevent the assignment of IPs to VMs using Azure Policy.

Azure Policy allows us to apply built-in and out-of-the-box compliance policies to resources running in Azure. We can also create custom policies for more advanced compliance requirements.

This post will focus on applying a built-in policy that restricts the assignment of public IPs to VMs in a specific subscription.

Create Policy

To create a policy, Open the Azure Policy console

Click on Definitions

In the search box, paste the following text “Network interfaces should not have public IPs” and click on the policy in the search results window.

From the policy page, Click on Assign

Select the scope and complete the policy configuration.

Under the Remediation tab, please tick the box to create a system-managed identity to allow Azure policy to tag resources with their compliance status.

Add an informative message for non-compliance message in case someone tries to create a public IP.

Finish the configuration steps and deploy the policy.

PowerShell Code

The following PowerShell code will do the same as using the Azure Policy console.

# Login to Azure

# Select your subscription
Select-AzSubscription -SubscriptionId <Your-Subscription-Id>

# Define the policy
$policyDefinition = New-AzPolicyDefinition -Name "restrict-public-ip" -DisplayName "Restrict Public IP Addresses" -description "This policy restricts the assignment of public IPs to Network Interfaces" 
-Policy '{
    "if": {
        "allOf": [
                "field": "type",
                "equals": "Microsoft.Network/networkInterfaces"
                "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*]",
                "exists": true
    "then": {
        "effect": "deny"

# Assign the policy to a scope
New-AzPolicyAssignment -Name "restrict-public-ip-assignment" -Scope "/subscriptions/<Your-Subscription-Id>" -PolicyDefinition $policyDefinition






Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.