Deny-AFSPaasPublicIP.AzureChinaCloud.json

{
  "name": "Deny-AFSPaasPublicIP",
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2021-06-01",
  "scope": null,
  "properties": {
    "policyType": "Custom",
    "mode": "Indexed",
    "displayName": "Public network access should be disabled for Azure File Sync",
    "description": "Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
        "AzureChinaCloud"
      ]
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.StorageSync/storageSyncServices"
          },
          {
            "field": "Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy",
            "notEquals": "AllowVirtualNetworksOnly"
          }
        ]
      },
      "then": {
        "effect": "[[parameters('effect')]"
      }
    }
  }
}