dmauser / opnazure

This template allows you to deploy an OPNsense Firewall Azure VM using the opnsense-bootstrap installation method

Deployment fails with error (ip forwarding policy)

minosandro opened this issue · comments

Looks like Azure updated the security policies and the deployment of OPNSense fails with the error below:

```json
{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
    "details": [
      {
        "code": "BadRequest",
        "message": "{\r\n \"error\": {\r\n \"code\": \"InvalidTemplateDeployment\",\r\n \"message\": \"The template deployment failed because of policy violation. Please see details for more information.\",\r\n \"details\": [\r\n {\r\n \"code\": \"RequestDisallowedByPolicy\",\r\n \"target\": \"OPNsense-Untrusted-NIC\",\r\n \"message\": \"Resource 'OPNsense-Untrusted-NIC' was disallowed by policy. Policy identifiers: '[{\\\"policyAssignment\\\":{\\\"name\\\":\\\"Network interfaces should disable IP forwarding\\\",\\\"id\\\":\\\"/providers/Microsoft.Management/managementGroups/IGT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-forwarding\\\"},\\\"policyDefinition\\\":{\\\"name\\\":\\\"Network interfaces should disable IP forwarding\\\",\\\"id\\\":\\\"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\\\"}}]'.\",\r\n \"additionalInfo\": [\r\n {\r\n \"type\": \"PolicyViolation\",\r\n \"info\": {\r\n \"policyDefinitionDisplayName\": \"Network interfaces should disable IP forwarding\",\r\n \"evaluationDetails\": {\r\n \"evaluatedExpressions\": [\r\n {\r\n \"result\": \"True\",\r\n \"expressionKind\": \"Field\",\r\n \"expression\": \"type\",\r\n \"path\": \"type\",\r\n \"expressionValue\": \"Microsoft.Network/networkInterfaces\",\r\n \"targetValue\": \"Microsoft.Network/networkInterfaces\",\r\n \"operator\": \"Equals\"\r\n },\r\n {\r\n \"result\": \"True\",\r\n \"expressionKind\": \"Field\",\r\n \"expression\": \"Microsoft.Network/networkInterfaces/enableIpForwarding\",\r\n \"path\": \"properties.enableIPForwarding\",\r\n \"expressionValue\": true,\r\n \"targetValue\": \"true\",\r\n \"operator\": \"Equals\"\r\n }\r\n ]\r\n },\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\r\n \"policyDefinitionName\": \"88c0b9da-ce96-4b03-9635-f29a937e2900\",\r\n \"policyDefinitionEffect\": \"deny\",\r\n \"policyAssignmentId\": \"/providers/Microsoft.Management/managementGroups/IGT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-forwarding\",\r\n \"policyAssignmentName\": \"Deny-IP-forwarding\",\r\n \"policyAssignmentDisplayName\": \"Network interfaces should disable IP forwarding\",\r\n \"policyAssignmentScope\": \"/providers/Microsoft.Management/managementGroups/IGT-landingzones\"\r\n }\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"
      },
      {
        "code": "BadRequest",
        "message": "{\r\n \"error\": {\r\n \"code\": \"InvalidTemplateDeployment\",\r\n \"message\": \"The template deployment failed because of policy violation. Please see details for more information.\",\r\n \"details\": [\r\n {\r\n \"code\": \"RequestDisallowedByPolicy\",\r\n \"target\": \"OPNsense-Trusted-NIC\",\r\n \"message\": \"Resource 'OPNsense-Trusted-NIC' was disallowed by policy. Policy identifiers: '[{\\\"policyAssignment\\\":{\\\"name\\\":\\\"Network interfaces should disable IP forwarding\\\",\\\"id\\\":\\\"/providers/Microsoft.Management/managementGroups/IGT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-forwarding\\\"},\\\"policyDefinition\\\":{\\\"name\\\":\\\"Network interfaces should disable IP forwarding\\\",\\\"id\\\":\\\"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\\\"}}]'.\",\r\n \"additionalInfo\": [\r\n {\r\n \"type\": \"PolicyViolation\",\r\n \"info\": {\r\n \"policyDefinitionDisplayName\": \"Network interfaces should disable IP forwarding\",\r\n \"evaluationDetails\": {\r\n \"evaluatedExpressions\": [\r\n {\r\n \"result\": \"True\",\r\n \"expressionKind\": \"Field\",\r\n \"expression\": \"type\",\r\n \"path\": \"type\",\r\n \"expressionValue\": \"Microsoft.Network/networkInterfaces\",\r\n \"targetValue\": \"Microsoft.Network/networkInterfaces\",\r\n \"operator\": \"Equals\"\r\n },\r\n {\r\n \"result\": \"True\",\r\n \"expressionKind\": \"Field\",\r\n \"expression\": \"Microsoft.Network/networkInterfaces/enableIpForwarding\",\r\n \"path\": \"properties.enableIPForwarding\",\r\n \"expressionValue\": true,\r\n \"targetValue\": \"true\",\r\n \"operator\": \"Equals\"\r\n }\r\n ]\r\n },\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\r\n \"policyDefinitionName\": \"88c0b9da-ce96-4b03-9635-f29a937e2900\",\r\n \"policyDefinitionEffect\": \"deny\",\r\n \"policyAssignmentId\": \"/providers/Microsoft.Management/managementGroups/IGT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-forwarding\",\r\n \"policyAssignmentName\": \"Deny-IP-forwarding\",\r\n \"policyAssignmentDisplayName\": \"Network interfaces should disable IP forwarding\",\r\n \"policyAssignmentScope\": \"/providers/Microsoft.Management/managementGroups/IGT-landingzones\"\r\n }\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"
      }
    ]
  }
}
```
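An added triage helper, not part of this issue or the opnazure project, that walks the DeploymentFailed error shape shown above: each per-resource "BadRequest" entry carries its real error as a JSON document serialised into the "message" string, so the helper decodes that inner document and lists which resource was denied by which policy definition, assignment and scope. The sample input is a constructed, abridged copy of the page's error; the definition GUID and management-group scope are the ones quoted in it.

```python
import json

# Built-in policy definition GUID and assignment scope quoted in the error above.
IP_FORWARDING_POLICY = "88c0b9da-ce96-4b03-9635-f29a937e2900"
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/IGT-landingzones"


def _denied_nic(target):
    # Constructed per-resource entry mirroring the page's error: the inner
    # error document is JSON serialised into the "message" string.
    return {"code": "BadRequest", "message": json.dumps({"error": {
        "code": "InvalidTemplateDeployment",
        "details": [{"code": "RequestDisallowedByPolicy", "target": target,
                     "additionalInfo": [{"type": "PolicyViolation", "info": {
                         "policyDefinitionName": IP_FORWARDING_POLICY,
                         "policyDefinitionEffect": "deny",
                         "policyAssignmentName": "Deny-IP-forwarding",
                         "policyAssignmentScope": MG_SCOPE}}]}]}})}


# Constructed sample in the shape of the DeploymentFailed error on this page.
SAMPLE_ERROR = {"status": "Failed", "error": {"code": "DeploymentFailed",
                "details": [_denied_nic("OPNsense-Untrusted-NIC"),
                            _denied_nic("OPNsense-Trusted-NIC")]}}


def policy_violations(deployment_error):
    """Return (target, effect, definition, assignment, scope) for each policy denial."""
    found = []
    for detail in deployment_error.get("error", {}).get("details", []):
        try:
            inner = json.loads(detail.get("message", ""))  # JSON-in-a-string
        except ValueError:
            continue  # plain-text message, not a nested policy error
        for violation in inner.get("error", {}).get("details", []):
            if violation.get("code") != "RequestDisallowedByPolicy":
                continue
            for extra in violation.get("additionalInfo", []):
                if extra.get("type") != "PolicyViolation":
                    continue
                info = extra.get("info", {})
                found.append((violation.get("target"), info.get("policyDefinitionEffect"),
                              info.get("policyDefinitionName"),
                              info.get("policyAssignmentName"), info.get("policyAssignmentScope")))
    return found


def nics_blocked_by_ip_forwarding_policy(deployment_error):
    """Targets hard-denied by the IP-forwarding definition; these need a policy exemption."""
    return sorted(t for t, effect, defn, _, _ in policy_violations(deployment_error)
                  if effect == "deny" and defn == IP_FORWARDING_POLICY)
```

Running `policy_violations` on a real error tells you the assignment scope to raise the exemption request against (here a management group, so a subscription owner cannot simply remove it).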

Sorry, it was a subscription problem, the subscription I'm using has a policy that denies the IP forwarding on network interfaces.