@MrCaedes (Contributor) commented Jan 9, 2026

Overview

This PR introduces a new Azure Policy definition as part of /Network.

The policy allows CIDRs to be configured as non-usable by subnets; this can be useful for self-governing teams that are allocated a large range but wish to earmark portions for specific purposes, such as future expansion, shared services, etc.

Problem Statement

In enterprise environments with decentralized subscription ownership, teams often receive large IP address allocations to manage independently. Without guardrails, there's a risk that subnets could inadvertently consume IP ranges earmarked for:

  • Shared Services (e.g., if the team is offering a service to others)
  • Future Growth (e.g., planned expansions of AKS, etc.)

What the Policy Does

This policy uses ipRangeContains to perform bi-directional overlap detection.

The intent is for this to be used in combination with "Exemptions", to provide just-in-time provisioning while still providing a hard guardrail.

If Azure Policy becomes identity-aware in the future, there is also scope for this to be used such that only user X may leverage specific ranges, which is useful in platform-team scenarios.

Addition of a new policy definition under /Network, which facilitates blocking the use of reserved ranges; ideal in enterprise environments where ranges have been or are being reserved for specific use cases.

Users can leverage exemptions or exclusions to facilitate subnet deployment; if Azure Policy becomes identity-aware in the future, there is also room for platform-team exclusions, etc.
From `azurepolicy.json`, addition of `Disabled` as a valid parameter.
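An added illustration of the bi-directional overlap check described above, written here in Python with the standard `ipaddress` module; it is not the PR's policy definition, and the reserved ranges, subnet names and prefixes are constructed sample values. `ip_range_contains` is a local stand-in for the Azure Policy `ipRangeContains` function, and `effect` mirrors the Audit/Deny/Disabled parameter.

```python
import ipaddress

# Constructed sample values (not from the PR): a team-owned 10.0.0.0/8 allocation
# in which two ranges are earmarked, plus the subnets a team attempted to deploy.
RESERVED_RANGES = ["10.10.0.0/16", "10.20.0.0/16"]  # shared services, future AKS growth
SAMPLE_SUBNETS = [
    ("app", "10.1.0.0/24"),         # free part of the allocation
    ("shared-db", "10.10.5.0/24"),  # carved out of the shared-services reservation
    ("big-aks", "10.20.0.0/15"),    # larger than, and swallowing, the AKS reservation
    ("v6-only", "fd00:1::/64"),     # different address family, cannot overlap IPv4
]


def ip_range_contains(outer: str, inner: str) -> bool:
    """Local stand-in for Azure Policy's ipRangeContains():
    True when every address of `inner` lies inside `outer`."""
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def overlaps(reserved: str, subnet: str) -> bool:
    """Bi-directional check. Two CIDR blocks are either disjoint or nested, so
    testing containment in both directions catches every overlap; a one-way
    ipRangeContains(reserved, subnet) would miss a subnet larger than the reservation."""
    return ip_range_contains(reserved, subnet) or ip_range_contains(subnet, reserved)


def evaluate(subnets, reserved_ranges, effect="Deny"):
    """Return the (name, prefix, reserved_range) triples the policy would flag.
    Audit and Deny both report findings; Disabled reports nothing."""
    if effect == "Disabled":
        return []
    findings = []
    for name, prefix in subnets:
        for reserved in reserved_ranges:
            if overlaps(reserved, prefix):
                findings.append((name, prefix, reserved))
                break  # one matching reservation is enough to flag the subnet
    return findings


if __name__ == "__main__":
    for name, prefix, reserved in evaluate(SAMPLE_SUBNETS, RESERVED_RANGES):
        print(f"{name} ({prefix}) overlaps reserved range {reserved}")
```

The `big-aks` subnet is only caught by the reverse direction of the check, which is why a single `ipRangeContains(reserved, subnet)` test is not sufficient.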
@gregslack78 (Contributor) commented:

Going to test this one and put it through the policy authoring agent.

@gregslack78 (Contributor) commented:

Policy authoring agent output...

Evaluation:
Correctness:
The logic for detecting overlap uses Azure's built-in ipRangeContains function to ensure checks are done against both the CIDR ranges and the subnets.
Functionality:
This policy should work as intended, evaluating virtual networks and subnets for compliance with the restricted CIDR ranges provided.
Conclusion:
The policy should effectively enforce limits on CIDR overlap, with a configurable effect to either audit or deny infractions. It should operate properly in Azure environments as long as the defined logic matches the expected compliance rules.
