1 year ago
#64806
Alan Isherwood
Azure Policy: How to relate VMs using a specified subnet
I am trying to write a policy which identifies all VMs attached to a specified subnet and ensures that they are backed up to a specified Backup Vault within the same location. Identifying the VMs is easy, but restricting the VMs to those attached to a specified subnet is proving difficult.
My test environment contains 3 VMs: 2 connected to one subnet and the other connected to a different subnet. I have been unable to get this to correctly select the affected resources (1 or 2 VMs), depending on the subnet chosen when running the policy.
Below is the basis of the test, but it is not working. Any help would be appreciated.
    "parameters": {
        "subnetId": {
            "type": "String",
            "metadata": {
                "displayName": "Subnet which contains the VM's to backup.",
                "description": "Specify the subnet that the VM's are connected to.",
                "strongType": "Microsoft.Network/virtualNetworks/subnets"
            }
        },
        "vaultLocation": {
            "type": "String",
            "metadata": {
                "displayName": "Location (Specify the location of the VMs that you want to protect)",
                "description": "Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location. For example - CanadaCentral",
                "strongType": "location"
            }
        }
    ....
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Compute/virtualMachines"
                },
                {
                    "field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].subnet.id",
                    "equals": "[parameters('subnetId')]"
                },
                {
                    "field": "location",
                    "equals": "[parameters('vaultLocation')]"
                }
            ]
        }
    ....
    }
azure
associations
azure-virtual-machine
policy
subnet
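An added example, not part of the original post: a way to compute, outside Azure Policy, which VMs a given subnet and location should select, so the policy's compliance results can be checked against a known-good list. It assumes exported ARM resource JSON in which a VM references its NICs under `properties.networkProfile.networkInterfaces[].id` and each NIC carries the subnet under `properties.ipConfigurations[].properties.subnet.id`; the helper names, subscription ID and resource names are constructed to mirror the three-VM test environment described above.

```python
def norm(resource_id):
    """ARM resource IDs are case-insensitive; normalise before comparing."""
    return resource_id.strip().rstrip("/").lower()

def subnets_by_nic(nics):
    """Map each NIC id to the set of subnet ids its ipConfigurations reference."""
    result = {}
    for item in nics:
        ip_configs = item.get("properties", {}).get("ipConfigurations", [])
        result[norm(item["id"])] = {
            norm(cfg["properties"]["subnet"]["id"])
            for cfg in ip_configs
            if cfg.get("properties", {}).get("subnet", {}).get("id")
        }
    return result

def vms_on_subnet(vms, nics, subnet_id, location):
    """Names of VMs in `location` with at least one NIC attached to `subnet_id`."""
    nic_subnets = subnets_by_nic(nics)
    target = norm(subnet_id)
    matched = []
    for machine in vms:
        if machine["location"].lower() != location.lower():
            continue  # same-location requirement from the policy's third condition
        refs = machine.get("properties", {}).get("networkProfile", {}).get("networkInterfaces", [])
        if any(target in nic_subnets.get(norm(ref["id"]), set()) for ref in refs):
            matched.append(machine["name"])
    return sorted(matched)

# Constructed sample data: three VMs, two on subnet "app", one on subnet "db".
BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers"
SUBNET_APP = f"{BASE}/Microsoft.Network/virtualNetworks/vnet1/subnets/app"
SUBNET_DB = f"{BASE}/Microsoft.Network/virtualNetworks/vnet1/subnets/db"

def make_nic(name, subnet):
    return {"id": f"{BASE}/Microsoft.Network/networkInterfaces/{name}",
            "properties": {"ipConfigurations": [{"properties": {"subnet": {"id": subnet}}}]}}

def make_vm(name, nic_name, location="canadacentral"):
    # NIC reference deliberately upper-cased to exercise case-insensitive matching.
    ref = f"{BASE}/Microsoft.Network/networkInterfaces/{nic_name}".upper()
    return {"name": name, "location": location,
            "properties": {"networkProfile": {"networkInterfaces": [{"id": ref}]}}}

NICS = [make_nic("vm1-nic", SUBNET_APP), make_nic("vm2-nic", SUBNET_APP), make_nic("vm3-nic", SUBNET_DB)]
VMS = [make_vm("vm1", "vm1-nic"), make_vm("vm2", "vm2-nic"), make_vm("vm3", "vm3-nic")]

if __name__ == "__main__":
    print(vms_on_subnet(VMS, NICS, SUBNET_APP, "CanadaCentral"))
```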
0 Answers