Understanding Azure Resource Manager: Enforce Standards Using Policies
In the previous two posts in this series, we examined how resource grouping and tagging can help you organise your resources. But how do you ensure that new resources follow the rules? That is what Azure Policy is for: it is the service you use to create, manage and assign policies.
Policies enforce rules that you want your resources to follow. A policy can, for example, allow only specific types of resources to be created, allow resources only in specific Azure regions, enforce naming conventions across your Azure environment, or require that specific tags are applied to resources.
Policies are inherited by all child resources. If a policy is assigned to a resource group, it applies to all the resources in that resource group; assigned to a subscription or a management group, it applies to everything beneath that scope.
Using Azure Policy is a two-step process. You
- create a Policy Definition
- then create a Policy Assignment
Policy Definition
A policy definition is made up of a policy rule and a definition location, which must be a management group or a subscription. The policy rule describes what makes a resource compliant and what effect to take when a resource is non-compliant, for example deny the request or only audit it.
The policy rule consists of an If block and a Then block. In the If block, you define one or more conditions, combined with logical operators such as not, allOf and anyOf, that specify when the policy is enforced; the Then block specifies the effect.
If the definition location is a:
- Subscription – only resources within that subscription can be assigned the policy.
- Management group – only resources within child management groups and child subscriptions can be assigned the policy.
Note:
If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains those subscriptions.
You write a policy definition in JSON. The policy definition contains elements for:
- mode
- parameters
- display name
- description
- policy rule, which holds the logical evaluation (the If block) and the effect (the Then block)
For example, the following JSON shows a policy that limits where resources are deployed:
{
  "properties": {
    "mode": "all",
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "displayName": "Allowed locations",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
For further reading, go to https://docs.microsoft.com/en-us/azure/governance/policy/
Policy Assignment
To enable a policy, you need to create an assignment. Assignments are scoped; the scope determines which resources, or grouping of resources, the policy assignment is enforced on. You can scope an assignment to a management group or a subscription, or optionally to a resource group, and you can exclude sub-scopes from an assignment. Keep in mind that an effect such as deny acts on create and update requests that arrive after the assignment exists; resources that already violate the rule are not changed or removed, they are reported as non-compliant.
When assigning a policy, you must supply values for any parameters you declared in the policy definition, such as the list of allowed locations in the example above.
To assign a policy in the portal:
- Go to the Azure portal. In the search box in the top navigation bar, search for Policy and select the Policy service.
- In the policy pane, in the Authoring section on the left, select Assignments.
- Select Assign policy at the top.
- To assign to a resource group, in the Assign policy pane, under Scope, click the blue ellipsis (…), select your subscription and the resource group you want to assign to, then click Select.
- For Policy definition, click the blue ellipsis (…). In the Type drop-down, select Custom, select the policy you created, then click Select.
- In the Parameters section, enter the values for your parameters.
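To make the evaluation model concrete, here is an added Python script, written for this post rather than taken from Azure, that mimics what Azure Policy does with the definition above once the assignment from these steps exists: it resolves the [parameters('allowedLocations')] reference from the parameter values supplied at assignment, checks whether a create request falls within the assignment scope (including inheritance to child resources and any excluded sub-scopes), and evaluates the If block to decide whether the Then effect fires. The subscription ID, resource group names, resource IDs, the excluded virtual network and the second "require an env tag" definition are constructed samples, and the evaluator understands only the not, allOf and anyOf operators and the equals, in and exists field conditions, a small subset of the real condition language.

```python
# Constructed sample subscription; not a real Azure subscription ID.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# The "Allowed locations" definition from the post, trimmed to what the evaluator
# reads. `mode` is carried along but not modelled here.
ALLOWED_LOCATIONS = {"properties": {
    "mode": "all",
    "parameters": {"allowedLocations": {"type": "array"}},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"}}}}

# A second, constructed definition of the kind the post mentions (a required tag),
# so the `exists` condition is exercised as well.
REQUIRE_ENV_TAG = {"properties": {
    "mode": "indexed",
    "parameters": {},
    "policyRule": {"if": {"field": "tags['env']", "exists": "false"},
                   "then": {"effect": "deny"}}}}

# What the portal steps produce: an assignment scoped to one resource group, with parameter
# values in the ARM shape {"name": {"value": ...}} and one excluded sub-scope (`notScopes`).
ASSIGNMENT = {
    "scope": f"{SUB}/resourceGroups/rg-prod",
    "notScopes": [f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-legacy"],
    "parameters": {"allowedLocations": {"value": ["westeurope", "northeurope"]}},
}

def resolve(value, parameters):
    """Replace a [parameters('name')] reference with the value given at assignment time."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return parameters[value[len(prefix):-len(suffix)]]["value"]
    return value

def field_value(request, field):
    """Read a policy field from the request body: a top-level property or the tags['key'] alias."""
    if field.startswith("tags['") and field.endswith("']"):
        return request.get("tags", {}).get(field[len("tags['"):-2])
    return request.get(field)

def norm(value):
    """Azure Policy string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value

def evaluate_condition(cond, request, parameters):
    """Evaluate the logical operators and field conditions this model supports."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], request, parameters)
    if "allOf" in cond:
        return all(evaluate_condition(c, request, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, request, parameters) for c in cond["anyOf"])
    actual = field_value(request, cond["field"])
    if "equals" in cond:
        return norm(actual) == norm(resolve(cond["equals"], parameters))
    if "in" in cond:
        return norm(actual) in [norm(v) for v in resolve(cond["in"], parameters)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond!r}")

def in_scope(resource_id, assignment):
    """Inheritance: everything at or below the scope is covered, minus excluded sub-scopes.
    Matching is per path segment, so a scope of rg-prod does not cover rg-production."""
    rid = resource_id.lower()

    def under(scope):
        scope = scope.lower().rstrip("/")
        return rid == scope or rid.startswith(scope + "/")

    return under(assignment["scope"]) and not any(under(s) for s in assignment.get("notScopes", []))

def evaluate(definition, assignment, request):
    """Outcome for a create/update request: 'out of scope', 'compliant', or the Then effect."""
    if not in_scope(request["id"], assignment):
        return "out of scope"
    rule = definition["properties"]["policyRule"]
    if evaluate_condition(rule["if"], request, assignment["parameters"]):
        return rule["then"]["effect"].lower()
    return "compliant"

def storage(rg, name, location, tags=None):
    """Constructed create request for a storage account, as Resource Manager would see it."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}",
            "type": "Microsoft.Storage/storageAccounts", "location": location, "tags": tags or {}}

REQUESTS = {
    "stprod01": storage("rg-prod", "stprod01", "WestEurope", {"env": "prod"}),
    "stprod02": storage("rg-prod", "stprod02", "eastus"),
    "stdev01": storage("rg-dev", "stdev01", "eastus", {"env": "dev"}),
    "vnet-legacy": {"id": ASSIGNMENT["notScopes"][0], "type": "Microsoft.Network/virtualNetworks",
                    "location": "eastus", "tags": {}},
}

if __name__ == "__main__":
    for name, request in REQUESTS.items():
        for label, definition in (("allowed-locations", ALLOWED_LOCATIONS), ("require-env-tag", REQUIRE_ENV_TAG)):
            print(f"{name:12} {label:18} {evaluate(definition, ASSIGNMENT, request)}")
```

Running it prints one line per request and definition. The two storage accounts in rg-prod show the points that matter in practice: WestEurope passes because the comparison is case-insensitive, eastus is denied, and stprod02 is also denied by the tag rule because it carries no env tag. The request in rg-dev is untouched because the assignment is scoped to rg-prod, and the virtual network is skipped even though it sits inside rg-prod, because it was excluded from the assignment.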
Other posts in this series
- Understanding Azure Resource Manager: Control and Organize Azure Resources
- Understanding Azure Resource Manager: Resource Groups
- Understanding Azure Resource Manager: Take advantage of Tags
- Understanding Azure Resource Manager: Enforce Standards Using Policies
- Understanding Azure Resource Manager: Use resource locks to protect resources