In the previous two posts in this series, we examined how resource grouping and tagging can help you organise your resources, but how do you ensure that new resources follow the rules? We can use Azure Policy, a service for creating, managing and assigning policies.

Policies enforce rules that you want your resources to follow. A policy can restrict which resource types may be created, which Azure regions resources may be deployed to, or which naming conventions are used across your Azure environment. A policy can also require that specific tags are applied to every resource.

Policies are inherited by all child resources. If a policy is assigned to a resource group, it applies to every resource in that resource group; an assignment at a subscription or management group likewise applies to everything beneath it.

Using Azure Policy is a two-step process. You

  1. create a Policy Definition
  2. then create a Policy Assignment

Policy Definition

A Policy Definition is mainly made up of a policy rule and a definition location, which is either a management group or a subscription. The policy rule describes what makes a resource compliant and which effect to apply when a resource is non-compliant.

The policy rule consists of an If block and a Then block. In the If block, you define one or more conditions that determine when the policy applies; the Then block names the effect (for example deny or audit) that is applied to a resource matching those conditions.

If the definition location is a:

  • Subscription: only resources within that subscription can be assigned the policy.
  • Management group: only resources within that management group, its child management groups and their subscriptions can be assigned the policy.

Note:

If you plan to apply the policy definition to several subscriptions, the definition location must be a management group that contains all of those subscriptions.

A policy definition is written in JSON and contains elements for:

  • mode
  • parameters
  • display name
  • description
  • policy rule
    • logical evaluation
    • effect

For example, the following JSON shows a policy that limits where resources are deployed:

{
    "properties": {
        "mode": "all",
        "parameters": {
            "allowedLocations": {
                "type": "array",
                "metadata": {
                    "description": "The list of locations that can be specified when deploying resources",
                    "strongType": "location",
                    "displayName": "Allowed locations"
                }
            }
        },
        "displayName": "Allowed locations",
        "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
        "policyRule": {
            "if": {
                "not": {
                    "field": "location",
                    "in": "[parameters('allowedLocations')]"
                }
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

For further reading, go to https://docs.microsoft.com/en-us/azure/governance/policy/

Policy Assignment

To enable a policy, you need to create an assignment. Assignments are scoped, and the scope determines which resources (or groupings of resources) the assignment is enforced on. You can scope an assignment to a management group or a subscription; optionally, you can narrow it to a resource group.

When assigning a policy, you must supply a value for every parameter declared in the policy definition. Check those values carefully: with a deny effect, a typo in the allowed locations list blocks legitimate deployments across the whole scope.

To assign a policy

  1. Go to the Azure portal. In the search box in the top navigation bar, search for Policy and select the Policy service.
  2. In the policy pane, in the Authoring section on the left, select Assignments.
  3. Select Assign policy at the top.
  4. To assign to a resource group, in the Assign policy pane, under Scope, click the blue ellipsis (...). Select your subscription and the resource group you want to assign to, then click Select.
  5. For Policy definition, click the blue ellipsis (...). In the Type drop-down, select Custom, select the policy you created, then click Select.
  6. In the Parameters section, enter the values for the parameters your definition declares.
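The following Python script is an added example, not code from this post or from Azure. It evaluates the Allowed locations definition shown above, plus a second definition in the same rule language that requires an environment tag, against a few constructed resources under a resource-group-scoped assignment. It shows how the If block, the [parameters('...')] reference, the parameter values supplied at assignment time and the assignment scope combine into an effect, and why every declared parameter has to be supplied. The subscription GUID, resource group names, resource ids and tag values are placeholders, and the evaluator is a deliberately small model of the real engine, not a replacement for it.

```python
"""Offline evaluator for the subset of the Azure Policy rule language used on
this page (field, in, equals, exists, not, allOf, anyOf, [parameters('...')]).
Added illustration only; this is not Azure's evaluation engine."""
import re

# The "Allowed locations" definition from this page, trimmed to the parts
# used in evaluation (displayName, description and metadata are omitted).
ALLOWED_LOCATIONS_DEFINITION = {
    "mode": "all",
    "parameters": {"allowedLocations": {"type": "array"}},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"},
    },
}

# Second definition, same language: deny resources lacking an 'environment' tag.
REQUIRED_TAG_DEFINITION = {
    "mode": "indexed",
    "policyRule": {
        "if": {"field": "tags['environment']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

# Assignment scoped to one resource group (placeholder subscription GUID),
# supplying a value for every parameter the definition declares.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ASSIGNMENT = {
    "scope": SCOPE,
    "parameters": {"allowedLocations": {"value": ["northeurope", "westeurope"]}},
}

# Constructed sample resources, not real Azure objects.
VM = "/providers/Microsoft.Compute/virtualMachines/"
SAMPLE_RESOURCES = [
    {"name": "vm-ok", "location": "NorthEurope", "tags": {"environment": "prod"},
     "id": SCOPE + VM + "vm-ok"},
    {"name": "vm-wrong-region", "location": "eastus", "tags": {"environment": "prod"},
     "id": SCOPE + VM + "vm-wrong-region"},
    {"name": "vm-untagged", "location": "westeurope", "tags": {},
     "id": SCOPE + VM + "vm-untagged"},
    # Lives in rg-demo2: shares the scope as a string prefix but is outside it.
    {"name": "vm-other-rg", "location": "eastus", "tags": {},
     "id": SCOPE + "2" + VM + "vm-other-rg"},
]

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")


def _norm(value):
    """Azure compares string values case-insensitively; mirror that here."""
    return value.lower() if isinstance(value, str) else value


def resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's value.
    Raises KeyError when the assignment did not supply that parameter."""
    if isinstance(value, str) and (m := _PARAM_REF.match(value)):
        name = m.group(1)
        if name not in params:
            raise KeyError(f"assignment supplies no value for parameter '{name}'")
        return params[name]
    return value


def field_value(resource, field):
    """Read a rule field from a resource; supports the tags['key'] form."""
    m = _TAG_FIELD.match(field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)


def condition_holds(cond, resource, params):
    """Evaluate one If condition: logical operators recurse, field operators compare."""
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    actual = _norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "exists" in cond:
        wanted = str(resolve(cond["exists"], params)).lower() == "true"
        return (actual is not None) == wanted
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(assignment, resource):
    """A resource is covered when its id sits at or below the assignment scope
    (scope + '/' avoids matching rg-demo2 when the scope is rg-demo)."""
    scope = assignment["scope"].lower().rstrip("/")
    rid = resource["id"].lower()
    return rid == scope or rid.startswith(scope + "/")


def evaluate(definition, assignment, resource):
    """Return the effect ('deny', 'audit', ...) for the resource, or None when it
    is compliant or outside the assignment's scope."""
    if not in_scope(assignment, resource):
        return None
    params = {k: v["value"] for k, v in assignment.get("parameters", {}).items()}
    rule = definition["policyRule"]
    return rule["then"]["effect"].lower() if condition_holds(rule["if"], resource, params) else None


def evaluate_all(definition, assignment, resources):
    """Map each resource name to the effect the assignment would apply."""
    return {r["name"]: evaluate(definition, assignment, r) for r in resources}


if __name__ == "__main__":
    for definition in (ALLOWED_LOCATIONS_DEFINITION, REQUIRED_TAG_DEFINITION):
        print(evaluate_all(definition, ASSIGNMENT, SAMPLE_RESOURCES))
```

Running the script prints one dictionary per definition: the location policy denies only vm-wrong-region, the tag policy denies only vm-untagged, and vm-other-rg is untouched by both because it sits outside the resource-group scope even though its id shares the scope as a prefix. Removing allowedLocations from the assignment raises a KeyError, the offline equivalent of the portal refusing an assignment with a blank required parameter.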