When companies deploy resources in Azure, they should follow strict guidelines to safeguard their subscriptions and keep quality high. They need to make sure that resources are placed in the correct resource groups and in the correct region, and that all provisioned resources are correctly named and tagged. These are only some of the scenarios where Azure resource policies come into play: they control how Azure resources may be provisioned and flag or block what does not comply with company policy.
Policies are built on a simple "if-then" principle: if some condition is true (e.g. a resource has no tags), a specific effect is applied (at the time of writing: deny, audit or append; there is no "allow" effect, a request that matches no deny rule simply goes through). Here are some examples of what you can enforce with Azure resource policies:
- Azure resources can only be deployed when they are completely tagged, if not, the resources will not be created (goal: data quality and transparency)
- Only specific Azure resources can be deployed, everything else is denied (goal: service control)
- Azure resources should follow a specific naming scheme, if not, they cannot be created (goal: consistent naming)
- Azure resources can only be deployed when they are placed in a specific region, otherwise the creation fails (goal: geo-compliance)
There are many more scenarios of course. However, I will not cover all the background in this post because most of the information is already available elsewhere. Check out the Azure documentation for more details about Azure resource policies, how they compare to RBAC and exactly what they can do. What I will cover in this blog post is a complete walkthrough of how to create a policy, assign it and test it.
Step 1 – Create a Policy File
The very first step is to create a policy file. This is pretty simple because it is a plain, easy-to-read JSON file. I will use Visual Studio to create it.
To make the creation process easier, I will add a schema URL. After this URL is added, IntelliSense is available to create the file. By hitting Ctrl+Space somewhere in the structure you will see the available options.
The policy file I create will allow Azure admins to deploy new Azure resources only in the West Europe and East US regions. No other region will be allowed. After a minute or two, the finished file will look something like this:
You can see the "if"-"then" structure. Because a policy can only apply an effect when its condition matches, the rule is written the other way round from how it reads: if the location of the resource being created is not West Europe or East US, then the effect is deny. A resource provisioned into one of the two permitted regions does not match the condition and is created normally; a resource provisioned into any other region is denied.
Step 2 – Create a Policy Definition
Now that the JSON file is ready, it is time to use it to create a new policy definition in Azure. I use PowerShell ISE to accomplish this task. For this walkthrough I will create a new resource group to which I will assign the policy later.
Select-AzureRmSubscription -SubscriptionName "Sub2"
New-AzureRmResourceGroup -Name "AzurePolicyTest" -Location "westeurope"
# Path to the JSON policy rule from step 1 (placeholder; adjust to where you saved the file)
$PolicyFile = ".\LimitLocations.json"
$PolicyDefinition = New-AzureRmPolicyDefinition `
    -Name LimitLocations `
    -DisplayName LimitLocations `
    -Description "Only allow West Europe and East US Locations" `
    -Policy $PolicyFile
The last command is the one that actually creates the policy definition in Azure; its -Policy parameter takes the JSON file I prepared in step 1. The creation of the policy is done within seconds. You can check which policy definitions are available in your subscription:
Get-AzureRmPolicyDefinition | Select Name
It is important to understand that a policy definition has no effect until it is assigned. This is what we will do in the next step.
Step 3 – Assign a Policy Definition
Now that the policy definition is available in Azure, I need to assign it somewhere. A policy can be assigned at three different scopes:
- Subscription
- Resource Group
- Resource
The scope depends on what you want to accomplish with your policy. In this example I will assign the policy definition to the newly created resource group. That means that newly provisioned services in this resource group can only be located in the West Europe or East US regions, whereas resources placed in other resource groups can still be placed in any available region.
$PolicyAssignmentName = "LimitLocationsTest"
$RG = Get-AzureRmResourceGroup -Name "AzurePolicyTest"
# Scope is the resource group's ID, i.e. "/subscriptions/<subscriptionId>/resourceGroups/AzurePolicyTest";
# the resource group object already carries it in its ResourceId property
$Scope = $RG.ResourceId
New-AzureRmPolicyAssignment -Name $PolicyAssignmentName -PolicyDefinition $PolicyDefinition -Scope $Scope
Step 4 – Test the Configuration
Now it is time to test the configuration. For that I will create a new storage account and select a region that is explicitly disallowed by the policy I just assigned.
After a few seconds an error is displayed. By clicking on it, more details are shown.
The error is also visible in Azure Monitor, which lets you easily check whether your policies are working as expected in your environment.
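The four steps above as one script you can run end to end, as an added example (this is not the author's code from the post). It uses the AzureRM cmdlets the post uses, expresses the step-1 rule inline as a JSON here-string instead of a separate file, and tests the assignment from PowerShell rather than the portal: one deployment into a disallowed region that must be rejected, and one into an allowed region that must succeed. The subscription name "Sub2", resource group "AzurePolicyTest" and policy name "LimitLocations" are assumed from the post; the storage account name is generated.

```powershell
# Added end-to-end example (not the post's own code): define, assign and test a
# location-restricting Azure resource policy with the AzureRM module.
# Assumed names: subscription "Sub2", resource group "AzurePolicyTest",
# policy "LimitLocations"; the storage account name is generated below.
Select-AzureRmSubscription -SubscriptionName "Sub2" | Out-Null

$RgName = "AzurePolicyTest"
$RG = New-AzureRmResourceGroup -Name $RgName -Location "westeurope" -Force

# Policy rule. A policy can only APPLY an effect when its condition matches, so the
# allowed list is written as "location not in [...] => deny".
# Caveat: resources whose location is "global" (e.g. DNS zones, Traffic Manager)
# would also be denied by this rule unless "global" is added to the list.
$PolicyRule = @'
{
  "if": {
    "not": {
      "field": "location",
      "in": [ "westeurope", "eastus" ]
    }
  },
  "then": {
    "effect": "deny"
  }
}
'@

# -Policy accepts either a path to a .json file or, as here, the JSON string itself.
$PolicyDefinition = New-AzureRmPolicyDefinition `
    -Name "LimitLocations" `
    -DisplayName "LimitLocations" `
    -Description "Only allow West Europe and East US locations" `
    -Policy $PolicyRule

# Assign at resource group scope; resources in other resource groups are unaffected.
$Assignment = New-AzureRmPolicyAssignment `
    -Name "LimitLocationsTest" `
    -PolicyDefinition $PolicyDefinition `
    -Scope $RG.ResourceId

# Test 1: a storage account in a disallowed region must be rejected.
# (Assignments can take a few moments to propagate; if this deployment succeeds
# right after assigning, wait a little and run the test again before concluding.)
$SaName = "polctest" + (Get-Random -Maximum 99999999)   # lowercase, globally unique
try {
    # Older AzureRM.Storage versions call the SKU parameter -Type instead of -SkuName.
    New-AzureRmStorageAccount -ResourceGroupName $RgName -Name $SaName `
        -Location "northeurope" -SkuName Standard_LRS -ErrorAction Stop | Out-Null
    Write-Warning "Deployment to northeurope SUCCEEDED - the policy is not being enforced!"
} catch {
    # Expected: the request is rejected with error code RequestDisallowedByPolicy
    Write-Host "Denied as expected: $($_.Exception.Message)"
}

# Test 2: the same deployment in an allowed region must still work.
$Sa = New-AzureRmStorageAccount -ResourceGroupName $RgName -Name $SaName `
        -Location "westeurope" -SkuName Standard_LRS -ErrorAction Stop
Write-Host "Created $($Sa.StorageAccountName) in $($Sa.Location)"

# Clean up: remove the assignment first (a definition that is still assigned
# cannot be deleted), then the definition and the test resource group.
Remove-AzureRmPolicyAssignment -Name $Assignment.Name -Scope $RG.ResourceId
Remove-AzureRmPolicyDefinition -Name $PolicyDefinition.Name -Force
Remove-AzureRmResourceGroup -Name $RgName -Force
```

The negative test is the important one: a policy that is defined but not assigned, or assigned at the wrong scope, fails silently, so a deployment into a forbidden region that succeeds is the signal to look at. Running the positive test with the same resource type and name afterwards confirms the rule denies only what it should.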
That's it, mission accomplished! Start working on your Azure resource policy strategy today and implement it to keep your Azure environment clean, compliant and secure.