Azure Resource Policies Management in the Azure Portal

A while back I blogged about Azure Policies. Policies can be used as part of Azure Governance to audit and enforce compliance. For instance, they let you enforce the use of specific regions or require that resources are tagged. I already covered the details in my previous blog post and will not go into them again. Meanwhile, things have changed, and there is now a graphical implementation that can be used to manage policies in the Azure portal.

Policy Definitions

The main procedure is still the same: you need a policy definition, and you assign it to a subscription or resource group for it to become active. A set of policy definitions is delivered that can be used – this gives you a good kick start into this topic.


If you take a look at the JSON of the policy definitions, you will see how they are constructed. Many of the definitions use parameters. This means that when a definition is assigned, you need to pass parameter values. This way, the same policy definition can easily be reused for different subscriptions and resource groups simply by providing different parameter values at assignment time.


Assignments

Assigning a policy definition is pretty straightforward. After giving the assignment a name, you select the assignment scope, which can be a subscription or a specific resource group. After that, specific resources can be excluded from the assignment. The pricing tier is important: the Free tier allows you to manage definitions and assignments, while the Standard tier also allows you to check the compliance of your environment. At the time of writing, the pricing details were not yet disclosed.

In this example the allowed locations are passed to the definition as parameters. This is why I need to select the locations I want to allow. In this example I selected two regions in Canada. Once the assignment is completed, it is visible in the portal and will be active.


Initiative Definitions

As an alternative to policy definitions, initiative definitions can be used. Initiative definitions are groups of policies that you can manage as a single entity, which makes assignment easier. Actually, you should always use initiatives, even if you only assign a single policy – this way you stay flexible for future requirement changes.


Compliance Monitoring

After assigning policies or initiatives, compliance is evaluated. In this example, all my resources are non-compliant because they have been deployed to a region other than the Canadian ones. This is immediately visible and allows me to take action if needed.
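To see how the parameter values chosen at assignment time drive the compliance result, the evaluation can be modelled locally. The Python below is an added example, not code from this post or from Azure: it models only `allOf`, `not`, and the `in`, `like` and `equals` conditions with their `not` variants. The definition, the parameter name `listOfAllowedLocations`, the resource names and regions are constructed, and case-insensitive comparison is an assumption of the model.

```python
import re

# Constructed definition: the rule references a parameter, not fixed regions.
RULE_IF = {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"}
DEFINITION = {"parameters": {"listOfAllowedLocations": {"type": "Array"}},
              "policyRule": {"if": RULE_IF, "then": {"effect": "deny"}}}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, params):
    """Swap "[parameters('x')]" for the value supplied at assignment time."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    if m is None:
        return value
    return params[m.group(1)]  # KeyError: the assignment omitted a parameter

def matches(cond, resource, params):
    """True when the rule's 'if' block matches, i.e. the effect would apply."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = str(resource.get(cond["field"], "")).lower()
    op, expected = next((k.lower(), v) for k, v in cond.items() if k != "field")
    expected = resolve(expected, params)
    positive = op[3:] if op.startswith("not") else op
    if positive == "in":
        hit = actual in [str(e).lower() for e in expected]
    elif positive == "like":  # only the * wildcard is modelled
        pattern = re.escape(str(expected).lower()).replace(r"\*", ".*")
        hit = re.fullmatch(pattern, actual) is not None
    elif positive == "equals":
        hit = actual == str(expected).lower()
    else:
        raise ValueError(f"unsupported condition {op!r}")
    return hit != op.startswith("not")

def evaluate(definition, assignment_params, resources):
    """Map each resource name to its compliance state under one assignment."""
    rule = definition["policyRule"]["if"]
    return {r["name"]: "non-compliant" if matches(rule, r, assignment_params)
            else "compliant" for r in resources}

# Constructed inventory and the two Canadian regions chosen at assignment time.
RESOURCES = [
    {"name": "vm-web01", "location": "westeurope"},
    {"name": "sql-app01", "location": "canadacentral"},
]
ASSIGNMENT = {"listOfAllowedLocations": ["canadacentral", "canadaeast"]}
print(evaluate(DEFINITION, ASSIGNMENT, RESOURCES))
```

Assigning the same definition with a different `ASSIGNMENT` dictionary changes the result without touching the definition, which is the reuse that parameters provide.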


Happy Azure policy management!
Cheers, Marcel

About Marcel Zehner

Microsoft Azure MVP

2 Responses to Azure Resource Policies Management in the Azure Portal

  1. Pingback: Azure Blueprints – Overview | marcelzehner.ch

  2. To define an Azure Resource Group Naming policy, use the below logic. It forces the RG name to p-rg-* and t-rg-* .
    {
      "if": {
        "allOf": [
          {
            "field": "name",
            "notlike": "p-rg-*"
          },
          {
            "field": "name",
            "notlike": "t-rg-*"
          },
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
