A while back I blogged about Azure Policies. Policies can be used as part of Azure Governance to audit and enforce compliance. For instance, they let you enforce the use of specific regions or require that resources are tagged. I covered the details in my previous blog post and will not go into them again. Meanwhile, things have changed: there is now a graphical implementation that can be used to manage policies in the Azure portal.
The main procedure is still the same: you need a policy definition, and you assign it to a subscription or resource group for it to become active. A set of policy definitions is delivered that can be used as they are, which gives you a good kick-start into this topic.
If you take a look at the JSON of the policy definitions, you will see how they are constructed. Lots of the definitions use parameters. That means that when the definition is assigned, you need to pass parameter values. This way, the same policy definitions can easily be reused for different subscriptions and resource groups, simply by providing different parameter values at assignment time.
Assigning a policy definition is pretty straightforward. After giving the assignment a name, you select the assignment scope. This can be a subscription or a specific resource group. After selecting the scope, specific resources can be excluded from the assignment. The pricing tier is important: the free tier allows you to manage definitions and assignments, whereas the Standard tier also allows you to check the compliance of your environment. At the time of writing, the pricing details were not yet disclosed.
In this example the allowed locations are passed to the definition as parameters. This is why I need to select the locations I want to allow. In this example I selected two regions in Canada. Once the assignment is completed, it is visible in the portal and will be active.
As an alternative to policy definitions, initiative definitions can be used. Initiative definitions are groups of policies that you can manage as a single entity, which makes assignment easier. Actually, you should always use initiatives, even if you only assign a single policy – this way you stay flexible for future requirement changes.
After policies or initiatives are assigned, compliance is evaluated. In this example, all my resources are non-compliant because they have been deployed to regions other than the two Canadian ones. This is immediately visible and allows me to take action if needed.
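The parameter reuse and the compliance result described above can be modelled in a few lines of Python. This is an added example, not code from the original post or from Azure: the definition JSON is a constructed, simplified "allowed locations" rule, the resource names and the second (Europe) assignment are made up, and the evaluator only understands `allOf`, `notIn` and `notEquals`.

```python
import json

# Constructed, simplified definition modelled on an "allowed locations" policy.
DEFINITION = json.loads("""{
  "parameters": {"listOfAllowedLocations": {"type": "Array"}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
      {"field": "location", "notEquals": "global"}]},
    "then": {"effect": "deny"}}
}""")

def resolve(value, params):
    """Replace a "[parameters('name')]" expression with the assigned value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(cond, resource, params):
    """True when the resource satisfies the 'if' condition (is in violation)."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    if "notIn" in cond:
        return actual not in [v.lower() for v in resolve(cond["notIn"], params)]
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, assignment_params, resources):
    """Return {resource name: 'Compliant' | 'Non-compliant'} for one assignment."""
    missing = set(definition["parameters"]) - set(assignment_params)
    if missing:
        raise ValueError(f"assignment is missing parameters: {sorted(missing)}")
    rule = definition["policyRule"]["if"]
    return {r["name"]: "Non-compliant" if matches(rule, r, assignment_params)
            else "Compliant" for r in resources}

# Constructed sample resources and two assignments of the same definition.
RESOURCES = [{"name": "vm-web01", "location": "westeurope"},
             {"name": "stor-logs", "location": "canadacentral"},
             {"name": "dns-zone", "location": "global"}]
CANADA = {"listOfAllowedLocations": ["canadacentral", "canadaeast"]}
EUROPE = {"listOfAllowedLocations": ["westeurope", "northeurope"]}

if __name__ == "__main__":
    for params in (CANADA, EUROPE):
        print(evaluate(DEFINITION, params, RESOURCES))
```

The same definition flags `vm-web01` under the Canada assignment and `stor-logs` under the Europe one, while an assignment that omits the parameter is rejected before any resource is evaluated.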
Happy Azure policy management!