Azure Policy Explained with Example [Step-by-Step]


Azure

Author: Sahil Hulage
Reviewer: Deepak Prasad

Azure Policy Overview

While organizations are transitioning towards deploying more and more resources in the cloud, it becomes imperative to ensure that the resources being deployed are in accordance with the organization’s standards. In this article, we will understand how we can ensure that our resources in the Azure cloud stay compliant via the use of Azure Policies.

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies are the mechanism through which we enforce compliance and enable auditing across our organization. Azure Policy does this by evaluating your resources and flagging those that are not compliant with the policies you have created.

Given below are the advantages of using Azure Policies:

  • Enforcement and compliance: Turn on built-in policies or build custom ones for all resource types. Real-time policy evaluation and enforcement. Periodic and on-demand compliance evaluation.
  • Apply policies at scale: Apply policies to a management group for control across your entire organization. Apply multiple policies and aggregate policy states with a policy initiative. Define an exclusion scope.
  • Remediation: Real-time remediation, and remediation of existing resources.

Here are some use cases for Azure Policies:

  • Specify the resource types that your organization can deploy.
  • Prohibit the creation of resources for controlling costs.
  • Restrict access to a service that we do not want deployed.
  • Specify a set of virtual machine SKUs that your organization can deploy.
  • Restrict the locations your organization can specify when deploying resources to enforce geographical compliance.
  • Enforce a required tag and its value.
  • Audit if Azure Backup service is enabled for all Virtual machines.

We can implement Azure Policies at various scopes within our organization. These are as follows:

  • Management groups
  • Subscriptions
  • Resource groups
  • Individual resources

Azure Policy components

Policy definition

A policy definition specifies what we will be monitoring for compliance and the action that will be taken based on that evaluation. Azure offers several built-in policy definitions that we can use. Some of them are listed below.

  • Allowed Storage Account SKUs (Deny): Determines if a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don't adhere to the set of defined SKU sizes.
  • Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.
  • Allowed Locations (Deny): Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements.
  • Allowed Virtual Machine SKUs (Deny): Specifies a set of virtual machine SKUs that you can deploy.
  • Add a tag to resources (Modify): Applies a required tag and its default value if it's not specified by the deploy request.
  • Not allowed resource types (Deny): Prevents a list of resource types from being deployed.

To implement these policy definitions (both built-in and custom definitions), you'll need to assign them. You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI.

Policy assignment

Once we define our policy, we need to assign it to a scope and that is where policy assignment comes into the picture. We can assign policies to management groups, subscriptions, resource groups or even individual resources within the Azure cloud.

Initiative definition

An initiative definition is a collection of policies that together work towards a single high-level goal. An initiative simplifies management by grouping a set of policies into one item that is assigned as a unit; for example, ensuring that VMs are deployed according to organizational standards.

Azure Policy example

An example of an Azure policy could be a scenario where we require resources to be tagged.

  • Policy definition: In this case, we can define that the virtual machines in our environment must have the tag “linux-cloud”. If this tag is missing then the creation of the virtual machine is denied.
  • Policy assignment: We would assign this policy at the scope of the resource group under which the VMs would be created.

With this policy in effect, any attempt to deploy a VM without the required tag into the resource group where the policy is assigned will be denied.

Azure Policy Example

Now that we have covered the need for Azure policies, their use cases and their components, it is time for some hands-on practice to see Azure policies in action. For this demonstration, we will use a built-in Azure policy definition.

Step 1: Open the Azure policy service pane

Log in to the Azure portal and within the search bar, type policy and select the first result.

This will bring us to the overview section of our Azure Policy service. If you don’t have any existing policies applied, the page should look similar to the one shown below.

This page shows us the overall compliance status of our resources and also if any resources are in a non-compliant state so that we may take corrective actions.

Step 2: Create Azure policy definition

On the left side of the page, under the Authoring section, there is a tab called Definitions. Click on this tab to create a policy definition or use an existing one.

Clicking on the definitions tab takes us to the policy definitions page where we can view all of the pre-existing policies and initiative definitions.

We can use the Type filter on this page to view only custom or only built-in policies. We can also filter policies by category, which essentially corresponds to the different Azure services, or search for a policy by typing its name in the search bar. We are going to search for location-based policies, so we will type the keyword location in the search bar.

The policy that we are going to use is "Allowed locations". We will click on this policy so that we may examine it.

What we’ll see here is the JSON that defines the policy. Given below is the full JSON policy definition.

{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}

Description:

  • The definition contains metadata about the policy such as the display name, description, version and category. This policy lets us restrict the locations where resources may be deployed in the Azure cloud, which enforces geographical compliance in the environment.
  • The parameters section declares a parameter of type array named listOfAllowedLocations; its value is supplied when the policy is assigned.
  • The policyRule section evaluates the listOfAllowedLocations parameter: the first condition matches any resource whose location is not in that list. The two conditions that follow, in the same allOf block, act as exemptions: if the location is global, or if the resource being created is an Azure Active Directory B2C directory, the set of conditions does not match and the policy is not enforced.
  • The then section specifies the effect applied when all of the conditions match, i.e., deny.
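To make the rule semantics concrete, here is a small evaluator for the policyRule grammar used by the "Allowed locations" definition above and by the "VMs must carry the linux-cloud tag" example earlier in the article. It is an added illustration, not Azure's engine or any code from this article: the allowed-locations rule is the built-in one quoted above, the required-tag rule is a hypothetical custom definition, and the sample request and parameter values are constructed to mirror Steps 3 and 4.

```python
import re

def _resolve(value, params):
    # Substitute Azure's "[parameters('name')]" expression with the assigned parameter value.
    m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _field(resource, name):
    # Resolve a 'field' alias: a top-level property, or tags['key'] for a tag lookup.
    m = re.fullmatch(r"tags\['([^']+)'\]", name)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(name)

def _norm(v):  # Azure Policy compares strings case-insensitively
    return v.lower() if isinstance(v, str) else v

def evaluate(cond, resource, params):
    """True when the condition matches the request, i.e. the rule's 'if' block fires."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    actual = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "notIn" in cond:
        return actual not in [_norm(v) for v in _resolve(cond["notIn"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(rule, resource, params):
    """Effect the engine would apply when the rule fires, or 'compliant' when it does not."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else "compliant"

# The built-in "Allowed locations" policyRule quoted in this article, as a Python dict.
ALLOWED_LOCATIONS_RULE = {"if": {"allOf": [
    {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
    {"field": "location", "notEquals": "global"},
    {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"}]},
    "then": {"effect": "deny"}}

# Hypothetical custom policyRule for the "VMs must carry the linux-cloud tag" example (not from the page).
REQUIRED_TAG_RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "tags['linux-cloud']", "exists": "false"}]},
    "then": {"effect": "deny"}}

# Constructed sample: the two locations selected in Step 3 and the West US VM attempted in Step 4.
PARAMS = {"listOfAllowedLocations": ["asia", "asiapacific"]}
WESTUS_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "westus", "tags": {}}
```

Running `effect_for(ALLOWED_LOCATIONS_RULE, WESTUS_VM, PARAMS)` returns "deny", matching the portal error in Step 4, while a global resource or a B2C directory in West US is reported compliant because the exemption conditions fail.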

Step 3: Assign Azure Policy

Right above the policy definition JSON there is an Assign button. Click on it, and we will now need to select the scope for this policy. We have selected our subscription and a resource group under that subscription.

We could also specify exclusions from this policy if we wished, but we are not going to do that in this demonstration. From here, click Next. This brings us to the parameters section, where for Allowed locations we need to select the locations in which we would like to allow resources to be built.

We will select Asia and Asia Pacific.

Now click Review + create, and then click Create on the next page.

This creates the policy assignment, which could take up to 30 minutes to take effect.

Step 4: Test the new Azure policy

To test the policy, we will deliberately attempt to create a virtual machine in a location that is not one of the two allowed locations. Navigate to the Virtual Machines service in the Azure portal and fill in the subscription, resource group, name and image.

For the region we have specified "West US", which is NOT Asia or Asia Pacific.

With these parameters entered, click Review + create. On the next page, we encounter the following error.

Click on the arrow to view the error details.

The error message clearly states that the VM deployment failed because we were trying to create the VM in a location that is not one of the allowed locations, which verifies that our Azure Policy is being enforced.

Summary

In this article, we discussed the need for and benefits of Azure Policy, and we practically demonstrated the enforcement of an Azure policy. We encourage you to try out other built-in Azure policies and examine the different levels and types of restrictions that can be enforced.

References

We referred to the official Azure documentation along with the "Control and organize Azure resources with Azure Resource Manager" and "Build a cloud governance strategy on Azure" modules, which are part of the Managing resources in Azure learning path.

  • Azure Policy Overview
  • Control and organize Azure resources with Azure Resource Manager
  • Build a cloud governance strategy on Azure

Sahil Hulage

He has over 5 years of experience as a Cloud Consultant, specializing in Azure DevOps and CloudLinux. With his expertise, he implements and optimizes cloud solutions, ensuring seamless operations and efficient resource management. You can connect with him on his LinkedIn profile.