Azure Policy Overview
While organizations are transitioning towards deploying more and more resources in the cloud, it becomes imperative to ensure that the resources being deployed are in accordance with the organization’s standards. In this article, we will understand how we can ensure that our resources in the Azure cloud stay compliant via the use of Azure Policies.
Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies are a mechanism through which we enforce compliance and enable auditing across our organization. Azure Policy does this by running evaluations of your resources and flagging those that are not compliant with the policies you have created.
Given below are the advantages of using Azure Policies:
- Enforcement and compliance: Turn on built-in policies or build custom ones for all resource types. Real-time policy evaluation and enforcement. Periodic and on-demand compliance evaluation.
- Apply policies at scale: Apply policies to a Management Group for control across your entire organization. Apply multiple policies and aggregate policy states with a policy initiative. Define an exclusion scope.
- Remediation: Real-time remediation, and remediation of existing resources.
Here are some use cases for Azure Policies:
- Specify the resource types that your organization can deploy.
- Prohibit the creation of resources in order to control costs.
- Restrict access to a service when we don't want it to be deployed.
- Specify a set of virtual machine SKUs that your organization can deploy.
- Restrict the locations your organization can specify when deploying resources to enforce geographical compliance.
- Enforce a required tag and its value.
- Audit if Azure Backup service is enabled for all Virtual machines.
We can implement Azure Policies at various scopes within our organization. These are as follows:
- Management groups
- Subscriptions
- Resource groups
- Individual resources
Azure Policy components
Policy definition
These are used to define what we will be monitoring for compliance, and they also define the actions that will take place based on that evaluation. Azure offers several built-in policy definitions that we can use. Some of them are listed below.
- Allowed Storage Account SKUs (Deny): Determines if a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don't adhere to the set of defined SKU sizes.
- Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.
- Allowed Locations (Deny): Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements.
- Allowed Virtual Machine SKUs (Deny): Specifies a set of virtual machine SKUs that you can deploy.
- Add a tag to resources (Modify): Applies a required tag and its default value if it's not specified by the deploy request.
- Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
To implement these policy definitions (both built-in and custom definitions), you'll need to assign them. You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI.
Policy assignment
Once we define our policy, we need to assign it to a scope and that is where policy assignment comes into the picture. We can assign policies to management groups, subscriptions, resource groups or even individual resources within the Azure cloud.
Initiative definition
An initiative definition is a collection of policies that together work towards a single high-level goal. Initiatives simplify management by grouping a set of policies into one single item, for example, ensuring that VMs are deployed according to standards.
Azure Policy example
An example of an Azure policy could be a scenario where we require resources to be tagged.
- Policy definition: In this case, we can define that the virtual machines in our environment must have the tag “linux-cloud”. If this tag is missing then the creation of the virtual machine is denied.
- Policy assignment: We would assign this policy at the scope of the resource group under which the VMs would be created.
With this policy in effect, when we try to deploy a VM without the required tag into the resource group with the policy applied, the creation of that virtual machine will be denied.
Azure Policy Example
Now that we've understood the need for Azure policies, gone through the use cases and their different components, it's time to perform some hands-on work and see Azure policies in action. For the purpose of this demonstration, we'll be using a built-in Azure policy definition.
Step 1: Open the Azure policy service pane
Log in to the Azure portal and within the search bar, type policy and select the first result.
This will bring us to the overview section of our Azure Policy service. If you don’t have any existing policies applied, the page should look similar to the one shown below.
This page shows us the overall compliance status of our resources and also if any resources are in a non-compliant state so that we may take corrective actions.
Step 2: Create Azure policy definition
Towards the left side of the page, we have a section named authoring and within this section, there is a tab called definitions. Click on this tab to create a policy definition or use an existing one.
Clicking on the definitions tab takes us to the policy definitions page where we can view all of the pre-existing policies and initiative definitions.
We can use the Type filter on this page to view only custom or only built-in policies. We can also filter policies by category, which essentially corresponds to the different Azure services. Also, we can search for a policy by typing the policy name in the search bar. We are going to search for location-based policies, so we'll type the keyword location in the search bar.
The policy that we are going to use is “allowed locations”. We will click on this policy so that we may examine it.
What we’ll see here is the JSON that defines the policy. Given below is the full JSON policy definition.
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}
Description:
- The definition contains information about the policy such as the display name, description and other metadata. This policy allows us to restrict the locations where we may deploy resources in the Azure cloud, which lets us enforce geographical compliance in the environment.
- The parameters section contains a parameter (of type array) named listOfAllowedLocations.
- The listOfAllowedLocations parameter is matched in the policy rule section such that any location not listed in this parameter is not allowed. After this condition, we have two exemption conditions: if the location field is "global", or if the resource being created is an Azure Active Directory B2C directory, the policy is not enforced.
- In the next section, we see the effect of non-compliance, i.e., deny.
Step 3: Assign Azure Policy
Right above the policy definition JSON, we see an Assign button. Click on this button and we will now need to select the scope for this policy. We have selected our subscription and a resource group under that subscription.
We can also specify exclusions from this policy if we wish, but we are not going to do this in this demonstration. From here, click Next. This brings us to the allowed locations parameters section, where we need to select the locations in which we would like to allow resources to be built.
We will select Asia and Asia Pacific.
Now click review and create and then click on create on the next page.
This will now create the policy assignment which could take up to 30 minutes to take effect.
Step 4: Test the new Azure policy
To test the policy, we'll deliberately attempt to create a virtual machine in a region that is not one of the two allowed locations. So, we navigate to the Virtual Machine service window in Azure and fill in the subscription, resource group, name and image.
In the region we’ve specified “West US” which is NOT Asia or Asia Pacific.
With these parameters entered, click on review and create. On the next page, we’ll encounter the following error.
Click on the arrow to view the error details.
The above error message clearly states that the VM deployment failed because we were trying to create a VM in a location that is not one of the allowed locations, thus verifying the successful enforcement of our Azure Policy.
Summary
In this article, we discussed the need for and benefits of using Azure Policy, and we also practically demonstrated the enforcement of an Azure policy. We encourage you to try out other built-in Azure policies and examine the different levels and types of restrictions that can be enforced.
References
We've referred to the official Azure documentation along with the "Control and organize Azure resources with Azure Resource Manager" and "Build a cloud governance strategy on Azure" modules, which are part of the Managing resources in Azure learning path.
- Azure Policy Overview
- Control and organize Azure resources with Azure Resource Manager
- Build a cloud governance strategy on Azure