Defining Resource Policies in Azure Resource Manager

One of the useful features of Azure Resource Manager is that we can define central policies and assign them to resource groups or entire subscriptions. For instance, we can define policies that say:

* We can only deploy to North and West Europe
* We can only deploy Windows Server 2012 Datacenter VM
* We can only deploy encrypted virtual machines
* We can only use storage accounts with LRS or GRS

As of now, resource policies can evaluate the following resource fields:

  • Microsoft.CDN/profiles/sku.name
  • Microsoft.Compute/virtualMachines/imageOffer
  • Microsoft.Compute/virtualMachines/imagePublisher
  • Microsoft.Compute/virtualMachines/sku.name
  • Microsoft.Compute/virtualMachines/imageSku
  • Microsoft.Compute/virtualMachines/imageVersion
  • Microsoft.SQL/servers/databases/edition
  • Microsoft.SQL/servers/databases/elasticPoolName
  • Microsoft.SQL/servers/databases/requestedServiceObjectiveId
  • Microsoft.SQL/servers/databases/requestedServiceObjectiveName
  • Microsoft.SQL/servers/elasticPools/dtu
  • Microsoft.SQL/servers/elasticPools/edition
  • Microsoft.SQL/servers/version
  • Microsoft.Storage/storageAccounts/accessTier
  • Microsoft.Storage/storageAccounts/enableBlobEncryption
  • Microsoft.Storage/storageAccounts/sku.name
  • Microsoft.Web/serverFarms/sku.name

So for instance, if we want to deploy a policy definition that controls which images are allowed to be deployed to a specific resource group, we can use this:

# Policy rule: deny any virtual machine whose image is not Windows Server 2012 R2 Datacenter
$policy = New-AzureRmPolicyDefinition -Name regionPolicyDefinition -Description "Policy to allow certain images in region group" -Policy '{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "allOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/imagePublisher",
              "equals": "MicrosoftWindowsServer"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/imageOffer",
              "equals": "WindowsServer"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/imageSku",
              "equals": "2012-R2-Datacenter"
            }
          ]
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}'

# Assign the definition to the EVRYPOC resource group (the scope is the resource group's resource ID)
$resourcegroup = Get-AzureRmResourceGroup -Name EVRYPOC
$policy = Get-AzureRmPolicyDefinition -Name regionPolicyDefinition
New-AzureRmPolicyAssignment -Name "VirtualPolicyAssignment" -PolicyDefinition $policy -Scope $resourcegroup.ResourceId

With the new portal UI enhancement we can also see the policy in the portal, which you can access for your Azure subscription here –> https://preview.portal.azure.com


So what happens if we try to deploy an image not listed in the policy to that specific resource group? You now get a "Forbidden" deployment error in the portal.
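To trace by hand why such a deployment is refused, here is an added example (not part of the original post or of Azure's own engine): a small local evaluator for the subset of the policy rule language the definition above uses (field, equals, in, allOf, anyOf, not), run against constructed sample requests. The resource dicts and the None result for "rule did not match" are assumptions of this example.

```python
"""Local evaluator for a subset of the Azure Resource Manager policy rule
language. Constructed example: it mirrors the documented semantics of the
operators but is not Azure's own policy engine."""

# The "Windows Server 2012 R2 Datacenter only" rule from the post.
IMAGE_POLICY = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"allOf": [
                {"field": "Microsoft.Compute/virtualMachines/imagePublisher",
                 "equals": "MicrosoftWindowsServer"},
                {"field": "Microsoft.Compute/virtualMachines/imageOffer",
                 "equals": "WindowsServer"},
                {"field": "Microsoft.Compute/virtualMachines/imageSku",
                 "equals": "2012-R2-Datacenter"},
            ]}},
        ]
    },
    "then": {"effect": "deny"},
}

# Constructed sample request: an Ubuntu VM, which the rule should deny.
UBUNTU_VM = {
    "type": "Microsoft.Compute/virtualMachines",
    "Microsoft.Compute/virtualMachines/imagePublisher": "Canonical",
    "Microsoft.Compute/virtualMachines/imageOffer": "UbuntuServer",
    "Microsoft.Compute/virtualMachines/imageSku": "16.04-LTS",
}


def matches(condition, resource):
    """True when 'resource' (flat dict of policy field -> value) satisfies
    'condition'. String comparisons are case-insensitive, as in Azure."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = str(resource.get(condition["field"], "")).lower()
    if "equals" in condition:
        return value == condition["equals"].lower()
    if "in" in condition:
        return value in [v.lower() for v in condition["in"]]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource):
    """Return the 'then' effect when the 'if' block matches, else None
    (no effect: the request proceeds as far as this policy is concerned)."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else None
```

Running evaluate(IMAGE_POLICY, UBUNTU_VM) returns "deny", while the same request with the MicrosoftWindowsServer / WindowsServer / 2012-R2-Datacenter image, or a non-VM resource such as a storage account, returns None because the outer allOf no longer holds.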


Of course, you can use this template to restrict deployments further, for instance to disallow SQL virtual machines or older specific SKUs from the marketplace. We can also combine this with resource group locks to protect the resource group; the CanNotDelete lock below blocks deletion of the group and its resources (a ReadOnly lock would also block modification).

New-AzureRmResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceGroupName EVRYPOC


If you are looking to define more role-based access control within Azure Resource Manager, I highly recommend reading the best-practices guide from Microsoft here –> https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance
