One of the questions that comes our way often as our clients start to move toward the cloud is, how am I going to manage these cloud resources from a policy perspective? The answer is, strangely enough… Azure Policy.
What Is Azure Policy?
Azure Policy is active control and governance at scale for your Azure resources. Azure Policy enables the following:
• Govern your Azure resources with simplicity
• Apply management and security at scale
• Enforce policies and audit compliance
• Monitor compliance continuously
• Build custom policies with flexibility
• Apply built-in policies from Microsoft and the community
Let’s take a look at what Azure Policy looks like in a real-world scenario.
Finding The Policy Blade
From the Azure Portal, let’s search for Azure Policy by clicking All Services in the top left corner…
… and searching for Policy.
Now that we are in the Policy blade, let’s see what our options are:
• Overview – this is your monitoring pane once policy has been applied; it shows non-compliant policies
• Getting Started – this is a great resource page that gives information about how to start using Azure Policy
• Compliance – this is where you will monitor individual policies
• Assignments – here is where you will assign an individual policy or a group of policies
• Definitions – here is where you will author a policy
Now let’s work through a scenario where we want to apply a Microsoft-provided policy to our subscription. Let’s assume that, for a specific Azure subscription, we only want resources to be deployed in the following regions: East US or West US. How do we go about applying a policy that would enforce these criteria?
From the Authoring – Assignments blade, let’s select Assign Policy.
Then the Assign Policy blade will be displayed.
The first thing we need to do is click the ellipsis for Policy and select the provided “Allowed Locations” policy at the very bottom of the list.
Next, we select the pricing tier, which we can leave as Standard.
Then, we select the Scope of where we would like to apply the policy.
Lastly, we select the East US and West US regions from the drop-down under the Parameters section.
Finally, we click Save.
Now that we have the policy applied, you will see the following screen in the Assignments blade:
Now let’s test the policy by attempting to deploy something outside those two regions and see what happens.
Let’s try to create a storage account in the Central US region for instance.
When we click Create, we get the following error immediately. This shows that a policy violation has occurred.
This is a simple demonstration of Azure Policy and how it can be used to ensure that resources are provisioned in desired regions and denied provisioning based on policy. This is just the tip of the iceberg; many more things can be controlled with Azure Policy.
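The deny decision from the walkthrough above, sketched as an added example that is not part of the original post or Microsoft's code: a simplified Python evaluator for an allowed-locations style rule. The rule shape, the `listOfAllowedLocations` parameter name, the `global` exemption and the sample resources are assumptions constructed for illustration.

```python
# Added example: simplified evaluator, not Azure's policy engine.
# Rule shape and parameter name are assumptions modelled on an
# allowed-locations definition; 'global' exempts region-less resources.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}
# Assignment parameters from the walkthrough: East US and West US only.
ASSIGNMENT_PARAMS = {"listOfAllowedLocations": ["eastus", "westus"]}

def resolve(value, params):
    """Expand a "[parameters('name')]" reference to its assigned value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(cond, resource, params):
    """Evaluate allOf / notIn / notEquals conditions, case-insensitively."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    if "notIn" in cond:
        return actual not in [v.lower() for v in resolve(cond["notIn"], params)]
    if "notEquals" in cond:
        return actual != str(resolve(cond["notEquals"], params)).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, rule=POLICY_RULE, params=ASSIGNMENT_PARAMS):
    """Return the rule's effect when the 'if' block matches, else 'allow'."""
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else "allow"

# Constructed sample requests, including the Central US storage account.
SAMPLES = [
    {"name": "stgeast", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "stgcentral", "type": "Microsoft.Storage/storageAccounts", "location": "centralus"},
    {"name": "dnszone", "type": "Microsoft.Network/dnszones", "location": "global"},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r['name']:<12}{r['location']:<12}{evaluate(r)}")
```

Keeping the assignment parameters in a file like this also gives reviewers a diffable record of which regions are permitted, which the portal steps alone do not.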