Open in app

Sign in

Write

Sign in

Introduction to Azure Policy

Mohit Gupta
AzureDiary
Published in
3 min readSep 21, 2020

Azure Policy is the set of rules we can enforce over azure resources .

It is a free Azure service that you can assign to resources, and receive alerts or take action in cases of non-compliance with these policies.

An Organisation need to make sure all their Azure resources are deployed under west us region.

Restrict disk size between 4–64 GB to prevent cost

Restrict developer to create Virtual Machine with sku’s B1s , B1ls

It can prevent the creation of disallowed resources, ensure new resources have specific settings applied .

Azure policy is basically 3 components; policy definition , assignment and parameters.

Azure Policy Defination

Policy defination is set of logical expression (What to evaluate and what action needs to be taken)

{
   "if":{
      "allOf":[
         {
            "field":"type",
            "equals":"Microsoft.Compute/virtualMachines"
         },
         {
            "not":{
               "field":"Microsoft.Compute/virtualMachines/sku.name",
               "in":"[parameters('listOfAllowedSKUs')]"
            }
         }
      ]
   },
   "then":{
      "effect":"Deny"
   }
}

logical operators supported

* not 
* allOf 
* anyOf

Condition type supported

* equals 
* notEquals 
* like 
* notLike 
* match 
* notMatch 
* contains 
* notContains 
* in 
* notIn 
* containsKey 
* notContainsKey 
* exists

Effects type supported

* Deny 
* Audit 
* Append 
* AuditIfNotExists 
* DeployIfNotExists

How to create custom Azure Policy

In This Example , We will create a policy to allow the use of Disk size with 4 GB , 8 GB only

Home > Policy > Policy Defination{
   "mode":"All",
   "policyRule":{
      "if":{
         "not":{
            "field":"Microsoft.Compute/disks/diskSizeGB",
            "in":"[parameters('listOfAlloweddiskSize')]"
         }
      },
      "then":{
         "effect":"deny"
      }
   },
   "parameters":{
      "listOfAlloweddiskSize":{
         "type":"Array",
         "metadata":{
            "description":"The list of allowed disk size for resources.",
            "displayName":"Allowed disk size"
         }
      }
   }
}

How to assign on azure resource group or Azure Subscription

Home > Policy > Assign Policy

Assign parameter

How to test

Create disk of size 1024 GB . It will raise error while deploying

How it is different from RBAC

Role-based Access Control is about limiting which users can do what.
Azure Policy is about limiting what actions can and cannot be taken.
It doesn't really care about what kind of user you are, if the Policy says you can't open a certain port to the world, then you can't.

Originally published at https://aum-kaara.github.io.

Azure Policies
Azure

--

--

Mohit Gupta
AzureDiary

Written by Mohit Gupta

63 Followers
Editor for

Integration Developer works on Azure , DevOps , BizTalk. Contact : mohit.e.gupta@gmail.com

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams