Introduction to Azure Policy

Azure Policy is the set of rules we can enforce over azure resources .

It is a free Azure service that you can assign to resources, and receive alerts or take action in cases of non-compliance with these policies.

An Organisation need to make sure all their Azure resources are deployed under west us region.

Restrict disk size between 4 - 64 GB to prevent cost

Restrict developer to create Virtual Machine with sku’s B1s , B1ls

It can prevent the creation of disallowed resources, ensure new resources have specific settings applied .

Azure policy is basically 3 components; policy definition , assignment and parameters.

Azure Policy Defination

Policy defination is set of logical expression (What to evaluate and what action needs to be taken)

{
         "if": {
            "allOf": [
               {
                  "field": "type",
                  "equals": "Microsoft.Compute/virtualMachines"
               },
               {
                  "not": {
                     "field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('listOfAllowedSKUs')]"
                  }
               }
            ]
         },
         "then": {
            "effect": "Deny"
         }
      }
logical operators supported
     * not
     * allOf
     * anyOf
Condition type supported
     * equals
     * notEquals
     * like
     * notLike
     * match
     * notMatch
     * contains
     * notContains
     * in
     * notIn
     * containsKey
     * notContainsKey
     * exists
Effects type supported
     * Deny
     * Audit
     * Append 
     * AuditIfNotExists 
     * DeployIfNotExists 

How to create custom Azure Policy

In This Example , We will create a policy to allow the use of Disk size with 4 GB , 8 GB only

Home > Policy > Policy Defination
{
  "mode": "All",
  "policyRule": {
     "if": {
         "not" :{
              "field": "Microsoft.Compute/disks/diskSizeGB",
              "in": "[parameters('listOfAlloweddiskSize')]"
               }
    },
    "then": {
      "effect": "deny"
    } 
  },
  "parameters": {
    "listOfAlloweddiskSize": {
      "type": "Array",
      "metadata": {
        "description": "The list of allowed disk size for resources.",
        "displayName": "Allowed disk size"
      }
    }
  }
}

How to assign on azure resource group or Azure Subscription

Home > Policy > Assign Policy

Assign parameter

How to test

Create disk of size 1024 GB . It will raise error while deploying

How it is different from RBAC

Role-based Access Control is about limiting which users can do what.
Azure Policy is about limiting what actions can and cannot be taken.
It doesn’t really care about what kind of user you are, if the Policy says you can’t open a certain port to the world, then you can’t.