Azure Resource Policies

Azure Resource Policies have been around for a while, but they stayed somewhat under the radar because there was no portal support and they are aimed at larger environments where more control is required. Azure Resource Policies let you define rules that resources must comply with when they are created or updated. For instance, you can enforce a naming convention, restrict the locations where resources can be created, or restrict which resource types users can create. They differ from RBAC in what they control: RBAC decides what a user is allowed to do based on permissions (for example, preventing a user from creating VMs or Storage Accounts at all), whereas Azure Resource Policies apply finer-grained, conditional rules to the resources themselves, such as allowing or blocking a specific VM series or type of storage account. Because policy is evaluated on the create or update request itself, a request that passes RBAC can still be rejected by policy. Azure Resource Policies recently became available in the preview portal.

Tip: If you didn't already know, you can see some of the upcoming features currently in preview by using the Azure Preview Portal link.

Azure Resource Policy Structure
Azure Resource Policies are authored in JSON and essentially consist of parameters and rules; there is some extra descriptive metadata as well, and you can read the comprehensive documentation here. Parameters make your policies reusable instead of hard-coding values. The policy rules are if..then blocks that can use a range of logical operators and can be nested.

{
  "if": {
    <condition> | <logical operator>
  },
  "then": {
    "effect": "deny | audit | append"
  }
}

In the documentation referenced earlier you will find the list of fields and resource properties you can reference in your rules, for example the location of a resource or the SKU of a VM. The JSON document containing the parameters, rules and descriptive metadata is called a Policy Definition.

Deploying A Resource Policy
After you create the JSON Policy Definition you have to deploy it to your subscription; the detailed deployment documentation can be found here. Short version: you can use the Azure REST API, PowerShell or the Azure CLI, but sadly not the portal at this point in time. Policy definitions are stored at subscription level but are not enforced until you assign them to a resource group or subscription scope. Make sure to update Azure PowerShell first, or the policy samples from the documentation won't work. Azure also ships some predefined policies; run the Get-AzureRmPolicyDefinition PowerShell command to see them.

Assigning A Resource Policy
After the Policy Definition is deployed you can assign it to a resource group or subscription using the Azure REST API, PowerShell, the Azure CLI or the preview portal. In the portal you will find the Policies menu item under your subscription.
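The whole procedure end to end, as an added example that is not part of the original post: a parameterised Policy Definition (the structure described above), deployed with New-AzureRmPolicyDefinition and then assigned to a resource group with New-AzureRmPolicyAssignment. It assumes you have already logged in with Login-AzureRmAccount, that the resource group name and the location and SKU lists are placeholders to replace with your own, and that the field aliases used in the rule ("location", "type" and "Microsoft.Storage/storageAccounts/sku.name") are available in your environment as listed in the policy documentation.

```powershell
# Added example, not code from the original post. Requires an up-to-date
# AzureRM module and an existing login (Login-AzureRmAccount).
# Assumed placeholders: resource group name, allowed locations, allowed SKUs.

# 1. Parameters: keep the definition reusable; concrete values are supplied
#    when the policy is assigned, not when it is defined.
$parameters = @'
{
  "listOfAllowedLocations": {
    "type": "array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions in which resources may be created"
    }
  },
  "listOfAllowedStorageSkus": {
    "type": "array",
    "metadata": {
      "displayName": "Allowed storage SKUs",
      "description": "Storage account SKUs that may be created"
    }
  }
}
'@

# 2. Rule: deny when the resource is outside the allowed regions, OR when it
#    is a storage account whose SKU is not on the allowed list.
#    anyOf / allOf / not are the logical operators and can be nested;
#    "field" + "in" / "equals" are the conditions.
#    The sku.name alias is assumed from the documentation's alias list.
$rule = @'
{
  "if": {
    "anyOf": [
      {
        "not": {
          "field": "location",
          "in": "[parameters('listOfAllowedLocations')]"
        }
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/sku.name",
              "in": "[parameters('listOfAllowedStorageSkus')]"
            }
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
'@

# 3. Deploy the definition to the subscription. It is stored here but does
#    nothing until it is assigned to a scope.
$definition = New-AzureRmPolicyDefinition -Name 'restrict-location-and-storage-sku' `
    -DisplayName 'Restrict locations and storage account SKUs' `
    -Description 'Deny resources outside approved regions and non-approved storage SKUs' `
    -Policy $rule -Parameter $parameters

# 4. Assign it to a resource group scope and supply the parameter values.
#    'rg-policy-demo' is a placeholder resource group name.
$rg = Get-AzureRmResourceGroup -Name 'rg-policy-demo'
New-AzureRmPolicyAssignment -Name 'restrict-location-and-storage-sku-demo' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{
        listOfAllowedLocations   = @('westeurope', 'northeurope')
        listOfAllowedStorageSkus = @('Standard_LRS', 'Standard_GRS')
    }

# 5. Verify the definition sits next to the predefined ones.
Get-AzureRmPolicyDefinition |
    Select-Object Name, @{ n = 'DisplayName'; e = { $_.Properties.displayName } }
```

To test the assignment, deploy a storage account into the resource group with a SKU that is not on the list, or any resource in a region that is not: Resource Manager rejects the request at deployment time with a RequestDisallowedByPolicy error. Resources that already exist in the scope are not touched; the rule is only evaluated on create and update requests. Use an effect of audit instead of deny while you are tuning a rule so that non-compliant deployments are logged rather than blocked.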

[Screenshot: Azure Resource Policies]

From here you can assign a policy to a resource group or subscription and provide values for its parameters. The predefined policies also appear in the drop-down list.

[Screenshot: Azure Resource Policies]

Francois Delport