What are Azure policies and how do I use them?
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance.
- Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.
- Select Assignments on the left side of the Azure Policy page. An assignment is a policy that has been assigned to take place within a specific scope.
- Select Assign Policy from the top of the Policy - Assignments page.
- On the Assign Policy page, select the Scope by clicking the ellipsis and selecting the resource group that we created earlier. You could also select either a management group or subscription. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then click Select at the bottom of the Scope page. This example uses the UIC-ACCC-Central subscription. Your subscription will differ.
- Resources can be excluded based on the Scope. Exclusions start at one level lower than the level of the Scope. Exclusions are optional, so leave it blank for now.
- Select the Policy definition ellipsis to open the list of available definitions. Azure Policy comes with built-in policy definitions you can use. Many are available, such as:
  - Enforce tag and its value
  - Apply tag and its value
  - Require SQL Server version 12.0
- Search through the policy definitions list to find the allowed location definition. Click on that policy and click Select.
- The Assignment name is automatically populated with the policy name you selected, but you can change it. You can also add an optional Description. The description provides details about this policy assignment. Assigned by will automatically fill based on who is logged in. This field is optional, so custom values can be entered.
- Leave Create a Managed Identity unchecked. This box must be checked when the policy or initiative includes a policy with the deployIfNotExists
- For the parameter field, select anything other than North Central US.
- Click Assign.
Identify non-compliant resources
- Select Compliance in the left side of the page.
- Locate the allowed location policy assignment you created.
- If any existing resources are not compliant with this new assignment, they appear under Non-compliant resources. Notice that the VM we created earlier in this guide was deployed in North Central US, which this policy does not list as an allowed location, so it will eventually (after 30 minutes) show up as a non-compliant resource.
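To make the assignment and compliance steps above concrete without the portal, here is an added example (not code from this guide or from Microsoft) that evaluates a policy rule written in the shape of the built-in "Allowed locations" definition against a constructed resource inventory; the rule, the parameter values and the sample resources are all made up for illustration, and Azure performs this evaluation server-side.

```python
import re

# Constructed policy rule in the shape of the built-in "Allowed locations" definition:
# deny a resource whose location is not in the parameter list (global resources exempt).
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}

# Assignment parameter as chosen in the walkthrough: anything but North Central US.
ASSIGNMENT_PARAMS = {"listOfAllowedLocations": {"value": ["eastus", "westus2"]}}

# Constructed sample inventory; the VM mirrors the one created in North Central US.
RESOURCES = [
    {"name": "vm-guide", "type": "Microsoft.Compute/virtualMachines", "location": "northcentralus"},
    {"name": "st-logs", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "tm-profile", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
]

def resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's value."""
    m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)]["value"] if m else value

def condition_matches(cond, resource, params):
    """Evaluate one field condition; location comparisons are case-insensitive."""
    actual = str(resource.get(cond["field"], "")).lower()
    if "notIn" in cond:
        return actual not in {v.lower() for v in resolve(cond["notIn"], params)}
    if "notEquals" in cond:
        return actual != str(resolve(cond["notEquals"], params)).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resources, rule=POLICY_RULE, params=ASSIGNMENT_PARAMS):
    """Map each resource to the state the portal's Compliance blade would show."""
    states = {}
    for r in resources:
        # 'allOf' matches only when every sub-condition holds; a match means the
        # deny effect applies, so an existing resource is reported NonCompliant.
        hit = all(condition_matches(c, r, params) for c in rule["if"]["allOf"])
        states[r["name"]] = "NonCompliant" if hit else "Compliant"
    return states

if __name__ == "__main__":
    for name, state in evaluate(RESOURCES).items():
        print(f"{name}: {state}")
```

Running it reports vm-guide as NonCompliant and the other two as Compliant, matching what the Compliance page shows once the assignment has been evaluated.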