Learn why resource policies are an important component in controlling your Azure resources. You will learn how to define a resource policy and then apply it to an Azure resource group.
- [Instructor] Resource policies in Azure allow you to manage and control all of your resources. For example, you could limit the size of a virtual machine, eliminating sticker shock, or you could set up a policy to allow virtual machines to only be created in specific data centers. Policies are composed of two components. The first is the policy definition, which defines the policy; this includes when to enforce the policy and what action to take, whether that is allow or deny. In order to create policy definitions, you must have the Microsoft.Authorization/policydefinitions/write permission.
The second part of our policies is the policy assignment, and as the name states, this allows us to assign the policy at the subscription, resource group, or resource level. To assign policies, you must have the rights under Microsoft.Authorization/policyassignments/write. Our policy definitions are created in a JSON file, and they're very similar to the templates we've already seen earlier in this course. A policy definition includes parameters, which define the values for the policy; a display name, which is a friendly name; a description, obviously a description of that policy; and the policy rule.
The policy rule will be a typical if/then statement, using a logical evaluation, which will include not, allOf, or anyOf. And then effect, is it a deny, audit, or append. For example, if a condition is met, then apply the effect. And we're going to see that, as we actually work through our demo, which we are going to pop to now. I'm already logged into Azure, and I do not have any policies applied, at this point in time. We actually create policies via PowerShell, and a JSON script.
Let's go ahead and take a look at our JSON script; you will find it in the exercise folders. You will find this policy in the exercise folders, chapter 2_3. We're going to go ahead and open up the restrict VM policy and take a look at it. As you can see, this is our if/then rule: if our virtual machines are not a Standard A1, A2, D1_V2, or Standard F1, then the virtual machine creation will be denied. That is our effect.
I have this file saved, I'm going to go ahead and close it. Now we're going to go ahead and run the PowerShell script that will define and apply the policy for us. I'm going to log in to ISE, to do so, I'm going to click the windows key, type ISE, and I'm going to run as administrator, therefore I must right click, and run as administrator. If you happen to receive a dialog box, asking "are you really sure you want to run as administrator?", go ahead and click yes.
The first thing I need to do is log into my account. To do so, I am going to use the command Login-AzureRmAccount. I can see I am not in the right subscription; therefore, I need to change my Azure subscription. To do so, I'm going to use the command Select-AzureRmSubscription and then provide my subscription ID. You may or may not have to do this. And then I'm going to go ahead and run this command. We can see that I am now in the right subscription, which happens to be called pay as you go. You will also notice that I'm stepping through each of these commands individually.
You could go ahead and run the entire script at once, I like to step through it, to show you exactly what each command will do. Now we can go ahead and actually define our policy. To do so, we're going to go ahead and use the command new Azure RM policy definition. We're going to provide a name, and a description. Now I have to provide the path of that policy.
I can now go ahead and create that policy definition. And as we can see, our policy has now been created. Now that it's been created, we can go ahead and apply it. I want to apply this policy, just to the resource group that we've been working in, called simple VM. The first thing I'm going to do, is create a variable, called policy. Next we're going to use get Azure RM policy definition, and specify the name.
This value will now be saved in our policy variable. And now, we can finally apply that policy. We use new Azure RM policy assignment, specifying the name of our policy. Next, we're going to specify our policy definition, which is contained in our variable policy. And finally, our scope. What do we want to apply this to? For ease of use, I'm just going to copy and paste.
We're going to apply to our subscription, we've provided our subscription ID. Next we're stating that this will be applied to resource groups, and then the name of our resource group, which happens to be simple VM. I can now go ahead and run this command. As you can see, I have an error here. What I think happened, was I didn't run the previous command. I've gone ahead, rerun that, and let's try this one more time. Perfect.
That is one of the drawbacks of stepping through a script. If you miss a line, it can affect you later, and then you have to backtrack and figure out which line you missed. We can now see that our policy has been assigned. Let's go ahead and test this. I'm going to go back into Azure. I'm going to pop into our resource group, simple VM. I'm clicking on the resource group blade, and then simple VM. I'm going to go ahead and create a new virtual machine. I could have easily done this in PowerShell as well.
We've created hundreds of virtual machines at this point, so we're going to go ahead and click create. The name I'm going to provide here will be for testing, to make sure that our policy is actually working. I'm going to select an HDD disk drive, and then provide our username and password. And we have our subscription; we're going to use the existing resource group, because we applied the policy to that resource group. And I'm going to leave my location. I'm clicking OK. Now, as you recall, an A1 was in our list, and I believe a D1_V2 was also in our list, or it could have been a D2_V2.
But just to be on the safe side, let's pick something else. I'm going to scroll down. As much as I'd love to run a G3 machine, we're not going to do so. We do expect this to fail, but I'm still going to select a smaller machine. I'm going to select an A3, click select. I'm going to leave all the default settings. And then we have a summary. And at this point, you may be thinking, "Wait a minute, why has this policy not kicked in yet?" Don't panic, it will.
Go ahead and click OK. And now, we just have to be patient. Perfect, you can see that our deployment has failed. Let's look at that error in a little bit more detail. I'm going to go ahead and click here for details. But we can see the error detail here, that the resource action is disallowed by one or more policies. So our policy was applied, and it is working exactly the way it should be.
A quick recap: policies have two components, the definition and then the assignment. You'll define your policy using a JSON file, and then you'll apply it. Again, you'll use PowerShell to apply these policies.
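The complete definition-and-assignment procedure from the demo, written out as one script. This is an added example, not the course's exercise file or its restrict VM policy JSON: the policy rule is reconstructed from the description above (deny any VM whose size is not Standard_A1, Standard_A2, Standard_D1_v2 or Standard_F1), the subscription ID is a placeholder, and the definition and assignment names are chosen here. It uses the AzureRM cmdlets named in the transcript and adds a check of the resulting assignment plus an optional negative test that tries to create a VM with a disallowed size.

```powershell
# Added example: define a VM-size deny policy, assign it to one resource group, verify.
# Assumes the AzureRM module (Login-AzureRmAccount, New-AzureRmPolicyDefinition, ...).
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, use your own
$resourceGroup  = 'simpleVM'                                # resource group from the demo
$policyFile     = Join-Path $env:TEMP 'restrict-vm-size.json'

# Policy rule (reconstructed, not the course file): if the resource is a virtual
# machine AND its SKU is NOT in the allow-list, deny the request.
# "allOf", "not" and "in" are Azure Policy logical operators; the VM size is read
# through the alias Microsoft.Compute/virtualMachines/sku.name.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": [ "Standard_A1", "Standard_A2", "Standard_D1_v2", "Standard_F1" ]
        }
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@
Set-Content -Path $policyFile -Value $policyRule -Encoding UTF8

# Sign in and make sure the right subscription is selected (as in the demo).
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# 1. Policy definition (needs Microsoft.Authorization/policydefinitions/write).
#    -Policy accepts the path to the JSON rule file.
$policy = New-AzureRmPolicyDefinition -Name 'restrictVmSize' `
    -DisplayName 'Restrict VM sizes' `
    -Description 'Deny VM creation unless the size is Standard_A1, A2, D1_v2 or F1' `
    -Policy $policyFile

# 2. Policy assignment scoped to a single resource group
#    (needs Microsoft.Authorization/policyassignments/write).
#    Scope format: /subscriptions/<id>/resourceGroups/<name>
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
New-AzureRmPolicyAssignment -Name 'restrictVmSize-simpleVM' `
    -PolicyDefinition $policy `
    -Scope $scope

# 3. Check: the assignment should now be listed at that scope.
Get-AzureRmPolicyAssignment -Scope $scope |
    Select-Object Name, @{ n = 'DefinitionId'; e = { $_.Properties.policyDefinitionId } }

# 4. Optional negative test, the PowerShell equivalent of the portal attempt above:
#    creating a Standard_A3 VM in the scoped resource group must be rejected by the
#    policy before anything is deployed. (Assumed error code: RequestDisallowedByPolicy.)
$cred = Get-Credential -Message 'Local admin for the test VM'
try {
    New-AzureRmVM -ResourceGroupName $resourceGroup -Name 'policytest' `
        -Image 'UbuntuLTS' -Size 'Standard_A3' -Credential $cred `
        -Location 'eastus' -ErrorAction Stop
    Write-Warning 'VM was created; the policy did not deny the request.'
}
catch {
    if ($_.Exception.Message -match 'RequestDisallowedByPolicy|disallowed by') {
        Write-Host 'Policy denied the Standard_A3 VM as expected.'
    } else {
        throw
    }
}
```

Run the script top to bottom rather than line by line; as the instructor notes, skipping the Get/New-AzureRmPolicyDefinition line leaves `$policy` empty and the assignment then fails. The assignment is scoped to the resource group only, so the same disallowed size still deploys in any other resource group in the subscription; widen `$scope` to `/subscriptions/$subscriptionId` if the restriction is meant to be subscription-wide.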