Use policies to enforce standards

You're organizing your resources better in resource groups, and you have applied tags to your resources to use them in billing reports and in your monitoring solution. Resource grouping and tagging have made a difference within the existing resources, but how does one make sure that new resources follow the rules? You'll take a glance at how policies can assist you to enforce standards in your Azure environment.

What is Azure Policy?

Azure Policy may be a service you'll use to make, assign, and manage policies. These policies apply and enforce rules that your resources got to follow. These policies can enforce these rules when resources are created and may be evaluated against existing resources to offer visibility into compliance.

Policies can enforce things like only allowing specific sorts of resources to be created, or only allowing resources in specific Azure regions. you'll enforce naming conventions across your Azure environment. you'll also enforce that specific tags are applied to resources. You'll take a glance at how policies work.

Create a policy

You'd like to make sure that each one resource has the Department tag related to them and block creation if it doesn't exist. you will need to make a replacement policy definition then assign it to a scope; during this case, the scope is going to be our msftlearn-core-infrastructure-rg resource group. Policies are often created and assigned through the Azure portal, Azure PowerShell, or Azure CLI. This exercise takes you thru creating policy within the portal.

Create the policy definition

1. Navigate to the Azure portal during a browser if you haven't already. within the search box up the highest navigation bar, look for Policy, and choose the Policy service.
2. Select the Definitions pane from the Authoring section within the left menu.
3. you ought to see an inventory of built-in policies that you simply can use. during this case, you are going to make our own custom policy. Click + Policy definition within the top menu.
4. This button brings up the New policy definition dialog. to the line, the Definition location, click the blue... Select the subscription for the policy to be stored, which should be an equivalent subscription as our resource group. Click Select.
5. Back on the New policy definition dialog, for Name give your policy a reputation to Enforce append resource.
6. For the outline, enter This policy enforces the existence of an appends a resource.
7. For Category select Use existing then select the overall category.
8. For the Policy rule, delete all text within the box and paste within the following JSON.

JSON

{

  "mode": "Indexed",

  "policyRule": {

    "if": {

      "field": "[concat('tags[', parameters('tagName'), ']')]",

      "exists": "false"

    },

    "then": {

      "effect": "deny"

    }

  },

  "parameters": {

    "tagName": {

      "type": "String",

      "metadata": {

        "displayName": "Tag Name",

        "description": "Name of the tag, such as 'environment'"

      }

    }

  }

}

Your policy definition should appear as if below. Click Save to save lots of your policy definition.

Create a policy assignment

You've created the policy, but you haven't actually put it into effect yet. To enable the policy, you would like to make an assignment. during this case, you'll assign it to the scope of your msftlearn-core-infrastructure-rg resource group, in order that it applies to anything inside the resource group.

1. within the policy pane, select Assignments from the Authoring section on the left.
2. Select the Assign policy at the highest.
3. within the Assign policy pane, you'll assign your policy to your resource group. For Scope, click the blue... Select your subscription and therefore the MSF learn-core-infrastructure-rg resource group, then click Select.
4. For Policy definition, click the blue .... within the Type drop-down, select Custom, select the Enforce to append resource policy you created, then click Select.
5. Select Next to travel to the Parameters pane.
6. On the Parameters pane, for Tag name enter Department.
7. Select Review + create then select Create to make the assignment.

Test out the policy

Now that you simply have assigned the policy to your resource group, any attempts to make a resource without the Department tag should fail. do this out.

1. On the Azure portal menu or from the house page, select Create a resource.
2. look for Storage Account and choose Storage account - blob, file, table, queue within the results. Select Create.
3. Select your subscription, and therefore the msftlearn-core-infrastructure-rg resource group.
4. For Storage account name, provides it any name of your choice, but note that it does need to be a globally unique name.
5. Leave the remainder of the choices at their default, click Review + create.

Validation of your resource creation will fail because you do not have a Department tag applied to the resource. If the policy has not caused a validation failure, you'll get to wait a couple of more minutes for it to be enabled.

Fix the violation so you'll successfully deploy the storage account.

6. Select Tags at the highest of the Create storage account pane.
7. Add a Department: Finance tag to the list.

8. Now click Review + create. Validation should now pass, and if you click Create your storage account is going to be created.

Use policies to enforce standards

You've seen how you'll use policies to make sure that your resources have the tags that organize your resources. There are other ways policies are often won't to our benefit.

You could use policy to limit which Azure regions you'll deploy resources to. For organizations that are heavily regulated or have legal or regulatory restrictions on where data can reside, policies help to make sure that resources aren't provisioned in geographic areas that might go against these requirements.

You could use policy to limit which sorts of virtual machine sizes are often deployed. you'll want to permit large VM sizes in your production subscriptions, but maybe you want to make sure that you simply keep costs minimized in your dev subscriptions. By denying the massive VM sizes through policy in your dev subscriptions, you'll ensure they do not get deployed in these environments.

You could also use policy to enforce naming conventions. If your organization has standardized on specific naming conventions, using policy to enforce the conventions helps us to stay a uniform naming standard across your Azure resources.