More resource policy aliases

Posted on 24 July, 2017

Senior Program Manager, Azure Resource Manager

Aliases in resource policies let you restrict which values or conditions are permitted for a property of a resource, without hard-coding the property path for every API version of the resource type. If you are already familiar with policy aliases, you know they are a crucial part of governing your Azure environment.

We want to keep adding new policy aliases so you can more easily govern what gets deployed in your environment. In this post, I would like to share the aliases we have enabled most recently.

First, let’s review how aliases are integrated into user requests. Each policy alias maps to a property path in each API version of a given resource type. During policy evaluation, when the policy engine needs the value of a particular field, it looks at the API version of the incoming request and reads the property at the path registered for that version. The diagram below shows how a policy alias is resolved at evaluation time.

[Diagram: how a policy alias is resolved to the API-version-specific property path during policy evaluation]

Custom Image for virtual machines

For security reasons, many customers want to ensure that only custom images approved by the central IT team are deployed in their environment. The IT team approves a set of managed images and places them in a dedicated resource group. To ensure VMs are created only from these images, you implement a resource policy that either references the resource group containing the images or lists the approved images explicitly.

We added the Microsoft.Compute/imageId alias to enable this scenario. It works for both virtual machines and virtual machine scale sets; to target scale sets, change the type condition to the scale set resource type.

The examples below show what the policies look like.

Example 1 (use images from a certain resource group):

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
            },
            {
                "not": {
                    "field": "Microsoft.Compute/imageId",
                    "contains": "resourceGroups/testImage"
                }
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

Note that contains is a substring match, so "resourceGroups/testImage" also matches an image in a resource group named testImageOld; if that is a concern, list the approved image IDs explicitly as in Example 2. Also, a VM created from a platform image has no imageId at all, so the contains check fails, the not clause holds, and the request is denied, which is the intent here.

Example 2 (use specific images):

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
            },
            {
                "not": {
                    "field": "Microsoft.Compute/imageId",
                    "in": ["<imageId1>", "<imageId2>"]
                }
            }
        ]
    },
    "then": { "effect": "deny" }
}

Example 2 compares the full resource ID of each image, so list every approved image by its complete ID rather than by name. Both examples use the Microsoft.Compute/imageId alias.
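To make the alias lookup described at the top of this post concrete, here is a small Python evaluator. It is an added illustration written for this post, not code from the Azure policy service: the alias table (the property paths and API versions listed under Microsoft.Compute/imageId), the fake subscription, image IDs and request bodies are all constructed for the example. It resolves the alias by the request's resource type and API version, then runs Example 1 against several requests. Two behaviours are worth noticing: a request with no imageId at all (a platform image) is denied, because every comparison against an absent field is false and the not flips it; and contains is a substring match, so an image in a resource group named testImageOld also passes the check.

```python
"""Toy evaluator for resource policy aliases (added illustration, not Azure's engine)."""
from typing import Any, Dict, Optional

_MISSING = object()  # sentinel: the aliased property is absent from the request

# Alias table: alias -> resource type -> api-version -> property path in the body.
# ASSUMED for illustration: the real table is kept by the policy service and is
# not reproduced on the page; only the alias name Microsoft.Compute/imageId is.
ALIASES: Dict[str, Dict[str, Dict[str, str]]] = {
    "Microsoft.Compute/imageId": {
        "Microsoft.Compute/virtualMachines": {
            "2016-04-30-preview": "properties.storageProfile.imageReference.id",
            "2017-03-30": "properties.storageProfile.imageReference.id",
        },
        "Microsoft.Compute/virtualMachineScaleSets": {
            "2017-03-30": "properties.virtualMachineProfile.storageProfile.imageReference.id",
        },
    },
}

def _dig(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; _MISSING if any segment is absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return _MISSING
        obj = obj[part]
    return obj

def resolve_field(request: dict, field: str) -> Any:
    """Turn a policy 'field' into a value using the request's type and api-version."""
    if field == "type":
        return request.get("type", _MISSING)
    by_type = {k.lower(): v for k, v in ALIASES.get(field, {}).items()}
    path = by_type.get(str(request.get("type", "")).lower(), {}).get(request.get("apiVersion"))
    return _MISSING if path is None else _dig(request.get("body", {}), path)

def _norm(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v  # string comparisons are case-insensitive

def evaluate(cond: dict, request: dict) -> bool:
    """Evaluate one condition from the subset of the policy grammar used on this page."""
    if "allOf" in cond:
        return all(evaluate(c, request) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], request)
    value = resolve_field(request, cond["field"])
    if "exists" in cond:
        return (value is not _MISSING) == (str(cond["exists"]).lower() == "true")
    if value is _MISSING:  # any comparison against an absent field is false
        return False
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "contains" in cond:  # substring match, not a path-segment match
        return isinstance(value, str) and _norm(cond["contains"]) in _norm(value)
    if "in" in cond:
        return _norm(value) in {_norm(x) for x in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")

def decide(policy: dict, request: dict) -> str:
    """Return the policy's effect when its 'if' block matches, otherwise 'allow'."""
    return policy["then"]["effect"] if evaluate(policy["if"], request) else "allow"

def example1_policy(resource_type: str = "Microsoft.Compute/virtualMachines") -> dict:
    """Example 1 from the page; pass the scale set type to cover VMSS instead."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": resource_type},
            {"not": {"field": "Microsoft.Compute/imageId",
                     "contains": "resourceGroups/testImage"}},
        ]},
        "then": {"effect": "deny"},
    }

# Constructed image IDs under a fake subscription for the scenarios below.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APPROVED = SUB + "/resourceGroups/testImage/providers/Microsoft.Compute/images/golden"
LOOKALIKE = SUB + "/resourceGroups/testImageOld/providers/Microsoft.Compute/images/stale"
VMSS = "Microsoft.Compute/virtualMachineScaleSets"

def vm_request(image_id: Optional[str], rtype: str = "Microsoft.Compute/virtualMachines",
               api_version: str = "2017-03-30") -> dict:
    """Constructed PUT request; image_id=None models a platform (marketplace) image."""
    ref = {"id": image_id} if image_id else {
        "publisher": "Canonical", "offer": "UbuntuServer", "sku": "16.04-LTS", "version": "latest"}
    profile: dict = {"storageProfile": {"imageReference": ref}}
    if rtype.lower().endswith("scalesets"):
        profile = {"virtualMachineProfile": profile}  # scale sets nest the profile one level deeper
    return {"type": rtype, "apiVersion": api_version, "body": {"properties": profile}}

if __name__ == "__main__":
    vm_policy = example1_policy()
    print("approved image   :", decide(vm_policy, vm_request(APPROVED)))   # allow
    print("platform image   :", decide(vm_policy, vm_request(None)))       # deny: field absent
    print("lookalike RG     :", decide(vm_policy, vm_request(LOOKALIKE)))  # allow: substring match
    print("vmss, vm policy  :", decide(vm_policy, vm_request(None, VMSS)))              # allow: type differs
    print("vmss, vmss policy:", decide(example1_policy(VMSS), vm_request(None, VMSS)))  # deny
```

The same alias resolves to a different path for a scale set, which is why only the type condition has to change when you port a VM policy to scale sets. An API version that is not in the alias table leaves the field unresolved in this toy; how the real engine handles that case is not described on the page, so treat it as a modelling choice here.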

Platform Images

We introduced a set of aliases that are not tied to a single resource type. These cross-resource-type aliases let you restrict platform images for virtual machines, virtual machine scale sets, and managed disks with one condition. For example, the alias Microsoft.Compute/imagePublisher carries no resource type name in its path, so the same condition applies across those resource types. The linked example shows how to use these aliases.

Use Managed Disk

With the release of managed disks, many customers want to require that only managed disks are used for VMs. With resource policy, you can now restrict your VMs and scale sets to managed disks only. The policy requires that the fields related to managed disks are present in the user request; those fields are shown in the linked example. By checking for these fields, you can determine whether a VM or scale set uses managed disks.

VM Extension Types

Organizations may want to forbid certain types of extensions. For example, an extension may not be compatible with a custom VM image, or, for security reasons, you may not want users to reset the password of a VM through the VMAccess extension. The example below blocks a specific VM extension, identified by its publisher and type.

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines/extensions"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Compute"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "VMAccessAgent"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

Azure Hybrid Use Benefit

When you hold the appropriate on-premises licenses, Azure Hybrid Use Benefit (AHUB) lets you save the license fee on your virtual machines. When you do not hold such licenses, you should forbid the option so that it cannot be claimed by mistake. The following policy denies any VM or scale set request that sets the licenseType property, which is how AHUB is claimed.

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "in": ["Microsoft.Compute/virtualMachines", "Microsoft.Compute/VirtualMachineScaleSets"]
            },
            {
                "field": "Microsoft.Compute/licenseType",
                "exists": true
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

Summary

To recap, this post explains how policy aliases work and what you can govern through resource policies. Try them and let us know what else you want to govern!