メイン コンテンツにスキップ
Azure
サインイン

 Subscribe

Posted on
2 min read

Share Announcing Azure Resource Policy general availability on Facebook Share Announcing Azure Resource Policy general availability on X Share Announcing Azure Resource Policy general availability on LinkedIn

As organizations of all sizes adopt the cloud, they must control resource configuration to meet corporate policies and satisfy governance requirements.

Today, we are pleased to announce the general availability of Resource Policies, powered by Azure Resource Manager.

Resource Policies allow you to define policy documents which govern acceptable resource configurations across Azure services and geographies. Based on your feedback, we added several new capabilities to enhance the power of Resource Policies.

Control resource SKUs

Since AzureCon, Azure Resource Policies have supported many facets, including tags, resource names, service types, and locations. We have also heard enterprise IT wants to restrict virtual machine images and SKUs to ensure security and control costs.

In the following example, we will restrict virtual machine SKUs to Standard_A0 or Standard_A1.

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": [ "Standard_A0", "Standard_A1" ]
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

You can control SKUs for many resource types; more information can be found here.

Control VM images

Similar to SKUs, you can also implement policies to control VM image usage. Images for Azure VMs are defined by Publisher, Offer, SKU and Version.

The example below shows how to control acceptable VM publishers, so users can only provision VMs using canonical images:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/imagePublisher",
          "equals" : "Canonical"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

Enforce default tags or properties

You can also ensure certain tags or properties are added to Azure Resources during the provisioning process. For example, if a “costCenter” tag isn’t specified, this policy will append a tag with a predefined value. 


 

 

{
  "if": {
    "field": "tags",
    "exists": "false"
  },
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "tags",
        "value": { "costCenter": "myDepartment" }
      }
    ]
  }
}

Alert on policy evaluation events

 

You can also define alert rules triggered by policy violations. Alerts can trigger email notifications or call a webhook. The PowerShell below defines an alert rule which is triggered when a policy denies user actions.

$action = New-AzureRmAlertRuleWebhook -ServiceUri "your web hook url"
Add-AzureRmLogAlertRule -Name  -Location  -ResourceGroup  -OperationName Microsoft.Authorization/policies/deny/action -TargetResourceGroup  -Actions $action

To learn more about alert rules for policy violations, check out Ryan’s session from //Build.

Please send us your feedback! If you’re unfamiliar with Resource Policy, please refer to our Azure documentation and this video to get started.

  • Explore

     

    Let us know what you think of Azure and what you would like to see in the future.

     

    Provide feedback

  • Build your cloud computing and Azure skills with free courses by Microsoft Learn.

     

    Explore Azure learning

Related posts

Join the conversation