Hi, I’m Makoto, a freelance engineer.
In this article, I’ll explain Azure Policy. As the word “policy” suggests, it is the service you use to define rules for your Azure resources and keep them operating within those rules.
I’ll introduce the actual configuration screen in a hands-on format. I think it’s easier to visualize when you learn while looking at the screen, so please read to the end.
Let’s get started!
What is Azure Policy?
Azure Policy is a mechanism for keeping Azure resources in compliance with your organization’s rules. It has the following two roles:
- Enforce the rules when resources are created or updated: a request that violates a rule with the Deny effect is rejected
- Report resources that already violate a rule as non-compliant (the Audit effect), so you can see where the violations are
For example, you can “allow resource creation only in Japanese regions” or “limit virtual machine creation to certain sizes”.
By applying Azure policies, you can maintain a state where the system is operating in the way your organization wants it to.
How Azure Policy Works
Azure Policy introduces three main terms:
- Policy definition
- Initiative definition
- Assignments
Each rule is called a policy definition, and a collection of multiple policy definitions is called an initiative definition.
The difference between policy definitions and initiative definitions is a point often asked on the AZ-900 exam. Think of it as single vs. set.
Policy definitions and initiative definitions can be assigned to scopes such as Management Groups, Subscriptions, and Resource Groups.
Policies assigned to parent scopes are inherited by child scopes.
For a detailed explanation of the Azure resource hierarchy, see this article.
Here’s a diagram illustrating how Azure Policy works. Key points from the diagram:
- Policy definition: each individual rule
- Initiative definition: a collection of policy definitions
- A policy assigned at a parent scope is inherited by its child scopes
Azure Portal Configuration
In the Azure Portal, it appears as the “Policy” service. When you open Definitions under Policy, you see a list of built-in definitions that Microsoft provides out of the box.
Here, we’ll select the “Allowed locations” policy definition to restrict resource regions.
Press “Assign policy” to continue.
Next is the Parameters tab. Select Japan East and Japan West as the allowed regions. The other tabs are not mandatory, so we’ll create it with these settings.
You can review assigned definitions in the Assignments menu.
When I tried to create a virtual machine in a region other than Japan, I received a policy violation message. This indicates that the Azure policy is working correctly.
By the way, if you assign a policy that limits virtual machine sizes, the sizes that are not allowed are grayed out in the size picker and cannot be selected.
You can check compliance with Azure policy rules from the Overview or Compliance menus.
Things to Know About Azure Policy
Here are some questions that may be asked on the AZ-900 exam.
If you assign a policy when resources that it would prohibit already exist, those existing resources are not automatically deleted or modified.
As shown in the compliance screen above, Azure Policy only reports whether violations exist; the resources themselves are left as they are.
Some policy effects (deployIfNotExists and modify) can “remediate” non-compliant resources through a remediation task, but that level of detail is unlikely to be required for the exam.
That means it’s best to set up Azure policies at the beginning, when you first start using Azure, after you’ve confirmed your organization’s rules.
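To make the mechanics above concrete, here is a small Python evaluator that mimics the shape of Azure Policy’s JSON: a rule with parameters, an initiative bundling two definitions, and an assignment at a scope. It is an added example, not code from the original article and not Azure’s real engine. The allowed-locations rule is modelled on the built-in “Allowed locations” definition; the audit-vm-size policy, the management group, subscription and resource group ids, and the resource requests are constructed for illustration, and the condition vocabulary is limited to what these two rules use. It shows a VM create in East US being denied, an over-sized VM in Japan East being created but flagged, an existing West US storage account being reported non-compliant rather than deleted, and a resource in a subscription outside the assigned management group being left alone.

```python
"""Toy evaluator for Azure Policy-style definitions (added example, not Azure's engine):
deny-on-create, audit-only flagging, and scope inheritance over JSON-shaped rules."""
import re
# Modelled on the built-in "Allowed locations" definition (effect: deny).
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}
# Hypothetical companion policy: flag (not block) VM sizes outside an allowed list.
AUDIT_VM_SIZE = {
    "name": "audit-vm-size",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "notIn": "[parameters('listOfAllowedSKUs')]"},
        ]},
        "then": {"effect": "audit"},
    },
}
# Initiative: several policy definitions assigned as one set.
INITIATIVE = {"name": "jp-governance",
              "policyDefinitions": [ALLOWED_LOCATIONS, AUDIT_VM_SIZE]}

# Constructed scope tree: management group -> subscription -> resource group.
MG = "/providers/Microsoft.Management/managementGroups/contoso"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-prod"
PARENT = {SUB: MG, RG: SUB}

# Assigned once at the management group; SUB and RG inherit it.
ASSIGNMENT = {
    "scope": MG,
    "definition": INITIATIVE,
    "parameters": {"listOfAllowedLocations": ["japaneast", "japanwest"],
                   "listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v5"]},
}

PARAM_RE = re.compile(r"^\[parameters\('(\w+)'\)\]$")

def resolve(value, params):
    """Replace an Azure-style "[parameters('x')]" reference with its value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def matches(cond, resource, params):
    """Evaluate the subset of the policy rule language used above."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")

def scope_chain(scope):
    """Yield a scope and each of its parents, innermost first."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

def evaluate(resource, assignment):
    """Return (policy name, effect) for every rule the resource triggers."""
    if assignment["scope"] not in scope_chain(resource["scope"]):
        return []  # the assignment does not cover this resource's scope
    params = assignment["parameters"]
    return [(p["name"], p["policyRule"]["then"]["effect"])
            for p in assignment["definition"]["policyDefinitions"]
            if matches(p["policyRule"]["if"], resource, params)]

def create_resource(resource, assignment):
    """Deny blocks the create; audit lets it through and records the finding."""
    effects = evaluate(resource, assignment)
    return ("denied" if any(e == "deny" for _, e in effects) else "created"), effects

def compliance_report(existing, assignment):
    """Existing resources are never deleted or changed, only flagged."""
    return {r["name"]: "non-compliant" if evaluate(r, assignment) else "compliant"
            for r in existing}

def vm(name, location, sku, scope=RG):
    """Constructed VM create request in the flattened field-alias form used here."""
    return {"name": name, "type": "Microsoft.Compute/virtualMachines", "location": location,
            "Microsoft.Compute/virtualMachines/sku.name": sku, "scope": scope}

if __name__ == "__main__":
    print(create_resource(vm("vm1", "eastus", "Standard_B2s"), ASSIGNMENT))
    print(create_resource(vm("vm2", "japaneast", "Standard_E64s_v5"), ASSIGNMENT))
    print(compliance_report([{"name": "st-legacy", "type": "Microsoft.Storage/storageAccounts",
                              "location": "westus", "scope": RG}], ASSIGNMENT))
```

Run the file directly to print the three results. The point to take away is the split between the two roles: the deny effect is evaluated when a request arrives and stops the create, while the compliance report only classifies what already exists. In real Azure the same objects are created with az policy definition create, az policy set-definition create and az policy assignment create, and the field names in the rule are Azure’s policy aliases rather than the flat dictionary keys used in this toy.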
Summary
In this article, we introduced Azure Policy along with actual configuration screens.
Azure Policy enforces rules when resources are created, rejecting requests that violate a Deny rule, and reports resources that violate a rule as non-compliant.
Make sure you understand the mechanism well, as it is a representative service for achieving proper governance for your organization.