In March 2017, I published an article Restricting Azure Resource Deployment by Region which provided some insight into Azure Resource Policies. In that post, I provided a link to my GitHub repository azure-resource-policy-templates. Today, I am pleased to announce that I have updated this repository with more templates for you to use. The repository has been updated with the following new templates:
- Force Mandatory Azure Resource Manager Tags to Resources
- Force Mandatory Storage Service Encryption (SSE) on Storage Accounts
- Force Azure Virtual Machine Naming Convention
- Restrict Azure Virtual Machine Sizes Available
- Restrict Storage Account Types Available
Unlike the previous templates I provided, which were designed to be applied individually to restrict the region in which resources could be deployed, these templates can be layered to provide a complete resource management strategy. In this post, I will show how you can additively apply the Restrict Storage Account Types and the Force Mandatory SSE policies to Storage Accounts, and how you can apply the Restrict Azure Virtual Machine Sizes and Force Azure Virtual Machine Naming Convention policies to VMs.
I won’t rehash how to import the policies in this post as that was covered in my previous article. I will jump straight into showing you how they work in the real world.
Restricting Storage Types and Forcing Storage Encryption
Before I begin to show the policies in action, I want to highlight something new in the Azure Resource Manager portal since my last article. There is now a blade in the portal for Policies which shows you policies assigned to the Subscription, Resource Group or Resource based on inheritance. Remember that assigning a policy to the Subscription flows into all Resource Groups within it. Assigning a policy to a Resource Group will only affect resources in that group.
As you can see in the example, I have a Resource Group with two policies applied to it. You can use this to verify your policy applications.
As shown above, my Resource Group is configured to only allow Storage Account creation when the required type is met (LRS and ZRS in my example template) and when encryption is enabled. When I try to create a GRS Storage Account, regardless of whether encryption is enabled or not, I get a validation failed error, preventing the resource creation.
Within the error text, you can see that the request failed against policies on the Resource Group, so creation was blocked. Next, I created some Storage Accounts which were LRS and ZRS and also had encryption enabled. Creation of these resources succeeded as the parameters passed validation against the Resource Policies.
An important note here is that the policy is evaluated at resource creation. If you assign a Storage Service Encryption (SSE) policy to a Resource Group that already contains Storage Accounts, nothing will happen: the previously created accounts will continue to function unchanged. If you are working in an existing environment, your best option is to use Azure Security Center to report on Storage Accounts missing encryption.
Restricting VM Name and Size
In this example, I have assigned both of my virtual machine policies to a Resource Group. The naming convention policy allows us to use pattern matching. This gives us the flexibility to specify wildcards, numerical entries and more. In my example policy, I have specified that my VMs must be named RJGVM-###, which means the final three characters must be numbers. If your convention requires the server function to be included in the name, you could use something like RJGVM-???-###. This syntax would allow for three text characters for the function, followed by three numbers. In the example, I am restricting the available VM sizes to Av2-series, Dv3-series and DSv3-series VMs.
With the scene set, I proceeded to create a new VM. I purposely selected a VM size which was unavailable and specified a name which was outside the convention.
Upon reaching the final validation step for the VM deployment, I was presented with an error. Much like the error in the Storage Account section, the blurb roughly reads that the deployment failed due to a policy violation. Going back through the steps and altering the parameters to comply with the policy resulted in a successful validation and the option to go ahead with the VM deployment.
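For reference, here is what the two VM policies look like when expressed as a single policy rule. This is an added example written for this post, not one of the templates from the GitHub repository; in the `match` operator, `#` matches one digit, `?` one letter and `.` any character, and the VM size list is an assumed subset of the Av2, Dv3 and DSv3 SKUs rather than the full set.

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "anyOf": [
          {
            "field": "name",
            "notMatch": "RJGVM-###"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "notIn": [
              "Standard_A2_v2",
              "Standard_A4_v2",
              "Standard_D2_v3",
              "Standard_D4_v3",
              "Standard_D2s_v3",
              "Standard_D4s_v3"
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

Because the rule denies when either condition fails, assigning it to a Resource Group behaves the same as layering the naming and size policies separately, which is useful when you want to verify both constraints in a single policy assignment.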
I hope that you have found this post useful and that you go on over to my GitHub repository, download the .json template files and start working with Resource Policies. These are very powerful additions to your Microsoft Azure arsenal, allowing you to restrict and govern your subscriptions to prevent misuse as you would with your on-premises environment. Enjoy!