
Azure Policy

With Azure Policy, you can create policies that enforce rules over your Azure resources. This way, resources stay compliant with service-level agreements and corporate standards. With Azure Policy, you can evaluate all the different Azure resources for non-compliance. For example, you can create a policy to allow only certain VM sizes in your Azure environment. When the policy is created, Azure checks all new and existing VMs to see whether they comply with it.

Azure Policy is different from RBAC because Azure Policy focuses on resource properties, both for existing resources and during deployment, whereas RBAC focuses on user actions at different scopes. A user can be added to the Owner role in a resource group, for instance, which gives the user full rights to that resource group.

Azure offers built-in policies and custom policies. Some examples of these built-in policies are as follows:

  • Allowed VM SKUs: This policy specifies a set of VM sizes and types that can be deployed in Azure.
  • Allowed locations: This policy restricts the available locations where resources can be deployed.
  • Not allowed resource types: This policy prevents certain resource types from being deployed.
  • Allowed resource types: This policy defines a list of resource types that you can deploy. Resource types that are not on the list can't be deployed inside the Azure environment.
  • Allowed storage account SKUs: This policy specifies a set of storage account SKUs that can be deployed.

If the built-in policies don't match your requirements, you can create a custom policy instead. Custom policies are written in JSON and look like the following example. The first part of the definition sets the different properties:

{
  "properties": {
    "displayName": "Deny storage accounts not using only HTTPS",
    "description": "Deny storage accounts not using only HTTPS. Checks the supportsHttpsTrafficOnly property on StorageAccounts.",
    "mode": "all",
    "parameters": {
      "effectType": {
        "type": "string",
        "defaultValue": "Deny",
        "allowedValues": [
          "Deny",
          "Disabled"
        ],
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        }
      }
    },

The second part of the definition is the policy rule: the if block selects storage accounts whose supportsHttpsTrafficOnly property is not true, and the then block applies the effect chosen through the effectType parameter:

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effectType')]"
      }
    }
  }
}
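To see how the allOf, field, equals and notEquals conditions and the [parameters('effectType')] reference combine, here is a small evaluator added for this chapter (it is not the book's code and not Azure's engine) that applies the rule above to constructed sample resources offline. Alias handling is simplified to reading the property named by the last path segment, and the resource records, the SA_TYPE constant and the evaluate helper are assumptions of this example.

```python
# Added example (not the book's code): a tiny evaluator for the policy rule above;
# alias handling is simplified and the sample resources are constructed.
import re

POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
         "notEquals": "true"}]},
    "then": {"effect": "[parameters('effectType')]"}}
PARAMETERS = {"effectType": {"defaultValue": "Deny",
                             "allowedValues": ["Deny", "Disabled"]}}

def resolve(value, assigned):
    # Replace "[parameters('x')]" with the assigned or default value; reject
    # anything outside allowedValues, as Azure does at assignment time.
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
    if not m:
        return value
    name, spec = m.group(1), PARAMETERS[m.group(1)]
    chosen = assigned.get(name, spec["defaultValue"])
    if chosen not in spec["allowedValues"]:
        raise ValueError(f"{chosen!r} is not an allowed value for {name}")
    return chosen

def matches(cond, resource):
    # True when the "if" block selects the resource, i.e. it is non-compliant.
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if cond["field"] == "type":
        actual = resource.get("type")
    else:  # alias: read the property named by the last path segment
        actual = resource.get("properties", {}).get(cond["field"].split("/")[-1])
    actual = "" if actual is None else str(actual).lower()  # unset != "true"
    if "equals" in cond:
        return actual == str(cond["equals"]).lower()
    return actual != str(cond["notEquals"]).lower()

def evaluate(resource, assigned=None):
    # Returns the applied effect ("Deny"), or None when the resource is
    # compliant, out of scope, or the assignment sets effectType to Disabled.
    effect = resolve(POLICY_RULE["then"]["effect"], assigned or {})
    if effect == "Disabled" or not matches(POLICY_RULE["if"], resource):
        return None
    return effect

SA_TYPE = "Microsoft.Storage/storageAccounts"
LEGACY_SA = {"type": SA_TYPE, "properties": {"supportsHttpsTrafficOnly": False}}
HTTPS_SA = {"type": SA_TYPE, "properties": {"supportsHttpsTrafficOnly": True}}
VM = {"type": "Microsoft.Compute/virtualMachines", "properties": {}}
```

A storage account with the property left unset is also denied, which is the behaviour the rule's notEquals wording asks for; an assignment that tries to pass an effect outside allowedValues is rejected before any resource is evaluated.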

Policies are assigned at the management group level, the subscription level, or the resource group level, and the assignment applies to every resource within that scope.
