Preview of Resource Policy in the Azure Portal
Microsoft has launched a preview of managing Azure Resource Policy using a graphical interface. This post will explain what this preview offers.
Azure Resource Policy
Resource Policy is a very nice feature in Azure Resource Manager (ARM) that allows you to control what delegated administrators can do in an Azure subscription or resource group. For example, you can limit what series and sizes of virtual machines can be deployed. I use the JSON policy to control what can be deployed in a set of subscriptions that my employer uses for training purposes. Previously, one attendee went nuts with virtual machines, running SQL Server, and ran up a nice bill in a few days.
Azure Resource Policy is written in a form of JSON, which you can see in the previously mentioned example. As much as I evangelize the benefits of JSON, I suspect that the adoption rate will mimic that of PowerShell. This is very high in blog readers and conference attendees but quite low in the much larger world of IT pros.
A Graphical Interface
A preview of Azure Resource Policy administration in the Azure Portal was launched on May 9th. This preview is running in the preview release of the Azure Portal, which was once called the Preview Portal. It provides an easy way to create and assign some simple resource policies. However, you can still edit JSON policies using a tool such as VS Code. Simply upload the policy using PowerShell and then use the portal administration experience to assign the policies to the subscription or resource groups.
You must use the preview portal, which is available on https://preview.portal.azure.com. Browse to Subscriptions and then to Policies. This is where all of your policy administration will appear in the portal. You can also see all the policies that were created and uploaded using PowerShell.
Creating a Policy
Click +Add Assignment to start making a policy. The blade Add Assignment will appear. Enter the following information:
- Policy Definition: Choose a type of policy from a set of Microsoft-provided templates. More on this later.
- Allowed/Not Allowed X: If you select Allowed/Not Allowed for your policy, then you will select the items/locations that need to be permitted or restricted.
- Assignment Name: Give the policy a user-friendly name.
- Assignment ID: Give a unique identifier to the policy.
- Description: Document what the policy does.
- Scope: Select the Azure subscription or resource group that the policy will be assigned to.
In the below example, I have restricted resource creation to East US and West US.
Let’s get back to those policy definitions. There is a range available to select in the preview. Note that your manually created policies, uploaded using Azure, are available to select from, too:
- Allowed Locations: This restricts the regions that can be deployed into.
- Allowed Resource Types: This permits only a subset of Azure resource types.
- Allowed Storage Account SKUs: This controls the use of Standard/Premium storage and the replication types.
- Allowed Virtual Machine SKUs: You can permit pre-selected series/sizes of virtual machines.
- Not Allowed Resource Types: This prevents certain resource types from being deployed.
- Require SQL Server Version 12.0: This requires that SQL Server must be version 12.0 (SQL Server 2014).
- Require Storage Account Subscription: This requires storage encryption for storage accounts to be turned on.
It is possible to stack assignments. In the below example, one policy only allows A1_v1 virtual machines to be deployed. A second policy only allows East US and West US to be used. The combination of these policies means that the only virtual machines that can be deployed are the A1_v1 series and size. They also must be deployed in either East US or West US.
A policy that is assigned to a subscription is inherited by all resource groups. If I assign a policy to a subscription that only allows deployments in East US and West US, then this policy is assigned to all resource groups.
If a resource group within that resource group only allows A1_v1 virtual machines, then those virtual machines can only be deployed in East US and West US.
Managing Existing Policies
We can do the following in the portal:
- Edit Assignment: We can change the Allowed/Not Allowed option, the friendly name, and the description of the policy. We cannot change the definition (template/type), assignment ID, or the assigned scope.
- View the Assignment Rule: This option shows you the JSON that was used to deploy the policy. You can use this as a template that can be used in VS Code.
The administrative experience for resource policies is a bit light on features, but this is a cloud service preview. As always, the service will likely go live with the core functionality. Based on customer feedback and product plans, the service will evolve rapidly. Don’t judge the GUI for resource policy based on how it is now because it will probably be different in a few months.