Last Update: Sep 04, 2024 | Published: Apr 07, 2017
Microsoft has launched a preview of managing Azure Resource Policy using a graphical interface. This post will explain what this preview offers.
Resource Policy is a very nice feature in Azure Resource Manager (ARM) that allows you to control what delegated administrators can do in an Azure subscription or resource group. For example, you can limit what series and sizes of virtual machines can be deployed. I use the JSON policy to control what can be deployed in a set of subscriptions that my employer uses for training purposes. Previously, one attendee went nuts with virtual machines, running SQL Server, and ran up a nice bill in a few days.
Azure Resource Policy is written in a form of JSON, which you can see in the previously mentioned example. As much as I evangelize the benefits of JSON, I suspect that the adoption rate will mimic that of PowerShell: very high among blog readers and conference attendees, but quite low in the much larger world of IT pros.
A preview of Azure Resource Policy administration in the Azure Portal was launched on May 9th. This preview is running in the preview release of the Azure Portal, which was once called the Preview Portal. It provides an easy way to create and assign some simple resource policies. However, you can still edit JSON policies using a tool such as VS Code. Simply upload the policy using PowerShell and then use the portal administration experience to assign the policies to the subscription or resource groups.
You must use the preview portal, which is available on https://preview.portal.azure.com. Browse to Subscriptions and then to Policies. This is where all of your policy administration will appear in the portal. You can also see all the policies that were created and uploaded using PowerShell.
Click +Add Assignment to start making a policy. The blade Add Assignment will appear. Enter the following information:
In the below example, I have restricted resource creation to East US and West US.
Let’s get back to those policy definitions. There is a range available to select in the preview. Note that your manually created policies, uploaded using Azure, are available to select from, too:
It is possible to stack assignments. In the below example, one policy only allows A1_v1 virtual machines to be deployed. A second policy only allows East US and West US to be used. Combined, these policies mean that the only virtual machines that can be deployed are of the A1_v1 series and size, and they must be deployed in either East US or West US.
A policy that is assigned to a subscription is inherited by all resource groups. If I assign a policy to a subscription that only allows deployments in East US and West US, then this policy applies to all resource groups in that subscription.
If a resource group within that subscription is assigned a policy that only allows A1_v1 virtual machines, then those virtual machines can only be deployed in East US and West US.
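The stacking and inheritance behavior described above can be modeled in a few lines. This is an added example, not code from the original post and not Azure's own evaluation engine: it is a simplified evaluator for deny rules written in the ARM policy JSON shape, and the subscription name `training`, the resource group `lab1`, and the assignment names are hypothetical.

```python
# Simplified model of deny-policy evaluation across scopes (not Azure's engine).

def matches(cond, res):
    """Evaluate a policy 'if' condition against a resource's properties."""
    if "not" in cond:
        return not matches(cond["not"], res)
    if "allOf" in cond:
        return all(matches(c, res) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, res) for c in cond["anyOf"])
    value = res.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")

VM_TYPE = "Microsoft.Compute/virtualMachines"
VM_SKU = "Microsoft.Compute/virtualMachines/sku.name"

# Constructed rules: deny anything outside the allowed regions / VM size.
ALLOWED_LOCATIONS = {
    "if": {"not": {"field": "location", "in": ["eastus", "westus"]}},
    "then": {"effect": "deny"},
}
ALLOWED_VM_SIZE = {  # "A1_v1" is the size label used in the post
    "if": {"allOf": [
        {"field": "type", "equals": VM_TYPE},
        {"not": {"field": VM_SKU, "in": ["A1_v1"]}},
    ]},
    "then": {"effect": "deny"},
}

# Assignments keyed by scope (hypothetical subscription and resource group).
ASSIGNMENTS = {
    "/subscriptions/training": [("allowed-locations", ALLOWED_LOCATIONS)],
    "/subscriptions/training/resourceGroups/lab1": [("allowed-vm-size", ALLOWED_VM_SIZE)],
}

def denied_by(resource, rg_scope):
    """Names of policies assigned at rg_scope or a parent scope that deny the resource."""
    hits = []
    for scope, policies in ASSIGNMENTS.items():
        if rg_scope == scope or rg_scope.startswith(scope + "/"):
            hits += [name for name, rule in policies
                     if rule["then"]["effect"] == "deny" and matches(rule["if"], resource)]
    return hits
```

A deployment succeeds only when `denied_by` returns an empty list, which is why a resource group with its own size restriction still cannot escape the subscription's region restriction.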
We can do the following in the portal:
The administrative experience for resource policies is a bit light on features, but this is a cloud service preview. As always, the service will likely go live with the core functionality. Based on customer feedback and product plans, the service will evolve rapidly. Don’t judge the GUI for resource policy based on how it is now because it will probably be different in a few months.