
Azure Policy for governance - Commands & Configuration

Introduction
Azure Policy lets you define rules that your cloud resources must follow, so deployments stay in line with your organization's standards. It prevents misconfigurations before they land and keeps your environment secure and organized.
When you want to make sure all virtual machines use approved sizes only.
When you need to block creation of resources in certain locations to control costs.
When you want to enforce tagging on all resources for easy tracking.
When you want to audit if any storage accounts allow public access.
When you want to automatically apply security settings to new resources.
Config File - policy-definition.json
{
  "properties": {
    "displayName": "Allowed VM sizes",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy limits the VM sizes that can be deployed.",
    "parameters": {
      "listOfAllowedSizes": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed VM sizes.",
          "displayName": "Allowed VM sizes",
          "strongType": "VMSizes"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "Microsoft.Compute/virtualMachines/sku.name",
        "notIn": "[parameters('listOfAllowedSizes')]"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

This JSON file defines a policy that restricts virtual machine sizes to a specific list.

properties.displayName: The name shown in Azure Policy.

properties.parameters.listOfAllowedSizes: The VM sizes allowed.

properties.policyRule: The rule that denies VM creation if size is not allowed.

Commands
This command creates a new Azure Policy definition named 'AllowedVMSizes' from the JSON file and sets the mode to All so the policy applies to all resource types. Note that the Azure CLI expects --rules to contain only the policyRule object (the if/then block) and takes the parameters block through a separate --params flag, so when you keep the full definition file shown above, pass those two sections rather than the whole document.
Terminal
az policy definition create --name AllowedVMSizes --display-name "Allowed VM sizes" --description "Limit VM sizes to approved list" --rules policy-definition.json --mode All
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/AllowedVMSizes",
  "name": "AllowedVMSizes",
  "properties": {
    "displayName": "Allowed VM sizes",
    "description": "Limit VM sizes to approved list",
    "metadata": {},
    "mode": "All",
    "policyRule": {
      "if": {
        "field": "Microsoft.Compute/virtualMachines/sku.name",
        "notIn": ["Standard_DS1_v2", "Standard_DS2_v2"]
      },
      "then": { "effect": "deny" }
    },
    "parameters": {
      "listOfAllowedSizes": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed VM sizes.",
          "displayName": "Allowed VM sizes",
          "strongType": "VMSizes"
        }
      }
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions"
}
--name - Sets the unique name for the policy definition.
--rules - Specifies the JSON file with the policy rules.
--mode - Defines which resource types the policy applies to.
This command assigns the 'AllowedVMSizes' policy to the resource group named 'example-rg' and supplies the listOfAllowedSizes parameter with two approved VM sizes. From this point on, any VM created in that resource group with a size outside the list is denied.
Terminal
az policy assignment create --name EnforceAllowedVMSizes --policy AllowedVMSizes --params '{"listOfAllowedSizes":{"value":["Standard_DS1_v2","Standard_DS2_v2"]}}' --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Authorization/policyAssignments/EnforceAllowedVMSizes",
  "name": "EnforceAllowedVMSizes",
  "properties": {
    "displayName": "Allowed VM sizes",
    "policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/AllowedVMSizes",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg",
    "parameters": {
      "listOfAllowedSizes": {
        "value": [ "Standard_DS1_v2", "Standard_DS2_v2" ]
      }
    },
    "enforcementMode": "Default"
  },
  "type": "Microsoft.Authorization/policyAssignments"
}
--policy - Specifies which policy definition to assign.
--params - Sets the parameters for the policy assignment.
--scope - Defines where the policy applies, here a resource group.
This command lists the compliance state of resources under the 'EnforceAllowedVMSizes' policy assignment so you can see whether any resource violates the policy. Compliance evaluation runs on a schedule, so an empty list immediately after assignment may only mean the scan has not run yet; you can start one with 'az policy state trigger-scan'.
Terminal
az policy state list --query "[?policyAssignmentName=='EnforceAllowedVMSizes']"
Expected Output
[]
--query - Filters the output to show only states related to the specific policy assignment.
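To see how the definition and the assignment parameters above combine at evaluation time, here is an added Python example (not part of this page or of Azure's tooling) that resolves the [parameters('...')] reference, checks that the assignment supplies every parameter the definition declares, and evaluates the rule against a constructed VM resource keyed by the policy alias. It is a simplified model of the deny decision, not the Azure Policy engine.

```python
import json
import re

# Constructed copy of the page's definition, reduced to the two parts the rule needs.
POLICY_DEFINITION = json.loads("""{
  "parameters": {"listOfAllowedSizes": {"type": "Array"}},
  "policyRule": {
    "if": {"field": "Microsoft.Compute/virtualMachines/sku.name",
           "notIn": "[parameters('listOfAllowedSizes')]"},
    "then": {"effect": "deny"}
  }
}""")

# Constructed assignment parameters, same shape as the --params JSON in the page.
ASSIGNMENT_PARAMS = {"listOfAllowedSizes": {"value": ["Standard_DS1_v2", "Standard_DS2_v2"]}}

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def check_parameters(definition, params):
    """Names of declared parameters (without defaultValue) that the assignment does not supply."""
    declared = definition.get("parameters", {})
    return sorted(p for p, spec in declared.items()
                  if "defaultValue" not in spec and p not in params)


def resolve(value, params):
    """Replace a [parameters('x')] reference with the value assigned to x."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]["value"]
    return value


def evaluate(definition, params, resource):
    """Return the effect the rule applies to `resource`, or None if the condition does not match."""
    missing = check_parameters(definition, params)
    if missing:  # the third "common mistake": assigning without required parameters
        raise ValueError(f"assignment is missing parameters: {missing}")
    cond = definition["policyRule"]["if"]
    actual = resource.get(cond["field"])  # resource is keyed by policy alias (simplification)
    op, operand = next((k, v) for k, v in cond.items() if k != "field")
    operand = resolve(operand, params)
    matched = {"in": actual in operand, "notIn": actual not in operand, "equals": actual == operand}[op]
    return definition["policyRule"]["then"]["effect"] if matched else None


if __name__ == "__main__":
    vm = {"Microsoft.Compute/virtualMachines/sku.name": "Standard_D64s_v3"}  # constructed, not in list
    print(evaluate(POLICY_DEFINITION, ASSIGNMENT_PARAMS, vm))  # deny
```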
Key Concept

If you remember nothing else from this pattern, remember: Azure Policy lets you set rules that automatically check and enforce how your cloud resources are created and used.

Common Mistakes
Not specifying the correct scope when assigning the policy.
The policy won't apply where you expect, so resources in the intended scope can be created without restrictions.
Always use the correct subscription or resource group ID in the --scope flag.
Using an incorrect JSON format in the policy definition file.
Azure will reject the policy creation with an error.
Validate your JSON syntax and structure before creating the policy.
Not providing required parameters when assigning a policy that needs them.
The policy assignment will fail, or it will not enforce the rules you intended.
Always pass parameters using the --params flag in the correct JSON format, with each parameter wrapped in a "value" object as shown in the assignment command above.
Summary
Create a policy definition JSON file that sets the rules for resource compliance.
Use 'az policy definition create' to register the policy in Azure.
Assign the policy to a scope like a resource group with 'az policy assignment create' and set parameters.
Check compliance status with 'az policy state list' to see if resources follow the rules.