Azure | cloud | ~30 mins

Azure Policy for governance - Mini Project: Build & Apply

📖 Scenario: You are working as a cloud administrator for a company that wants to enforce rules on their Azure resources to keep them secure and compliant. You will create an Azure Policy that restricts the creation of virtual machines to only specific allowed sizes.
🎯 Goal: Create an Azure Policy definition that restricts virtual machine sizes to a specific list, assign this policy to a resource group, and verify the policy enforcement.
📋 What You'll Learn
Create an Azure Policy definition named allowedVMsizes that restricts VM sizes to Standard_DS1_v2 and Standard_DS2_v2
Create a policy assignment named restrictVMsizesAssignment targeting the resource group TestResourceGroup
Use the policy effect Deny to prevent disallowed VM sizes
Use JSON format for the policy definition and assignment
💡 Why This Matters
🌍 Real World
Azure Policy helps organizations enforce rules and compliance automatically on their cloud resources, preventing misconfigurations and security risks.
💼 Career
Cloud administrators and governance specialists use Azure Policy to maintain control over resource configurations and ensure compliance with company standards.
Step 1: Create the Azure Policy definition JSON
Create a JSON object called policyDefinition that defines an Azure Policy with the name allowedVMsizes. The policy should have a policyRule that denies creation of virtual machines with sizes other than Standard_DS1_v2 and Standard_DS2_v2. Use the if condition to check the Microsoft.Compute/virtualMachines/sku.name property, and set the effect to Deny.
Need a hint?

Use the policyRule with if and then blocks. The if should check the VM size field and deny if not in the allowed list.

Step 2: Create the policy assignment JSON
Create a JSON object called policyAssignment that assigns the policy allowedVMsizes to the resource group TestResourceGroup. The assignment should have the name restrictVMsizesAssignment and apply the policy's Deny effect.
Need a hint?

Use the policyAssignment object with name, properties.policyDefinitionId, and properties.scope fields. Replace {subscriptionId} with your subscription ID when deploying.

Step 3: Add parameters to the policy definition
Modify the policyDefinition JSON to add a parameters section that allows specifying the list of allowed VM sizes. Name the parameter allowedSizes with type Array and default value ["Standard_DS1_v2", "Standard_DS2_v2"]. Update the policyRule to use this parameter instead of the hardcoded list.
Need a hint?

Add a parameters section in properties with the allowed sizes array. Use parameters('allowedSizes') in the policyRule instead of the hardcoded list.

Step 4: Complete the policy assignment with parameter values
Update the policyAssignment JSON to include the parameters property that sets allowedSizes to ["Standard_DS1_v2", "Standard_DS2_v2"]. This completes the policy assignment with the parameter values.
Need a hint?

Add the parameters property inside policyAssignment.properties with the allowedSizes value array.
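
The four steps combined, as an added example that is not part of the original exercise: the finished policyDefinition and policyAssignment as Python dicts that serialize to the JSON described above, plus a small local check of which VM sizes the rule would deny. The evaluator is a simplified model covering only the operators this rule uses, not Azure's policy engine; the policyType and mode values, the vm helper, the sample resources and the "Allowed" result string are assumptions made for the illustration.

```python
import json
# Step 3: definition with the allowedSizes parameter and the Deny effect.
policyDefinition = {"name": "allowedVMsizes", "properties": {
    "policyType": "Custom", "mode": "Indexed",   # assumed values
    "parameters": {"allowedSizes": {"type": "Array",
        "defaultValue": ["Standard_DS1_v2", "Standard_DS2_v2"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('allowedSizes')]"}}]},
        "then": {"effect": "Deny"}}}}

# Steps 2 and 4: assignment scoped to TestResourceGroup, with parameter values.
SUB = "/subscriptions/{subscriptionId}"  # placeholder, as in the step 2 hint
policyAssignment = {"name": "restrictVMsizesAssignment", "properties": {
    "scope": SUB + "/resourceGroups/TestResourceGroup",
    "policyDefinitionId": SUB + "/providers/Microsoft.Authorization"
                                "/policyDefinitions/allowedVMsizes",
    "parameters": {"allowedSizes": {"value": ["Standard_DS1_v2", "Standard_DS2_v2"]}}}}

def _matches(cond, resource, params):
    """Local model of only the operators this rule uses (allOf, not, equals, in)."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    value = str(resource.get(cond["field"], "")).lower()  # case-insensitive compare
    if "equals" in cond:
        return value == cond["equals"].lower()
    name = cond["in"].split("'")[1]          # "[parameters('allowedSizes')]"
    return value in [s.lower() for s in params[name]["value"]]

def evaluate(resource):
    """Return "Deny" if the assigned policy would block the request, else "Allowed"."""
    props = policyAssignment["properties"]
    in_scope = resource["id"].lower().startswith(props["scope"].lower() + "/")
    rule = policyDefinition["properties"]["policyRule"]
    hit = in_scope and _matches(rule["if"], resource, props["parameters"])
    return rule["then"]["effect"] if hit else "Allowed"

def vm(group, size):  # constructed sample request; alias value stored directly
    return {"id": f"{SUB}/resourceGroups/{group}/providers/Microsoft.Compute/virtualMachines/demo",
            "type": "Microsoft.Compute/virtualMachines",
            "Microsoft.Compute/virtualMachines/sku.name": size}

if __name__ == "__main__":
    print(json.dumps([policyDefinition, policyAssignment], indent=2))
    print(evaluate(vm("TestResourceGroup", "Standard_D4s_v3")))
```

A VM of a disallowed size in a different resource group evaluates as "Allowed" here because the assignment scope is TestResourceGroup only; widening enforcement means assigning at a higher scope, not changing the definition.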