Azure Resource Manager Policies

Organizations that adopt cloud computing can become more agile and deliver services faster. Microsoft Azure provides virtually unlimited access to compute, networking, storage and platform services that can be provisioned in a very short timeframe. Many organizations find that it is often faster and cheaper to use cloud services than to go through a long hardware procurement cycle. Unfortunately, many organizations are not prepared for this new way of working. Frequently I see organizations adopt cloud computing only to find that their outdated policies and procedures become the reason for slow cloud adoption.

How can IT organizations become a better enabler of agile cloud solution delivery? One way is to provide a self-service model to agencies and departments, where they can request and receive access to cloud resources in minutes instead of days. Microsoft has many partners that offer comprehensive (and sometimes customized) solutions to enable self-service of both Microsoft Azure and on-premises resources. But what if you are just getting started? Microsoft Azure provides many options in the management portal, such as role-based access control (RBAC) and Azure Resource Manager Policies, which can help an organization enforce basic governance rules while still allowing users from departments and agencies to create cloud resources. In this post, I will provide some insight into the often overlooked Azure Resource Manager Policies.

Azure Resource Manager Policies allow Azure subscription administrators to attach specific governance policies to the subscription or to specific resource groups within it. With RBAC you assign roles to users or groups, and those roles allow them to perform specific actions at different scopes within Azure. For example, an RBAC role may allow a user to create resources in a resource group but not manage permissions for that resource group. Policies, on the other hand, focus on resource actions at a specific scope. For example, a policy may require that resources created in a specific resource group be created only in a specific region. Other common policy scenarios include:

  • Requiring a CostCenter tag for each resource that is created, or automatically appending a CostCenter tag when a resource is created
  • Only allowing a user to create resources from a predefined service catalog
  • Only allowing the creation of storage accounts configured for geographically redundant storage
  • Requiring that all storage accounts are configured for at-rest encryption

Azure Resource Manager Policies are defined using JavaScript Object Notation (JSON). A policy definition consists of one or more conditions, optionally combined with logical operators, that define which resource actions the policy applies to, and an effect that describes what happens when the condition is met. Below is a sample policy definition that denies the creation of a resource unless it has a costCenter tag defined.

{
  "if": {
    "not": {
      "field": "tags",
      "containsKey": "costCenter"
    }
  },
  "then": {
    "effect": "deny"
  }
}

To create the policy definition in Azure you can use the New-AzureRmPolicyDefinition PowerShell cmdlet and pass in either the raw JSON or the path to a local file that contains the JSON definition. Once the policy definition has been added to Azure, you can use the New-AzureRmPolicyAssignment cmdlet to assign the policy to a specific scope such as the subscription or a resource group. For an in-depth look at how to create and assign policies, please review the Azure documentation article titled Use Policy to Manage Resources and Control Access.
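The two cmdlets in action, as an added example that is not code from the original post: it defines the costCenter policy from above plus the "only in a specific region" rule mentioned earlier, assigns both at resource group scope, and then lists what is enforced there. The resource group name, the region list and the policy names are assumptions.

```powershell
# Added example (not from the post). Assumed: resource group 'rg-finance' exists,
# East US regions are the only allowed ones, and the policy names below are free.
$rgScope = (Get-AzureRmResourceGroup -Name 'rg-finance').ResourceId

# Policy 1: the post's rule, passed as raw JSON (a file path works as well)
$requireTag = @'
{
  "if":   { "not": { "field": "tags", "containsKey": "costCenter" } },
  "then": { "effect": "deny" }
}
'@

# Policy 2: deny any resource whose location is not in the allowed list
$allowedLocations = @'
{
  "if":   { "not": { "field": "location", "in": ["eastus", "eastus2"] } },
  "then": { "effect": "deny" }
}
'@

# Definitions live at subscription level; New-AzureRmPolicyDefinition updates an
# existing definition of the same name, so re-running this script is safe.
$tagDef = New-AzureRmPolicyDefinition -Name 'require-costCenter-tag' -Policy $requireTag
$locDef = New-AzureRmPolicyDefinition -Name 'allowed-locations-east' -Policy $allowedLocations

# Assignments bind a definition to a scope; here the scope is one resource group
New-AzureRmPolicyAssignment -Name 'require-costCenter-tag' -PolicyDefinition $tagDef -Scope $rgScope | Out-Null
New-AzureRmPolicyAssignment -Name 'allowed-locations-east' -PolicyDefinition $locDef -Scope $rgScope | Out-Null

# Check: which assignments now apply at this scope (including any inherited from the subscription)
Get-AzureRmPolicyAssignment -Scope $rgScope |
    Select-Object Name, @{ n = 'AppliedAt'; e = { $_.Properties.scope } },
                        @{ n = 'Definition'; e = { $_.Properties.policyDefinitionId } }
```

The final listing is the quickest way to confirm that a policy has actually landed at the scope you intended rather than only being defined.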

Creating and deploying Azure Resource Manager Policies is quick and simple, but what happens when you need to manage a large number of policies which might be unique to different resource groups? How can you ensure that the official policies are always in place and not drifting from the desired state? The answer to both of these questions is automation.

One option for automation and management is to use Visual Studio and Visual Studio Online to maintain all of your JSON policy files under source control. You can then use the build features of Visual Studio Online to move the JSON policy definition files into an Azure Storage account when a change has been checked in. Once these files are in a storage account you can use PowerShell in Azure Automation runbooks to clear out existing policy assignments and then apply the updated policies.

I recently put together a simple Azure Automation demonstration that automatically applies policies to resource groups in my subscription. This all starts with an Azure Storage account which is used only for my JSON policy files. In the storage account I create containers which hold the actual JSON policy files. These containers are named exactly the same as the resource group where the policies should apply. Once I had the storage account and containers in place, I uploaded my JSON policy definition files to the appropriate containers. The final step is to create an Azure Automation runbook that uses PowerShell to read the JSON definitions from each container and apply them to the related Azure resource group. All of this took less than 2 hours to build from scratch. Once I had everything in place and tested, I set up a recurring schedule to execute the runbook on an hourly basis. This simple configuration allows me to easily add or remove policies for specific resource groups just by adding or removing JSON files from the containers in the storage account.
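A runbook that follows the design just described, written here as an added example rather than the author's own demonstration code. It assumes an Automation account with the standard AzureRunAsConnection asset, a storage account named 'stpolicies' in resource group 'rg-governance', and one container per target resource group holding only policy JSON files; the AzureRM cmdlets are the same generation the post uses.

```powershell
# Added example runbook (not the post's code). Assumed names: 'AzureRunAsConnection',
# storage account 'stpolicies' in 'rg-governance', containers named after resource groups.
param(
    [string]$StorageResourceGroup = 'rg-governance',
    [string]$StorageAccountName   = 'stpolicies'
)

# Sign in with the Automation account's Run As service principal
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

$ctx = (Get-AzureRmStorageAccount -ResourceGroupName $StorageResourceGroup -Name $StorageAccountName).Context
$tmp = Join-Path $env:TEMP 'policies'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null

foreach ($container in Get-AzureStorageContainer -Context $ctx) {
    $rgName = $container.Name
    $rg = Get-AzureRmResourceGroup -Name $rgName -ErrorAction SilentlyContinue
    if (-not $rg) { Write-Warning "Container '$rgName' has no matching resource group; skipping"; continue }
    $scope = $rg.ResourceId

    # Drift control: drop every assignment made AT this scope so the containers are the
    # single source of truth. Filtering on Properties.scope keeps subscription-level
    # assignments that are merely inherited here from being removed.
    Get-AzureRmPolicyAssignment -Scope $scope |
        Where-Object { $_.Properties.scope -eq $scope } |
        ForEach-Object { Remove-AzureRmPolicyAssignment -Name $_.Name -Scope $scope | Out-Null }

    foreach ($blob in Get-AzureStorageBlob -Container $rgName -Context $ctx | Where-Object { $_.Name -like '*.json' }) {
        $local = Join-Path $tmp $blob.Name
        Get-AzureStorageBlobContent -Container $rgName -Blob $blob.Name -Destination $local -Context $ctx -Force | Out-Null

        # One file maps to one definition and one assignment, named '<resourceGroup>-<file>'
        $name = "$rgName-" + [IO.Path]::GetFileNameWithoutExtension($blob.Name)
        $def  = New-AzureRmPolicyDefinition -Name $name -Policy $local
        New-AzureRmPolicyAssignment -Name $name -PolicyDefinition $def -Scope $scope | Out-Null
        Write-Output "Applied '$name' to resource group '$rgName'"
    }
}
```

Because storage container names must be lowercase, the lookup relies on resource group names being matched case-insensitively; the Run As principal also needs rights to manage policy at each target scope, not just reader access to the storage account.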

By using the built-in RBAC and Policy features in Microsoft Azure you can quickly establish some basic governance, which enables you to empower more people within your organization to use Azure while still maintaining your standards.

One thought on “Azure Resource Manager Policies”

  1. I really enjoy the insight in this article. I think Resource Policy is one of the first things new companies moving to the cloud should enforce (along with monitoring/auditing). Would you share the Azure Automation demonstration you wrote that automatically applies the policy to specific resource groups?

    Thanks!
