Azure Policy | Limit the Azure VM Sizes

Azure Governance

This post on Azure Policy is the first in a series about Azure Governance. The idea is to explain, through examples and how-to guides, the tools that Microsoft Azure provides to help administrators enforce rules across all subscriptions. Such rules help organizations stay compliant with their corporate standards, standardize resource creation and management, manage permissions and access controls, and so on.

Azure Policy

Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all the Azure subscriptions that we manage. We can use these rules for simple restrictions, like permitting only specific VM series and sizes to be created, and also for more complex rule sets that help you standardize the whole Azure deployment.

Limit the Azure VM Sizes

In this first post we will go through a simple policy, “Allowed virtual machine SKUs”. With this policy you can control which Azure VM series and sizes are permitted for deployment. You can apply this policy to a whole Management group, to a Subscription or to a single Resource Group.

Step by Step Guide

Open the Azure portal, https://portal.azure.com, and log in with your account. In the search box at the top, type “policy”. From the search results, select “Policy”.

At the Policy screen, select “Definitions”. To create and apply a policy we need to start from a Policy Definition.

At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. In the Category drop-down menu, deselect everything and select only “Compute”. Then press the “Allowed virtual machine SKUs” definition.

The “Allowed virtual machine SKUs” definition will open. Here we can see the code behind the definition. It is written in JSON format. If we want to make changes to the definition, we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the duplicate and press “Edit definition”. We will cover this in a future post.

To select the VM sizes and the scope and to apply the definition, press “Assign”.

Set the scope

At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.

For scope, we can select a whole Management group, a whole subscription or a single Resource Group.

Select the Azure VM SKUs

After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.

At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.

We can change the “Assignment Name” to easily find the specific assignment in the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”.

The next step is the “Managed Identity”. A managed identity creates an Azure AD identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it doesn’t exist.

We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.

A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.

Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.
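
The same assignment can be scripted with the Azure CLI instead of the portal. This is an added example, not part of the original post; the subscription ID is a placeholder, and the short assignment name, the listOfAllowedSKUs parameter name and the API spelling of the SKU names are assumptions to check against the definition's JSON in your tenant.

```shell
#!/usr/bin/env bash
# Added example: script the portal assignment with the Azure CLI.
# Assumptions (not from the post): placeholder subscription ID, the short
# assignment name, and the API spelling of the SKU names.
DEFINITION_DISPLAY_NAME="Allowed virtual machine SKUs"   # as shown in the post
ASSIGNMENT_DISPLAY_NAME="Allowed only F1-4 virtual machine SKUs"
SCOPE="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/devrg"

# Build the --params JSON: {"listOfAllowedSKUs":{"value":["...", ...]}}
build_params() {
  local json='{"listOfAllowedSKUs":{"value":[' sep='' sku
  for sku in "$@"; do
    # Accept only plain SKU tokens so the generated JSON stays valid.
    case "$sku" in
      ''|*[!A-Za-z0-9_]*) echo "invalid SKU name: $sku" >&2; return 1 ;;
    esac
    json="${json}${sep}\"${sku}\""
    sep=','
  done
  # An empty allow-list would deny every VM size in the scope.
  [ -n "$sep" ] || { echo "refusing to assign an empty allow-list" >&2; return 1; }
  printf '%s]}}' "$json"
}

assign_policy() {
  local params definition
  params="$(build_params "$@")" || return 1
  # Built-in definitions are named by GUID, so resolve it from the display name.
  definition="$(az policy definition list \
      --query "[?displayName=='${DEFINITION_DISPLAY_NAME}'].name | [0]" -o tsv)"
  [ -n "$definition" ] || { echo "policy definition not found" >&2; return 1; }
  az policy assignment create \
      --name "allowed-f-series-skus" \
      --display-name "$ASSIGNMENT_DISPLAY_NAME" \
      --scope "$SCOPE" \
      --policy "$definition" \
      --params "$params"
}

# Nothing is changed unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
  assign_policy Standard_F1 Standard_F2 Standard_F4 \
                Standard_F2s Standard_F4s Standard_F2s_v2 Standard_F4s_v2
fi
```

Run it with --apply after az login. Keeping the allow-list in a script under version control makes later changes to the permitted sizes reviewable.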

Test the policy

To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.

And the error details: “disallowed by policy”

You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/
