
Enforce Restrictions with Azure Policy

 15 May 2020   •   6 min read
Azure Policy is used to enforce standards and assess compliance at scale. You can use built-in policies to enforce restrictions, or create a custom policy if none of the built-in policies fits your use case. For myself, Azure Policy is most useful for restricting the SKUs / tiers of resources that can be created, such as App Service Plans.

Built-in Azure Policies

1. Once you log in to the Azure Portal, search for "Policy" and open it from the search results.

2. Click "Definitions" in the left navigation menu. You should see a long list of built-in and custom policies; explore them, as a built-in policy may already cover your use case.

3. To assign a policy to a subscription or resource group, click the name of the policy definition. I am using "Allowed virtual machine SKUs" as an example. Click "Assign" on the next page.

4. Click "..." beside the scope text field and select a subscription (and optionally a resource group) in the blade that appears on the right.

5. Click "Parameters" and select the SKUs to allow.

6. Click "Review + create" and, on the last page, click "Create". The policy is enforced at the subscription or resource group level, depending on the scope chosen in step 4. Note that a new assignment can take a while to become active, and that a policy with the Deny effect (as "Allowed virtual machine SKUs" has) only blocks new create or update requests; virtual machines that already exist with a disallowed SKU are not removed, they are reported as non-compliant on the Compliance page.

Custom Azure Policies

To demonstrate the creation of a custom policy, I will create one that allows only certain SKUs for App Service Plans.

1. Create a custom policy

On the "Definitions" page of Policy, click "+ Policy definition". Select a subscription for "Definition Location" and fill in the name.

2. Default Policy Rule

This is the default policy rule supplied by Azure:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "not": {
        "field": "location",
        "in": "[parameters('allowedLocations')]"
      }
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "metadata": {
        "description": "The list of allowed locations for resources.",
        "displayName": "Allowed locations",
        "strongType": "location"
      }
    }
  }
}

3. Replace The "policyRule" Block

Replace the "policyRule" block in the above JSON code with the following code:
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Web/serverfarms"
      },
      {
        "not": {
          "field": "Microsoft.Web/serverfarms/sku.name",
          "in": "[parameters('listOfAllowedSKUs')]"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
Refer to the Azure Resource Manager template reference for the full list of resource types. For App Service Plan, you can find it under Web > 2019-08-01 > Serverfarms (without the /) in the left navigation menu. The "type" in the JSON code is the resource type, Microsoft.Web/serverfarms.

The first condition in "allOf" is what scopes the rule to App Service Plans; without it, the SKU test would be evaluated against every resource type in the assignment scope. The clause below allows only the SKUs selected under "Parameters" when assigning the policy to a subscription / resource group; any App Service Plan created or updated with another SKU is denied.
{
  "not": {
    "field": "Microsoft.Web/serverfarms/sku.name",
    "in": "[parameters('listOfAllowedSKUs')]"
  }
}

4. Replace The "parameters" Block

Replace the "parameters" block in step 2 with the following JSON code:
"parameters": {
  "listOfAllowedSKUs": {
    "type": "Array",
    "metadata": {
      "displayName": "listOfAllowedSKUs",
      "description": "List of Allowed SKUs"
    },
    "allowedValues": [
      "D1",
      "F1",
      "B1",
      "B2",
      "B3"
    ]
  }
}
"allowedValues" lists the values that can be selected in the "Parameters" section when assigning the policy; if it is left out, any value can be typed in at assignment time. Add more SKU names to "allowedValues" as needed.

5. Policy Rule After Replacement

After replacing the blocks of code in step 3 and 4, the Policy Rule should look like this:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/serverfarms"
        },
        {
          "not": {
            "field": "Microsoft.Web/serverfarms/sku.name",
            "in": "[parameters('listOfAllowedSKUs')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "listOfAllowedSKUs": {
      "type": "Array",
      "metadata": {
        "displayName": "listOfAllowedSKUs",
        "description": "List of Allowed SKUs"
      },
      "allowedValues": ["D1", "F1", "B1", "B2", "B3"]
    }
  }
}
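To see how the rule above actually decides, here is a small local evaluator. It is an added example, not code from this post or from Azure: it re-implements, as an assumption, the subset of Azure Policy evaluation the rule uses (field, equals, in, not, allOf, anyOf and "[parameters('...')]" references), resolves the alias Microsoft.Web/serverfarms/sku.name by walking the resource body, and runs the policy against constructed sample resources: a B1 plan (allowed), a P1v2 plan (denied) and a storage account (not an App Service Plan, so untouched). It also checks assignment-time parameter values against "allowedValues" the way the portal does, and shows what happens when the "type" condition is dropped.

```python
"""Local evaluator for the App Service Plan SKU policy (added example, not Azure's code)."""
from typing import Any, Dict, List, Optional

# Assumption: a simplified re-implementation of Azure Policy evaluation covering only
# the constructs used in this post. Azure Resource Manager does the real evaluation.
APP_SERVICE_PLAN_SKU_POLICY: Dict[str, Any] = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Web/serverfarms"},
                {"not": {"field": "Microsoft.Web/serverfarms/sku.name",
                         "in": "[parameters('listOfAllowedSKUs')]"}},
            ]
        },
        "then": {"effect": "deny"},
    },
    "parameters": {
        "listOfAllowedSKUs": {
            "type": "Array",
            "metadata": {"displayName": "listOfAllowedSKUs",
                         "description": "List of Allowed SKUs"},
            "allowedValues": ["D1", "F1", "B1", "B2", "B3"],
        }
    },
}

# Constructed sample resource bodies, shaped like the request a create would send.
BASIC_PLAN = {"type": "Microsoft.Web/serverfarms", "name": "plan-basic",
              "location": "southeastasia", "sku": {"name": "B1", "tier": "Basic"}}
PREMIUM_PLAN = {"type": "Microsoft.Web/serverfarms", "name": "plan-premium",
                "location": "southeastasia", "sku": {"name": "P1v2", "tier": "PremiumV2"}}
STORAGE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stlogs01",
                   "location": "southeastasia", "sku": {"name": "Standard_LRS"}}

# The values an administrator picks under "Parameters" when assigning the policy.
ASSIGNMENT = {"listOfAllowedSKUs": ["F1", "B1"]}


def assignment_errors(policy, values) -> List[str]:
    """Every declared parameter needs a value, and it must come from allowedValues."""
    errors = []
    for name, spec in policy["parameters"].items():
        if name not in values:
            errors.append(f"parameter {name!r} has no value")
            continue
        allowed = spec.get("allowedValues")
        if allowed is None:
            continue  # no allowedValues: anything may be entered at assignment time
        supplied = values[name] if isinstance(values[name], list) else [values[name]]
        errors += [f"{v!r} is not in allowedValues of {name!r}" for v in supplied if v not in allowed]
    return errors


def resolve(expr, policy, values):
    """Replace a "[parameters('name')]" expression with the assigned value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(expr, str) and expr.startswith(prefix) and expr.endswith(suffix):
        name = expr[len(prefix):-len(suffix)]
        if name not in policy["parameters"]:
            raise KeyError(f"rule references undeclared parameter {name!r}")
        return values[name]
    return expr


def read_field(resource, field) -> Optional[Any]:
    """Assumption: an alias like 'Microsoft.Web/serverfarms/sku.name' is resolved by
    dropping the resource-type prefix and walking the dotted path; missing path -> None."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    type_prefix = resource.get("type", "") + "/"
    path = field[len(type_prefix):] if field.lower().startswith(type_prefix.lower()) else field
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _norm(v):
    return v.lower() if isinstance(v, str) else v  # equals/in compare strings case-insensitively


def matches(cond, resource, policy, values) -> bool:
    """Evaluate one condition of the policyRule 'if' tree."""
    if "allOf" in cond:
        return all(matches(c, resource, policy, values) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, policy, values) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, policy, values)
    if "field" not in cond:
        raise ValueError(f"unsupported condition: {cond}")
    actual = _norm(read_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], policy, values))
    if "in" in cond:
        return actual in {_norm(x) for x in resolve(cond["in"], policy, values)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource, values) -> Optional[str]:
    """Effect applied to `resource` ('deny', 'audit', ...), or None when the rule does not match."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if matches(rule["if"], resource, policy, values) else None


def without_type_scope(policy):
    """Copy of the policy with the 'type' condition removed, to show why it is needed."""
    unscoped = {**policy, "policyRule": {**policy["policyRule"]}}
    unscoped["policyRule"]["if"] = policy["policyRule"]["if"]["allOf"][1]
    return unscoped


if __name__ == "__main__":
    for r in (BASIC_PLAN, PREMIUM_PLAN, STORAGE_ACCOUNT):
        print(f"{r['name']:<14} {evaluate(APP_SERVICE_PLAN_SKU_POLICY, r, ASSIGNMENT)}")
    print("unscoped rule on storage:",
          evaluate(without_type_scope(APP_SERVICE_PLAN_SKU_POLICY), STORAGE_ACCOUNT, ASSIGNMENT))
    print("bad assignment:", assignment_errors(APP_SERVICE_PLAN_SKU_POLICY, {"listOfAllowedSKUs": ["P1v2"]}))
```

Running it prints None for the B1 plan and the storage account and "deny" for the P1v2 plan. With the type condition removed, the evaluator treats the missing sku alias as "not in the list" and denies the storage account as well, which is the point of scoping the rule by "type" in "allOf".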

6. Save and Assign

Click "Save" to save the custom policy. Then follow steps 3 to 6 in the "Built-in Azure Policies" section above to assign this custom policy (instead of a built-in one) to a subscription / resource group. A custom definition can only be assigned at the scope you chose as "Definition Location" and below it.

7. Verify The Assigned Custom Policy

After the assignment is in place, try to create a Web App with an App Service Plan whose SKU is not in the allowed list. The request is rejected with an error (error code RequestDisallowedByPolicy) stating that the creation of the Web App was disallowed by policy; the message names the policy assignment that blocked it.

TL;DR

Azure Policy is useful for implementing organisation-wide standards and compliance. It can enforce restrictions such as preventing the creation of certain SKUs / tiers of resources, and it can also improve the security of your infrastructure and applications indirectly by enforcing requirements, such as using the latest TLS version on an API app.

Tags: Microsoft, Azure, Compliance