I have always been a huge fan of the concept of configuring things from the UI. Not only because it is easy and makes life simpler, but also because you know exactly what you are doing and can easily predict the impact of your actions simply by taking a look at the UI help documentation, i.e., the tooltips on the UI.
Azure resource policies have been around for a long time; however, their configuration and assignment are not that easy, especially when you are left with limited options such as the CLI, PowerShell and REST APIs.
If you do not know about Azure policies, it is highly recommended that you learn about them. For IT administrators, they have turned out to be a highly powerful feature, which lets them control their Azure subscriptions effectively by controlling cost and managing organization policies over resources easily.
Typical examples of resource policies: an administrator wants to restrict the creation of high-cost resources in a training subscription, allow provisioning of resources only in a particular region, or require resource names to follow specific naming conventions.
Traditional approach
The traditional approach of defining policies involves creating JSON templates, which have the key components given below.
- Policy Rules and Evaluation (If else block with logical operators for evaluation).
- Effect
Once the JSON template is drafted, the next step is to provision the template-based policy in the Azure subscription. Once the policy definition is created, policy assignment is the next step. It is done by specifying the scope. Scope is nothing but the coverage of a policy, i.e., whether the policy is applied at the resource group level or at the entire subscription level.
The PowerShell commands given below are available to create a JSON-based policy definition and to assign existing policy definitions at the various scopes.
New-AzureRmPolicyDefinition and New-AzureRmPolicyAssignment
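The two steps above as an added example (not from the original post): a location-restricting rule is defined from JSON and then assigned at subscription scope. The subscription ID, resource group name, policy name and assignment name are placeholders, and the script assumes the AzureRM module with an already authenticated session.

```powershell
# Added example. All names and IDs below are placeholders, not values from the post.
# Assumes the AzureRM module is installed and Login-AzureRmAccount has been run.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$resourceGroup  = 'training-rg'                            # hypothetical resource group

# Policy rule: the "if" block is the evaluation, the "then" block is the effect.
# This rule denies any resource whose location is not in the allowed list.
$rule = @'
{
  "if": {
    "not": {
      "field": "location",
      "in": [ "eastus" ]
    }
  },
  "then": {
    "effect": "deny"
  }
}
'@

# Step 1: provision the JSON rule as a policy definition in the subscription.
$definition = New-AzureRmPolicyDefinition `
    -Name 'AllowedLocationEastUS' `
    -Description 'Deny resources created outside the allowed region' `
    -Policy $rule

# Step 2: assign the definition. The scope string decides the coverage.
$subscriptionScope  = "/subscriptions/$subscriptionId"
$resourceGroupScope = "$subscriptionScope/resourceGroups/$resourceGroup"

# Entire subscription:
New-AzureRmPolicyAssignment `
    -Name 'AllowedLocation-Subscription' `
    -PolicyDefinition $definition `
    -Scope $subscriptionScope

# Narrower alternative, a single resource group:
# New-AzureRmPolicyAssignment -Name 'AllowedLocation-TrainingRG' `
#     -PolicyDefinition $definition -Scope $resourceGroupScope

# Review what is actually enforced at the scope after the change.
Get-AzureRmPolicyAssignment -Scope $subscriptionScope
```

Listing the assignments at the scope after each change is a quick way to confirm that a deny rule landed where intended and not on a broader scope.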
UI Support in Preview portal
Well, though the process of provisioning multiple policies looks quite straightforward, its management becomes challenging, especially when you are dealing with huge and complex sets of policies for multiple subscriptions.
With this background, the preview portal has brought great news for folks like me, who absolutely enjoy configuring things on the UI.
All you need to do is launch the preview portal by visiting https://preview.portal.azure.com and start configuring and managing your policies at various scopes, i.e., resource group or subscription.
The Settings menu helps in locating the action to create policies.
Navigate to the subscriptions option and select your subscription from the listing page.
Select Policies from the settings blade.
Click the Add Assignment button in the top action bar menu.
As we can observe, certain commonly used policy definitions are readily available, and we are free to create our own custom policy definitions using the traditional approach of JSON templates. These custom policy definitions appear in the options list with ‘[Custom]’ prepended to their names. For example, the EnsureDevTag policy was created using a JSON template and provisioned using PowerShell. Hence, it appears in the list, and its name is shown as [Custom]: EnsureDevTag.
Let’s select the allowed locations policy definition and select Eastern US as the only allowed location for the resources inside our subscription.
As a final step of policy assignment, select the right scope based on your needs. In this example, we will select the subscription as the scope.
Note that all the resource groups inside our subscription are also listed in the scope dropdown, so that the policy can be assigned at the individual resource group level.
After creating the policy, we can view it in the policies list. The policy details as well as the JSON policy can also be seen using the details bar at the bottom of the page. You can use this JSON to make further customizations and create your own custom policies based on the existing policies.
This feature is currently available in the Preview portal. I hope it gets to the Azure portal quickly. Apart from that, I would have liked a UI for creating custom policy definitions, as it would definitely have helped folks who either aren’t familiar with JSON or do not like to draft those rules in the JSON editor. I assume that too is on the Azure team’s radar. Until then, happy configuring.