Task 1: Create a Policy assignment
Sign in to the Azure portal.
search for and select Policy, under the Authoring section click Definitions. Take a moment to review the list of built-in policy definitions. For example, in the Category drop-down select only Compute. Notice the Allowed virtual machine size SKUs definition enables you to specify a set of virtual machine SKUs that your organization can deploy.
Return to the Policy page, under the** Authoring** section click Assignments. An assignment is a policy that has been assigned to take place within a specific scope. For example, a definition could be assigned to the subscription scope.
Click Assign Policy at the top of the Policy - Assignments page.
On the Assign Policy page, keep the default Scope
On the Parameters tab, select Japan West. Click Review + create, and then Create.
Note: A scope determines what resources or grouping of resources the policy assignment applies to. In our case we could assign this policy to a specific resource group, however we chose to assign the policy at subscription level. Be aware that resources can be excluded based on the scope configuration. Exclusions are optional.
Note: This Allowed Locations policy definition will specify a location into which all resources must be deployed. If a different location is chosen, deployment will not be allowed. For more information view the Azure Policy Samples page.
The Allowed locations policy assignment is now listed on the Policy - Assignments pane and it is now in place, enforcing the policy at the scope level we specified (subscription level).
Task 2: Test Allowed location policy
In the Azure Portal, search for and select Storage accounts, and then click + Create.
Configure the storage account letters and digits such that the name is globally unique. Leave the defaults for everything else.
Click Review + create and then click Create.
You will receive the deployment failed error stating that resource was disallowed by policy, including the Allowed locations policy name
.
Task 3: Delete the policy assignment
In this task, we will remove the Allowed location policy assignment and test.
We will delete the policy assignment to ensure we are not blocked on any future work we wish to do.
- search for and select Policy, and then click your Allowed locations policy.
Note: On the Policy blade, you can view the compliance state of the various policies you have assigned.
Note: The Allowed location policy may show non-compliant resources. If so, these are resources created prior to the policy assignment.
Click Allowed Locations It will open an Allowed locations Policy Compliance window.
Click Delete Assignment in the top menu. Confirm you wish to delete the policy assignment by clicking Yes
Try to create another storage account to ensure the policy is no longer in effect.
Note: Common scenarios where the Allowed locations policy can be useful include:
Cost Tracking: You could have different subscriptions for different regional locations. The policy will ensure that all resources are deployed in the intended region to help cost tracking.
Data Residency and Security compliance: You could also have data residency requirements, and create subscriptions per customer or specific workloads, and define that all resources must be deployed in a particular datacenter to ensure data and security compliance requirements.
Congratulations! You have created an Azure Policy to restrict deployment of Azure resources to a particular datacenter.
Note: To avoid additional costs, you can optionally remove this resource group. Search for resource groups, click your resource group, and then click Delete resource group. Verify the name of the resource group and then click Delete. Monitor the Notifications to see how the delete is proceeding.
Top comments (0)