How To Create Your Own Azure Custom Policy

Introduction

Before creating Azure custom policies, I want to give a bit of background on policies in general. They are an integral part of Azure governance, which raises the question of what governance is. Azure governance follows the same principle as the governance applied by a government, or by any organization that wants to implement its own policies in order to stay compliant. Nowadays we also hear the term "GDPR"; this is another kind of governance, imposed globally and related to personal data protection, so organizations that handle any kind of personal data need to be compliant with it.

That is enough about governance; let's come back to Azure policies. These are policies that an organization implements at the subscription or management group level in order to secure the environment: through Azure policies we control how resources are provisioned in Azure. A resource with an undesired configuration can be denied by a policy, or an additional resource or service can be deployed or audited by a policy. Use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management.

For example, suppose an organization XYZ operates only in Asia Pacific and does not want resources provisioned in US regions. An Azure policy can restrict this behavior.

Types of policies

Basically, there are two types of policies available in Azure:

  1. Built-in
    These are pre-built policies provided by Microsoft. They can be used as they are, according to the requirement, but cannot be altered.
  2. Custom
    These policies are created by us as per our requirements and customized accordingly. Here I will explain how to create a custom policy.

Type of Effects

As the name suggests, a policy is basically a rule that has some effect when that rule is applied. In the same way, an Azure policy contains a rule and the effect of that rule once the policy is assigned.

These are the common effects that can be used when creating a custom policy in Azure.

Deny

Denies resource creation if the checked condition is true.

Audit

Resource creation is not denied, but a warning is raised showing the non-compliance of the resource.

AuditIfNotExists

If the existence condition is true, the resource is compliant; if not, the resource is non-compliant. Resource creation is not blocked.

DeployIfNotExists

If the existence condition is true, there is no effect and no deployment; if the existence condition is false, the effect is activated and the right configuration or a sub-resource is deployed.

Effects Categorization

  • Detection effects – Audit, AuditIfNotExists
  • Prevention effects – Deny
  • Remediation effects – DeployIfNotExists

A policy is implemented and deployed in two parts:

  1. Create the policy definition
  2. Assign the definition to a subscription/management group.

Let’s see how a custom policy can be created using the Azure portal.

Steps

  1. Go to the Azure portal, search for "Policy" in the marketplace, and click the highlighted service.
  2. Click on "Definitions".
  3. Click on "+ Policy definition".
  4. Choose the "Definition location" (your subscription or management group), enter the definition name, description, and policy rule (the rule used here is shown below; it denies creation of a resource group that lacks the tag named in the tagName parameter), and then click "Save".

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "exists": "false"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Name",
            "description": "Name of the tag, such as 'environment'"
          }
        }
      }
    }
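As an added example that is not part of the original article, the following Python script evaluates the policy rule above offline against constructed resource payloads, so the allOf / equals / exists logic and the parameterised tag field can be seen deciding "deny" versus no effect. It supports only the expression forms this rule uses (concat, parameters and quoted literals), and UNTAGGED_RG, TAGGED_RG and STORAGE are constructed samples, not real Azure resources.

```python
import re

# The article's policy rule as a Python dict; the tagName parameter value is supplied at evaluation time.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}

def resolve_field(field, params):
    # Expand "[concat('tags[', parameters('tagName'), ']')]" to "tags[environment]"; only concat/parameters/literals are handled.
    if not field.startswith("["):
        return field
    body = re.fullmatch(r"\[concat\((.*)\)\]", field).group(1)
    pieces = re.findall(r"parameters\('([^']*)'\)|'([^']*)'", body)
    return "".join(params[name] if name else literal for name, literal in pieces)

def field_value(resource, path):
    # "type" -> resource["type"]; "tags[environment]" -> resource["tags"]["environment"]; None if absent
    m = re.fullmatch(r"(\w+)\[(.+)\]", path)
    if m:
        return (resource.get(m.group(1)) or {}).get(m.group(2))
    return resource.get(path)

def condition_holds(cond, resource, params):
    value = field_value(resource, resolve_field(cond["field"], params))
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:  # Azure accepts true/false as a bool or a string
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource, params):
    # Returns the effect ("deny") when every allOf condition matches, else None.
    if all(condition_holds(c, resource, params) for c in rule["if"]["allOf"]):
        return rule["then"]["effect"]
    return None

# Constructed sample payloads (not real Azure resources).
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
UNTAGGED_RG = {"name": "rg-app", "type": RG_TYPE, "tags": {"owner": "team-a"}}
TAGGED_RG = {"name": "rg-app", "type": RG_TYPE, "tags": {"environment": "prod"}}
STORAGE = {"name": "sa1", "type": "Microsoft.Storage/storageAccounts", "tags": {}}

if __name__ == "__main__":
    for res in (UNTAGGED_RG, TAGGED_RG, STORAGE):
        print(res["name"], "->", evaluate(POLICY_RULE, res, {"tagName": "environment"}))
```

Note that the storage account is untouched even without tags, because the first allOf condition restricts the rule to resource groups; a tag requirement for other resource types would need a separate rule.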

Conclusion

We have successfully created a custom policy in Azure with the Deny effect and validated the effect in action. These policies are easy to create, and they secure the environment against the creation of resources with undesired configurations. This works well in large organizations that have many subscriptions in which resources and governance must be managed.
