Hi there

We can use Azure Policy to enforce that specific Azure resources are created only in specific Azure regions, such as Canada Central (canadacentral).

This Azure Policy enforcement helps keep your Azure resource group clean, with all of its resources created in the same Azure region.

Before you move forward, create the Azure resource group for this demonstration:

New-AzResourceGroup -Name Demo -Location "canadacentral"

TIP!

  • If you have multiple definitions in the same policy, all of their conditions have to be fulfilled while creating the Azure resources before they are created properly.
  • Always define and use naming conventions that remind you of what the policy does, such as Allowed locations_canadacentral.

Policy example

{
    "properties": {
        "mode": "all",
        "parameters": {
            "allowedLocations": {
                "type": "array",
                "metadata": {
                    "description": "The list of locations that can be specified when deploying resources",
                    "strongType": "location",
                    "displayName": "Allowed locations"
                },
                "defaultValue": [ "canadacentral" ]
            }
        },
        "displayName": "Allowed locations",
        "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
        "policyRule": {
            "if": {
                "not": {
                    "field": "location",
                    "in": "[parameters('allowedLocations')]"
                }
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}
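As an added example that is not part of the original post, the same definition can be created and assigned to the Demo resource group with Az PowerShell instead of the portal; the definition name AllowedLocations_canadacentral and the description text are assumptions, while the rule and parameters are taken from the JSON above.

```powershell
# Added example (not from the original post). Assumes Az.Resources is installed,
# Connect-AzAccount has been run, and the Demo resource group exists.
$rg = Get-AzResourceGroup -Name 'Demo'

# Policy rule, copied from the "policyRule" section of the JSON above
$rule = @'
{
  "if": {
    "not": {
      "field": "location",
      "in": "[parameters('allowedLocations')]"
    }
  },
  "then": { "effect": "deny" }
}
'@

# Parameters, copied from the "parameters" section of the JSON above
$params = @'
{
  "allowedLocations": {
    "type": "array",
    "metadata": {
      "description": "The list of locations that can be specified when deploying resources",
      "strongType": "location",
      "displayName": "Allowed locations"
    },
    "defaultValue": [ "canadacentral" ]
  }
}
'@

# Create the custom definition (name without spaces is an assumption; the
# display name follows the naming convention recommended in the post)
$definition = New-AzPolicyDefinition -Name 'AllowedLocations_canadacentral' `
    -DisplayName 'Allowed locations_canadacentral' `
    -Description 'Restrict deployments in the Demo resource group to Canada Central' `
    -Policy $rule -Parameter $params -Mode 'All'

# Assign it only to the Demo resource group, passing the allowed location explicitly
$assignment = New-AzPolicyAssignment -Name 'AllowedLocations_canadacentral' `
    -DisplayName 'Allowed locations_canadacentral' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedLocations = @('canadacentral') }

# Check: the assignment should now be listed at the resource group scope
Get-AzPolicyAssignment -Scope $rg.ResourceId | Format-List
```

After the assignment exists, a deployment into Demo with any other location is rejected at validation with a policy error naming this assignment, which is the same outcome the portal steps below demonstrate.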

Steps

Log on to the Azure Portal, search for “Policy” in the Azure Marketplace and click on it.

Now you’re at the Policy blade. You will see a standard policy if this is your first time working with policies within your Azure subscription. Otherwise, you’ll see all available and assigned policies.

On this screen you have the following:

  • Authoring
    • Assignments: A policy assignment is a policy definition that has been assigned to take place within a specific scope.
    • Definitions: Start here! Every policy definition has conditions under which it’s enforced. And, it has a defined effect that takes place if the conditions are met.
  • Scope: A scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the policy definition is assigned to. Policy assignments are inherited by all child resources.

Click on Authoring \ Definitions

On this screen you have the following:

  • You can add, edit or delete an Initiative
  • You can add, edit or delete a Definition
  • You can use the search fields to look for a specific Initiative or Policy Definition

Click on Allowed locations_canadacentral custom policy

Check the following:

  • Definition: the policy itself (you can copy, paste and edit the policy you want to deploy)
  • Assignments: where the policy is assigned and how it is configured (described below)
  • Parameters: the policy parameters (described below)

At Parameters you can assign and edit (copy and paste) the current policy.

At Assignments you check what is configured on it (click on the policy name “Allowed locations_canadacentral”).

Then you’ll see the fields:

  • Basics
    • Scope: the subscription ID this policy is applied to
    • Exclusions: the Azure resource groups excluded from this policy assignment
    • Assignment name: use the same policy name
    • Policy enforcement: Enabled (set to Enabled for this to work)
    • Assigned by: who created and assigned the policy

Exclusions expanded

  • All the highlighted Azure resources (in scope) will not receive this policy enforcement.

Parameters

  • The same information as in the JSON policy file

Policy in action

Go to the Demo1 Azure resource group and try to create a new storage account in “Central US”.

It will fail on validation, pointing to the Azure Policy name in place.

Error detailed

Click “Previous” or “Basics”, select Canada Central as the location for this storage account and proceed through the Next screens until validation, to make sure that it passes now. Then proceed with the storage account creation by clicking on Create (blue button).

thanks,

Thiago Beier