Azure Policy Fundamentals: Building Blocks of Effective Cloud Governance

Optimize resource allocation, avoid unnecessary expenses and ensure consistent performance

Consider an organization that wants to control costs by standardizing the VM sizes across its Azure environment. This is crucial for optimizing resource allocation, avoiding unnecessary expenses, and ensuring consistent performance.

This blog will explore a crucial Azure Policy: "Allowed Virtual Machine Size SKUs". This policy empowers organizations to control costs by enforcing only approved Virtual Machine (VM) size SKUs.

Why the "Allowed Virtual Machine Size SKUs" Policy Matters:

The "Allowed virtual machine size SKUs" policy, a built-in policy type operating in indexed mode, provides a robust solution for organizations seeking to define and restrict the virtual machine size SKUs deployable within their Azure environment.

Its primary objective is to prevent the use of unauthorized VM sizes, ensuring adherence to specific size SKU standards set by the organization.

1. Policy review:

"displayName": "Allowed virtual machine size SKUs",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy."

Analyzing the metadata reveals that the policy is called "Allowed virtual machine size SKUs," runs in Indexed mode (it is evaluated only against resource types that support tags and location, which virtual machines do), and is classified as a Built-In policy. The brief description states the goal of the policy: to list the VM size SKUs that are acceptable inside the company.

2. Policy Parameters:

"parameters": {
  "listOfAllowedSKUs": {
    "type": "Array",
    "metadata": {
      "description": "The list of size SKUs that can be specified for virtual machines.",
      "displayName": "Allowed Size SKUs"
    }
  }
},

One important element of the policy is the "listOfAllowedSKUs" parameter. By entering this array parameter, users specify the exact VM size SKUs that are considered appropriate in their organization. The metadata makes the parameter's purpose and display name clear.

3. Policy Rule Logic:

a) Resource Type Check:

"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.Compute/virtualMachines"
    }
    // Additional conditions, if any
  ]
},

This segment opens the policy rule by checking that the type of the targeted resource is "Microsoft.Compute/virtualMachines". Scoping the rule this way guarantees that the policy applies only to virtual machine instances and provides the context for the checks that follow.

b) VM Size SKU Validation:

{
  "not": {
    "field": "Microsoft.Compute/virtualMachines/sku.name",
    "in": "[parameters('listOfAllowedSKUs')]"
  }
}

This subpart, nested inside the larger condition, performs the VM size SKU validation. The "sku.name" alias of the virtual machine being created or updated is compared against the "listOfAllowedSKUs" parameter; the condition evaluates to true when the SKU is not in the list of permitted sizes.

c) Deny Effect:

"then": {
  "effect": "Deny"
}

This section determines the outcome when all of the criteria in the preceding sections are satisfied. When a request creates or updates a VM instance with a prohibited size SKU, the "Deny" effect is applied and the request is rejected. Note that Deny only blocks new create and update requests; VMs that already run on a disallowed SKU are reported as non-compliant but are not changed.

Full Code Snippet:

{
  "properties": {
    "displayName": "Allowed virtual machine size SKUs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy.",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of size SKUs that can be specified for virtual machines.",
          "displayName": "Allowed Size SKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  }
}
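To show how the rule in sections 3a to 3c and the full snippet above decides a request, here is a small evaluator added for this post (not code from the post or from Azure). It applies the policy rule to constructed VM request bodies; the alias-to-path mapping, the request shapes and the sample SKU list are assumptions, and Azure performs the real evaluation.

```python
import json, re

# Policy rule from the definition shown in the post (whitespace only changed).
POLICY_RULE = json.loads("""
{"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "in": "[parameters('listOfAllowedSKUs')]"}}]},
 "then": {"effect": "Deny"}}
""")

# Alias -> path in the request body; assumed here (Azure resolves aliases itself).
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name":
           ("properties", "hardwareProfile", "vmSize")}

def norm(value):
    """Azure Policy compares strings case-insensitively; normalise for that."""
    return value.lower() if isinstance(value, str) else value

def field_value(resource, field):
    """Resolve a 'field' (top-level property or alias) against a request body."""
    node = resource
    for key in ALIASES.get(field, (field,)):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def evaluate(cond, resource, params):
    """Evaluate the condition grammar subset this rule uses: allOf, not, equals, in."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return actual == norm(cond["equals"])
    if "in" in cond:  # value may be a literal list or a "[parameters('x')]" reference
        ref = re.fullmatch(r"\[parameters\('([^']+)'\)\]", str(cond["in"]))
        allowed = params[ref.group(1)] if ref else cond["in"]
        return actual in {norm(v) for v in allowed}
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(resource, params, rule=POLICY_RULE):
    """Effect applied to a create/update request: 'Deny', or None when it is allowed."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None

# Constructed assignment parameter and a minimal VM request body (not real deployments).
PARAMS = {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}
def vm_request(size):
    return {"type": "Microsoft.Compute/virtualMachines",
            "properties": {"hardwareProfile": {"vmSize": size}}}
```

Calling effect_for(vm_request("Standard_E64s_v3"), PARAMS) returns "Deny", while an approved size or a non-VM resource returns None.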

Navigating the Azure Policy Portal: A Step-by-Step Guide

1. Access Azure Policy in the Portal:

2. Define a New Policy:

1. Click on "Definitions" and then "+ Add policy definition." 2. Provide a unique name, category, and description for your policy. 3. Paste the policy JSON snippet into the editor.

3. Configure and Save:

1. Set any necessary parameters in the policy rule section. 2. Click "Save" to create the policy definition, ready for assignment in your Azure environment.

I strongly recommend that you investigate additional policies that supplement and improve your governance approach as you learn more about Azure Policy's capabilities.

Consider the following policies, for example:

  1. Compute - DoubleEncryptionRequired_Deny
  2. Compute - VMRequireManagedDisk_Audit
  3. Network - NetworkSecurityGroupOnGatewaySubnet_Deny
  4. Storage - AllowedStorageSkus_Audit
