Azure Policy | Limit the Azure VM Sizes
This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.
Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.
Limit the Azure VM Sizes
In this fist post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy you can control what Azure VM series and sizes are permitted for deployment. You can apply this policy to a whole Management group, to a Subscription or to a single Resource Group.
Step by Step Guide
Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”.
At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition.
At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition.
The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in json format. If we want to make changes at the definition we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the definition duplicatie and press “Edit definition. We will cover this at a future post.
To select the VM sizes, the scope and apply the definition, press “Assign”
Set the scope
At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.
For scope, we can select a whole Management group, a whole subscription or a single Resource Group.
Select the Azure VM SKUs
After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.
At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.
We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”
The next step is the “Managed Identity”. Managed identity creates an Azure AD Identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it is doesn’t exists.
We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.
A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.
Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.
Test the policy
To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.
And the error details: “disallowed by policy”
You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/