Microsoft Azure Administrator:Exam Guide AZ-103
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Azure Policy

With Azure Policy, you can create policies that enforce rules over your Azure resources. This way, resources stay compliant with service-level agreements and corporate standards. With Azure Policy, you can evaluate all the different Azure resources for non-compliance. For example, you can create a policy to allow only a certain size of VM in your Azure environment. When the policy is created, Azure will check all the new and existing VMs to see whether they apply to this policy. 

Azure Policy is different than RBAC because Azure Policy focuses on resource properties for existing resources and during deployment. RBAC focuses on user actions at different scopes. A user can be added to the owner role in a resource group, for instance, which will give the user full rights to that resource group.

Azure offers built-in policies and custom policies. Some examples of these built-in policies are as follows:

  • Allowed VM SKUs: This policy specifies a set of VM sizes and types that can be deployed in Azure.
  • Allowed locations: This policy restricts the available locations where resources can be deployed.
  • Not allowed resource types: This policy prevents certain resource types from being deployed.
  • Allowed resource types: This policy defines a list of resource types that you can deploy. Resource types that are not on the list can't be deployed inside the Azure environment.
  • Allowed storage account SKUs: This policy specifies a set of storage account SKUs that can be deployed.

If the built-in policies don't match with your requirements, you can create a custom policy instead. Custom policies are created in JSON and look like the following example. The first part of the code sets the different properties: 

{
    "properties": {
        "displayName": "Deny storage accounts not using only HTTPS",
        "description": "Deny storage accounts not using only HTTPS. Checks the supportsHttpsTrafficOnly property on StorageAccounts.",
        "mode": "all",
        "parameters": {
            "effectType": {
                "type": "string",
                "defaultValue": "Deny",
                "allowedValues": [
                    "Deny",
                    "Disabled"
                ],
                "metadata": {
                    "displayName": "Effect",
                    "description": "Enable or disable the execution of the policy"
                }
            }
        },

In this part of the code, we are looking at the policy rule:

       "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/storageAccounts"
                    },
                    {
                        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                        "notEquals": "true"
                    }
                ]
            },
            "then": {
                "effect": "[parameters('effectType')]"
            }
        }
    }
}

Policies are assigned at the management group level, the subscription level, or the resource group level.

本周热推:
Windows内核编程PLC控制程序精编108例电脑组装与系统安装Linux内核深度解析30天自制操作系统
上一章目录下一章