This article shows how to create Azure Policy Assignments to prevent Azure Administrators or Devepores from creating expensive Virtual Machines. and create some resource types (for example express Route)
We will cover steps using Azure Portal and PowerShell
We will be using the following existing two policies
• Allowed virtual machine size SKUs Policy Assignment
• Not allowed resource types
Navigate to Policy-Definitions, and search for Allowed virtual machine size SKUs definitions. Select Assign form right menu
On the Basic tab leave it as default. By default, this policy will be assigned to the whole subscription
Navigate to the Parameters tab and select all SKUs which you want to be available for your users
After you assign a policy, this is a screen which will be available during VM creation. The end-users will see which VM is blocked and which are allowed.
Setup Policy Assignment using PowerShell
You can use this script to create policy assignments. Just add your SKUs in $SKUs variable.
$Subscriptionid=”XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX”
$location=”Canada Central”
# Create an Azure Policy Assignment (Allowed virtual machine size SKUs)
# Allow VM creation only for the following SKUs
$SKUs=”Standard_A1_v2″,
“Standard_A2_v2”,
“Standard_A2m_v2”,
“Standard_A4_v2”,
“Standard_A8_v2”,
“Standard_B1ms”,
“Standard_B1s”,
“Standard_B2ms”,
“Standard_B2s”,
“Standard_B4ms”,
“Standard_D1_v2”,
“Standard_D16ds_v5”,
“Standard_D16s_v3″
$PolicyAssignmentName=”Allowed virtual machine size SKUs”
$Policy = Get-AzPolicyDefinition -Builtin | Where-Object {$_.Properties.DisplayName -eq “Allowed virtual machine size SKUs”}
$Parameter = @{“listOfAllowedSKUs”=@($SKUs)}
New-AzPolicyAssignment -Name $PolicyAssignmentName -PolicyDefinition $Policy -Scope “/subscriptions/$SubscriptionId” -PolicyParameterObject $Parameter -Location $location -AssignIdentity
We can use the following commands to check is assignment has been assigned
$Policy = Get-AzPolicyAssignment -Name “Allowed virtual machine size SKUs”
#($Policy).Properties.Parameters
($Policy).Properties.Parameters.listOfAllowedSKUs | fl
NOT ALLOWED RESOURCE TYPES
Setup Policy Assignment using Portal
To set up this policy assignment, type Not Allowed Resource Types in search and navigate to the Assign buttons as presented in the following pictures.
On the Basic tab leave it as default. By default, this policy will be assigned to the whole subscription
Navigate to the Parameters tab and select all services which you do not want to be available for your users
Setup Policy Assignment using PowerShell
You can use this script to create policy assignment. Just add your resources s in $BlockResources variable.
$Subscriptionid=”XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX”
$location=”Canada Central”
# Create an Azure Policy Assignment (Not allowed resource types)
# Dendy creation only for the following resource types
$BlockResources=
“microsoft.network/expressroutecircuits”,
“microsoft.network/expressroutegateways”,
“microsoft.network/p2svpngateways”,
“microsoft.network/vpngateways”
$PolicyAssignmentName=”Not allowed resource types”
$Policy = Get-AzPolicyDefinition -Builtin | Where-Object {$_.Properties.DisplayName -eq “Not allowed resource types”}
$Parameter = @{“listOfResourceTypesNotAllowed”=@($BlockResources)}
New-AzPolicyAssignment -Name $PolicyAssignmentName -PolicyDefinition $Policy -Scope “/subscriptions/$SubscriptionId” -PolicyParameterObject $Parameter -Location $location -AssignIdentity -Verbose
We can use the following commands to check if an assignment has been assigned
$Policy = Get-AzPolicyAssignment -Name “Not allowed resource types”
#($Policy).Properties.Parameters
($Policy).Properties.Parameters.listOfResourceTypesNotAllowed | fl