Azure Policy is an Azure service that lets you create, assign, and manage policy definitions that enforce rules and effects over your resources. Because the evaluation happens in Azure Resource Manager when a request arrives, a policy with the deny effect blocks a non-compliant create or update before the resource exists, regardless of which client (Portal, CLI, SDK, ARM template) sent it. In this tutorial, we will cover how to create a policy definition using the Azure Portal and Azure CLI commands. We will also assign the policy to a resource group and verify that it is being enforced.

Prerequisites

Before we begin, you need to have the following:

  • An Azure subscription, with permission to write policy definitions and assignments at the chosen scope (for example the Resource Policy Contributor role)
  • Azure CLI installed on your local machine
  • Basic understanding of Azure Resource Manager and Azure Policy

Create a Policy using Azure Portal

  1. Sign in to your Azure account and navigate to the Azure Portal.
  2. Click on “Policy” from the left-hand side menu.
  3. Click on “Definitions” and then click on “+ Policy definition”.
  4. Fill in the required fields: the definition location (the subscription or management group that stores the definition; it can only be assigned at or below that scope), name, description, category, and the policy rule (the JSON if/then document shown in the CLI section below).
  5. Click on “Review + create” and then click on “Create”.

Your policy is now created and ready to be assigned.

Create a Policy using Azure CLI

  1. Open a terminal on your local machine and sign in to your Azure account using the following command:

az login

  2. Create a JSON file with the policy rule. For example, let’s create a policy that denies the creation of virtual machines with more than two data disks. Azure Policy cannot compare an array alias such as dataDisks[*] against a number directly; to reason about how many elements an array has, the rule must use the count expression, which evaluates the aliased array and exposes its length to the comparison operator:

{
   "if": {
      "allOf": [
         {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
         },
         {
            "count": {
               "field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*]"
            },
            "greater": 2
         }
      ]
   },
   "then": {
      "effect": "deny"
   }
}

The first condition scopes the rule to virtual machine resources so that the disk count is never evaluated against unrelated resource types, and the second denies the request only when the data disk array holds three or more entries. A VM with zero, one or two data disks passes.
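Before pushing a definition, it is worth checking that the rule matches exactly the resources you intend. The following is an added example that is not part of the original tutorial and is not Azure's policy engine: a minimal Python evaluator for the small subset of the rule language used on this page (allOf, not, field with equals, and count with greater). The alias-to-path table and the sample VM bodies are constructed for the example; Azure evaluates aliases against the full resource payload and has many more operators.

```python
"""Minimal local evaluator for the subset of the Azure Policy rule language
used in this tutorial. Added example, not Azure's engine: it only knows the
two aliases below and a handful of operators."""
import json

# The corrected rule from the tutorial (count over the data disk array).
POLICY_RULE = json.loads("""
{
  "if": {
    "allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"count": {"field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*]"},
       "greater": 2}
    ]
  },
  "then": {"effect": "deny"}
}
""")

# Assumption: aliases map to these JSON paths in a VM resource body.
ALIASES = {
    "type": ("type",),
    "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*]":
        ("properties", "storageProfile", "dataDisks"),
}


def resolve(resource, alias):
    """Walk the resource body along the alias path; missing values become None."""
    node = resource
    for key in ALIASES[alias]:  # KeyError for aliases this example does not know
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _fold(value):
    # Azure's equals is case-insensitive for strings; mimic that here.
    return value.lower() if isinstance(value, str) else value


def compare(value, condition):
    """Apply the single comparison operator present in the condition."""
    if "equals" in condition:
        return _fold(value) == _fold(condition["equals"])
    if "notEquals" in condition:
        return _fold(value) != _fold(condition["notEquals"])
    if "greater" in condition:
        return value is not None and value > condition["greater"]
    if "greaterOrEquals" in condition:
        return value is not None and value >= condition["greaterOrEquals"]
    if "less" in condition:
        return value is not None and value < condition["less"]
    if "lessOrEquals" in condition:
        return value is not None and value <= condition["lessOrEquals"]
    raise ValueError(f"unsupported operator in {condition}")


def evaluate(condition, resource):
    """Return True when the condition matches the resource body."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    if "count" in condition:
        items = resolve(resource, condition["count"]["field"])
        # A missing or non-array value counts as zero elements.
        return compare(len(items) if isinstance(items, list) else 0, condition)
    if "field" in condition:
        return compare(resolve(resource, condition["field"]), condition)
    raise ValueError(f"unsupported condition {condition}")


def effect_for(policy_rule, resource):
    """Effect the rule would apply ('deny' here), or None when 'if' does not match."""
    if evaluate(policy_rule["if"], resource):
        return policy_rule["then"]["effect"]
    return None


def vm_with_disks(n):
    """Constructed, stripped-down VM body with n data disks (not a full ARM payload)."""
    return {
        "type": "Microsoft.Compute/virtualMachines",
        "name": f"vm-{n}-disks",
        "properties": {"storageProfile": {
            "dataDisks": [{"lun": i, "diskSizeGB": 32} for i in range(n)]}},
    }


if __name__ == "__main__":
    for n in (0, 2, 3):
        print(f"{n} data disks ->", effect_for(POLICY_RULE, vm_with_disks(n)))
    print("storage account ->",
          effect_for(POLICY_RULE, {"type": "Microsoft.Storage/storageAccounts"}))
```

Running it shows the rule is inert for zero and two disks and for a storage account, and returns deny only for the three-disk VM; swapping the count expression for a plain field comparison on the array alias, as a first draft might, makes the evaluator raise instead of silently matching everything, which is the kind of mistake that is cheaper to catch locally than after assignment.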

  3. Use the following command to create the policy definition:

az policy definition create --name "restrict-vm-data-disks" --display-name "Restrict VMs with more than 2 data disks" --description "This policy restricts the creation of VMs with more than 2 data disks" --rules policy.json

Replace policy.json with the path to your JSON file. The --rules option accepts either a file path or an inline JSON string, and the file must contain only the if/then rule shown above, not a full ARM policy definition resource. By default the definition is created in the current subscription; use --management-group to store it at a management group so it can be assigned across several subscriptions.

Your policy definition is now created. Let’s move on to assigning the policy.

Assign a Policy using Azure Portal

  1. Click on “Assignments” from the left-hand side menu.
  2. Click on “Assign policy” and fill in the required fields: the scope (management group, subscription, or resource group), any exclusions, the policy definition, and an assignment name.
  3. Click on “Review + create” and then click on “Create”.

Your policy is now assigned. Note that a new assignment takes several minutes to propagate before requests in the scope are evaluated against it.

Assign a Policy using Azure CLI

  1. Use the following command to assign the policy to a resource group:

az policy assignment create --name "restrict-vm-disks-rg" --display-name "Restrict VMs with more than 2 data disks in RG" --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name> --policy "restrict-vm-data-disks"

Replace <subscription-id> and <resource-group-name> with your subscription ID and resource group name respectively. The --policy option accepts the definition name or its full resource ID; keep the assignment name short, since assignment names are limited to 24 characters at subscription and resource group scope (64 at management group scope).

Your policy is now assigned. As with the Portal, allow a few minutes for the assignment to propagate before testing.

Verify Policy Enforcement

To verify that the policy is being enforced, try to create a virtual machine with more than two data disks in the assigned resource group, for example by passing three sizes to the --data-disk-sizes-gb option of az vm create, or by deploying an ARM template whose storageProfile lists three data disks. The request should fail with error code RequestDisallowedByPolicy and a message naming the assignment. Two caveats: deny only applies to create and update requests, so VMs that already had three or more data disks before the assignment are not modified but are reported as non-compliant in the Compliance view (you can run an on-demand evaluation with az policy state trigger-scan instead of waiting for the periodic scan); and attaching a third disk to a compliant VM later is also a VM update, so it is denied too.

Congratulations! You have successfully created and assigned a policy using both Azure Portal and Azure CLI.