As organizations of all sizes adopt the cloud, they must control resource configuration to meet corporate policies and satisfy governance requirements.

Today, we are pleased to announce the general availability of Resource Policies, powered by Azure Resource Manager.

Resource Policies allow you to define policy documents which govern acceptable resource configurations across Azure services and geographies. Based on your feedback, we added several new capabilities to enhance the power of Resource Policies.

Control resource SKUs

Since AzureCon, Azure Resource Policies have supported many facets, including tags, resource names, service types, and locations. We have also heard enterprise IT wants to restrict virtual machine images and SKUs to ensure security and control costs.

In the following example, we will restrict virtual machine SKUs to Standard_A0 or Standard_A1.

{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": [ "Standard_A0", "Standard_A1" ]
        }
      }
    ]
  },
  "then": { "effect": "deny" }
}

You can control SKUs for many resource types; more information can be found here.

Control VM images

Similar to SKUs, you can also implement policies to control VM image usage. Images for Azure VMs are defined by Publisher, Offer, SKU and Version.

The example below shows how to control acceptable VM publishers, so users can only provision VMs from images published by Canonical:

{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/imagePublisher",
          "equals": "Canonical"
        }
      }
    ]
  },
  "then": { "effect": "deny" }
}

Enforce default tags or properties

You can also ensure certain tags or properties are added to Azure Resources during the provisioning process. For example, if a “costCenter” tag isn’t specified, this policy will append a tag with a predefined value.

{
  "if": {
    "field": "tags",
    "exists": "false"
  },
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "tags",
        "value": { "costCenter": "myDepartment" }
      }
    ]
  }
}
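To make the rule language of the three policies above concrete, here is a small evaluator, added as an example for this post and not Azure's own policy engine. It implements only the constructs those policies use ("allOf", "not", "field" with "equals", "in" and "exists", and the "deny" and "append" effects), applies each policy to constructed sample resources, and shows one check worth knowing before deploying the tag policy: its condition is "tags exists false", so it appends costCenter only to resources that carry no tags at all; a resource that already has some other tag but no costCenter passes through unchanged. The alias-to-property mapping and the resource shape used here are assumptions made for the demo.

```python
import json
from typing import Any

# Toy evaluator for the policy rule language in this post (added example,
# not Azure's policy engine). Supports "if" with "allOf" / "not", the field
# tests "equals" / "in" / "exists", and the effects "deny" and "append".

# Assumed alias-to-property mapping for this toy; real aliases resolve inside
# Azure Resource Manager, and the resource shape below is constructed for the demo.
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name":
        "properties.hardwareProfile.vmSize",
    "Microsoft.Compute/virtualMachines/imagePublisher":
        "properties.storageProfile.imageReference.publisher",
}

# The three policy documents from the post.
SKU_POLICY = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "in": ["Standard_A0", "Standard_A1"]}}]},
    "then": {"effect": "deny"}}
IMAGE_POLICY = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"not": {"field": "Microsoft.Compute/virtualMachines/imagePublisher",
             "equals": "Canonical"}}]},
    "then": {"effect": "deny"}}
TAG_POLICY = {"if": {"field": "tags", "exists": "false"},
              "then": {"effect": "append", "details": [
                  {"field": "tags", "value": {"costCenter": "myDepartment"}}]}}


def _lookup(resource: dict, field: str) -> tuple:
    """Return (found, value) for a field or alias, walking a dotted path."""
    node: Any = resource
    for part in ALIASES.get(field, field).split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _match(cond: dict, resource: dict) -> bool:
    """Evaluate one condition; string comparisons are case-insensitive."""
    if "allOf" in cond:
        return all(_match(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not _match(cond["not"], resource)
    found, value = _lookup(resource, cond["field"])
    if "exists" in cond:
        return found == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return found and str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return found and str(value).lower() in [str(v).lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict) -> tuple:
    """Apply a policy. Returns (outcome, resource): outcome is 'allow',
    'deny' or 'append'; for 'append' the resource is a patched copy."""
    if not _match(policy["if"], resource):
        return "allow", resource
    effect = policy["then"]["effect"]
    if effect == "deny":
        return "deny", resource
    if effect == "append":
        patched = json.loads(json.dumps(resource))  # deep copy
        for detail in policy["then"]["details"]:
            current = patched.get(detail["field"])
            if isinstance(current, dict) and isinstance(detail["value"], dict):
                patched[detail["field"]] = {**detail["value"], **current}
            else:
                patched[detail["field"]] = detail["value"]
        return "append", patched
    raise ValueError(f"unsupported effect: {effect}")


def make_vm(vm_size: str, publisher: str, tags: dict = None) -> dict:
    """Constructed sample VM in the assumed ARM-like shape (demo data)."""
    vm = {"type": "Microsoft.Compute/virtualMachines",
          "properties": {"hardwareProfile": {"vmSize": vm_size},
                         "storageProfile": {"imageReference": {"publisher": publisher}}}}
    if tags is not None:
        vm["tags"] = tags
    return vm


if __name__ == "__main__":
    samples = [("Standard_A0", "Canonical", None),
               ("Standard_D2", "Canonical", {"env": "prod"}),
               ("Standard_A1", "MicrosoftWindowsServer", None)]
    for vm_size, publisher, tags in samples:
        vm = make_vm(vm_size, publisher, tags)
        for name, policy in (("sku", SKU_POLICY), ("image", IMAGE_POLICY), ("tags", TAG_POLICY)):
            outcome, result = evaluate(policy, vm)
            print(f"{name:5} {vm_size:12} {publisher:22} {tags} -> {outcome} tags={result.get('tags')}")
```

Running the script shows the D2 VM denied by the SKU policy, the Windows image denied by the publisher policy, and the costCenter tag appended only to the VMs that start with no tags; the VM tagged env=prod is left without a costCenter, which is why a "missing costCenter" requirement is better expressed as a condition on that specific tag rather than on the tags field as a whole.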

Alert on policy evaluation events

You can also define alert rules triggered by policy violations. Alerts can trigger email notifications or call a webhook. The PowerShell below defines an alert rule which is triggered when a policy denies user actions.

$action = New-AzureRmAlertRuleWebhook -ServiceUri "your web hook url"

Add-AzureRmLogAlertRule -Name <alertrulename> `
    -Location <location> `
    -ResourceGroup <resourcegroupName> `
    -OperationName Microsoft.Authorization/policies/deny/action `
    -TargetResourceGroup <resourcegrouptomonitor> `
    -Actions $action

To learn more about alert rules for policy violations, check out Ryan’s session from //Build.