Apply policies to Windows VMs with Azure Resource Manager
Applies to: ✔️ Windows VMs ✔️ Flexible scale sets
By using policies, an organization can enforce various conventions and rules throughout the enterprise. Enforcement of the desired behavior can help mitigate risk while contributing to the success of the organization. In this article, we describe how you can use Azure Resource Manager policies to define the desired behavior for your organization’s Virtual Machines.
For an introduction to policies, see What is Azure Policy?.
Permitted Virtual Machines
To ensure that virtual machines for your organization are compatible with an application, you can restrict the permitted operating systems. In the following policy example, you allow only Windows Server 2012 R2 Datacenter Virtual Machines to be created:
{
"if": {
"allOf": [
{
"field": "type",
"in": [
"Microsoft.Compute/virtualMachines",
"Microsoft.Compute/VirtualMachineScaleSets"
]
},
{
"not": {
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"in": [
"MicrosoftWindowsServer"
]
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"WindowsServer"
]
},
{
"field": "Microsoft.Compute/imageSku",
"in": [
"2012-R2-Datacenter"
]
},
{
"field": "Microsoft.Compute/imageVersion",
"in": [
"latest"
]
}
]
}
}
]
},
"then": {
"effect": "deny"
}
}
Use a wild card to modify the preceding policy to allow any Windows Server Datacenter image:
{
"field": "Microsoft.Compute/imageSku",
"like": "*Datacenter"
}
Use anyOf to modify the preceding policy to allow any Windows Server 2012 R2 Datacenter or higher image:
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSku",
"like": "2012-R2-Datacenter*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "2016-Datacenter*"
}
]
}
For information about policy fields, see Policy aliases.
Managed disks
To require the use of managed disks, use the following policy:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/osDisk.uri",
"exists": true
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/VirtualMachineScaleSets"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers",
"exists": true
},
{
"field": "Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl",
"exists": true
}
]
}
]
}
]
},
"then": {
"effect": "deny"
}
}
Images for Virtual Machines
For security reasons, you can require that only approved custom images are deployed in your environment. You can specify either the resource group that contains the approved images, or the specific approved images.
The following example requires images from an approved resource group:
{
"if": {
"allOf": [
{
"field": "type",
"in": [
"Microsoft.Compute/virtualMachines",
"Microsoft.Compute/VirtualMachineScaleSets"
]
},
{
"not": {
"field": "Microsoft.Compute/imageId",
"contains": "resourceGroups/CustomImage"
}
}
]
},
"then": {
"effect": "deny"
}
}
The following example specifies the approved image IDs:
{
"field": "Microsoft.Compute/imageId",
"in": ["{imageId1}","{imageId2}"]
}
Virtual Machine extensions
You may want to forbid usage of certain types of extensions. For example, an extension may not be compatible with certain custom virtual machine images. The following example shows how to block a specific extension. It uses publisher and type to determine which extension to block.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines/extensions"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Compute"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "{extension-type}"
}
]
},
"then": {
"effect": "deny"
}
}
Azure Hybrid Use Benefit
When you have an on-premises license, you can save the license fee on your virtual machines. When you don't have the license, you should forbid the option. The following policy forbids usage of Azure Hybrid Use Benefit (AHUB):
{
"if": {
"allOf": [
{
"field": "type",
"in":[ "Microsoft.Compute/virtualMachines","Microsoft.Compute/VirtualMachineScaleSets"]
},
{
"field": "Microsoft.Compute/licenseType",
"exists": true
}
]
},
"then": {
"effect": "deny"
}
}
Next steps
- After defining a policy rule (as shown in the preceding examples), you need to create the policy definition and assign it to a scope. The scope can be a subscription, resource group, or resource. To assign policies, see Use Azure portal to assign and manage resource policies, Use PowerShell to assign policies, or Use Azure CLI to assign policies.
- For an introduction to resource policies, see What is Azure Policy?.
- For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see Azure enterprise scaffold - prescriptive subscription governance.
Povratne informacije
Pošalјite i prikažite povratne informacije za