How To Create Your Own Azure Custom Policy

Introduction

 
Before creating an Azure custom policy, some background on where policies fit. Azure Policy is an integral part of Azure governance, so the first question is what governance means here. Governance in Azure works the same way as governance anywhere else: an organization defines the rules its environment must follow and enforces them so that it stays compliant. GDPR is a familiar example of governance imposed from outside: it is a set of personal data protection rules, and any organization that handles personal data must comply with it.
 
That is enough on governance in general; back to Azure policies. These are rules that an organization assigns at subscription or management group scope (a single resource group is also a valid scope) in order to secure the environment: through Azure Policy we control how resources are provisioned in Azure. A resource with an undesired configuration can be denied by the policy, a missing resource or setting can be audited, or the correct configuration can be deployed automatically. Typical use cases for Azure Policy include resource consistency, regulatory compliance, security, cost control and management.
 
For example, suppose an organization XYZ operates only in Asia Pacific and does not want resources created in US regions. An Azure policy with a deny effect on the resource location enforces exactly that.
 

Types of policies

 
There are two types of policy definitions in Azure:
  1. Built-in
    These definitions are provided and maintained by Microsoft. They can be assigned as they are, but the definition itself cannot be edited (you can duplicate one as the starting point for a custom definition).

  2. Custom
    These definitions are written by us to fit our own requirements. This article explains how to create one.

Type of Effects

 
As the name suggests, a policy is a rule with an effect that applies whenever the rule matches. An Azure policy definition is built the same way: a policy rule (the "if" block) that describes which resources it matches, and an effect (the "then" block) that is applied to those resources once the definition is assigned.
 
Azure Policy also has Append, Modify and Disabled effects, but the ones most commonly used in a custom policy are the following.
 
Deny
 
Blocks the resource create or update request when the policy rule matches. Resources that already exist and match the rule are not changed; they are only marked non-compliant.

Audit
 
The request is allowed, but a warning event is written to the activity log and the resource is marked non-compliant in the compliance view. Nothing is blocked and no alert is raised on its own; you have to look at (or monitor) the compliance data.

AuditIfNotExists
 
Evaluated after the "if" block matches: it checks whether a related resource described by the existence condition is present (for example a diagnostic setting on a storage account). If it exists, the resource is compliant; if not, the resource is marked non-compliant. The request is never blocked.

DeployIfNotExists
 
Same existence check as AuditIfNotExists, but when the related resource is missing the effect runs an ARM template deployment that creates the missing configuration or sub-resource. Two practical caveats: the deployment runs under the managed identity of the policy assignment, so that identity needs the right role assignments, and resources that were already non-compliant before the assignment are only fixed when a remediation task is run.
 
Effects Categorization
  • Detection effects - Audit, AuditIfNotExists
  • Prevention effects - Deny
  • Remediation effects - DeployIfNotExists
Putting a policy into effect takes two steps:
  1. Create the policy definition.
  2. Assign the definition to a scope (management group, subscription or resource group).
Let's see how a custom policy is created in the Azure portal.
 
Steps
  1. Go to the portal, type "Policy" in the search bar at the top and click the Policy service in the results.

  2. Click on "Definitions" in the left menu.
  3. Click on "+ Policy definition".

  4. Choose the "Definition location" (the subscription or management group that stores the definition; it can later be assigned only at or below that scope), then enter the definition name, a description and the policy rule, and click "Save". The rule used in this article is shown below: it matches resource groups (the "type" condition) on which the tag named by the tagName parameter does not exist, and denies the request. Because the rule targets resource groups, the mode must be "All"; "Indexed" mode only evaluates resource types that support tags and location.
    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "exists": "false"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Name",
            "description": "Name of the tag, such as 'environment'"
          }
        }
      }
    }
  • After saving, go to the "Definitions" section again and filter the list by selecting "Custom" from the Type dropdown.

  • All your custom definitions are listed here.

  • Click on the definition you created; this opens the definition page. Here you can review, edit or delete the definition, and if everything looks fine, go ahead with the assignment.

  • Click "Assign" and you land on the assignment screen. The defaults are filled in from the definition; if you have multiple subscriptions and want to assign this policy to a different one than the selected scope, change the scope using the launcher button next to the scope field. If everything looks fine, click Next.

  • Since our policy takes a parameter, enter the tag name (for example environment) that every new resource group will be required to carry, then click Next.

  • Remediation does not apply to a deny policy (remediation tasks and the managed identity are only needed for deployIfNotExists and modify effects), so keep the defaults and click Next.
  • Here you can provide a user-friendly non-compliance message; it is optional, but it is what users see in the error when their request is denied, so a short explanation of the required tag saves support questions. Click Next.

  • Click on "Create".

  • The assignment is created immediately, but it takes around 30 minutes for a new assignment to be applied to incoming requests, so we will verify our custom policy after 30 minutes.

  • Go to the "Assignments" section to see the new assignment in the list of assigned policies.

  • After waiting roughly 30 minutes, let's verify the policy effect by creating a resource group.

  • Enter the name of the resource group and click Next.

  • Do not enter anything under the "Tags" tab; click Next.

  • Validation passes, because the portal's validation step does not evaluate policy, but as soon as we click "Create" the deployment fails: Azure Resource Manager rejects the request with a RequestDisallowedByPolicy error that identifies the policy definition and assignment.

  • Now go back to the "Tags" tab and enter a tag whose name matches the assignment parameter (environment) together with a value, then click Next. This time the resource group will be created.

  • Click on "Create". The deployment succeeds.

  • Go to Resource groups to confirm: the new resource group "mytagspolicy_rg" exists and the required tag has been applied.
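To reason about the deny effect without waiting for an assignment to propagate, the following added example (not part of the original article, and not Azure's own evaluation engine) implements just enough of the policy-rule grammar used by the definition above (allOf/anyOf/not, field with equals or exists, and the concat()/parameters() template expression) to dry-run the rule against sample requests. The resource payloads and the assignment parameter value "environment" are constructed test data, and the mapping of a deny to the RequestDisallowedByPolicy error mirrors what Resource Manager returns in the portal test above.

```python
"""Local dry-run of the tag-enforcement policy rule from the article.

Added example: a minimal evaluator for the subset of Azure Policy syntax the
definition uses. It is not Azure's engine; it exists to show which requests the
"deny" effect matches and how the parameterised tag field is resolved.
"""
import json
import re

# The definition from the article, embedded verbatim (parameter left unresolved).
POLICY_DEFINITION = json.loads("""
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
        { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" }
      ]
    },
    "then": { "effect": "deny" }
  },
  "parameters": {
    "tagName": { "type": "String", "metadata": { "displayName": "Tag Name" } }
  }
}
""")

_CONCAT_RE = re.compile(r"^\[concat\((.*)\)\]$")
_PARAM_RE = re.compile(r"^parameters\('([^']+)'\)$")


def resolve_field(field, params):
    """Resolve the template expressions used in the rule's "field" values:
    either a plain alias such as "type", or "[concat('lit', parameters('p'), ...)]"."""
    m = _CONCAT_RE.match(field)
    if not m:
        return field
    parts = []
    for arg in (a.strip() for a in m.group(1).split(",")):
        pm = _PARAM_RE.match(arg)
        if pm:
            parts.append(str(params[pm.group(1)]))   # substitute assignment parameter
        elif arg.startswith("'") and arg.endswith("'"):
            parts.append(arg[1:-1])                  # string literal
        else:
            raise ValueError(f"unsupported expression argument: {arg}")
    return "".join(parts)


def field_value(resource, field):
    """Look up a field the way policy aliases do: "tags[key]" reads the tags map,
    anything else is a top-level property. Returns (exists, value)."""
    tm = re.match(r"^tags\[(.+)\]$", field)
    if tm:
        tags = resource.get("tags") or {}
        return (tm.group(1) in tags, tags.get(tm.group(1)))
    return (field in resource, resource.get(field))


def condition_matches(cond, resource, params):
    """Evaluate one condition or an allOf/anyOf/not group."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    exists, value = field_value(resource, resolve_field(cond["field"], params))
    if "exists" in cond:
        # The article writes the boolean as a string ("false"); accept a JSON bool too.
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        # Azure Policy string comparisons are case-insensitive.
        return exists and str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, params, resource):
    """Return the effect that applies to the request ("deny"), or None when the
    "if" block does not match and the policy is simply not applicable."""
    rule = definition["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return None


# Constructed sample requests; the assignment parameter value is an assumption.
ASSIGNMENT_PARAMS = {"tagName": "environment"}
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
UNTAGGED_RG = {"type": RG_TYPE, "name": "mytagspolicy_rg", "location": "eastasia"}
TAGGED_RG = {"type": RG_TYPE, "name": "mytagspolicy_rg", "location": "eastasia",
             "tags": {"environment": "dev"}}
STORAGE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "sa1",
                   "location": "eastasia"}  # not a resource group: rule does not apply


def decide(resource, params=ASSIGNMENT_PARAMS):
    """Mimic the request outcome: portal validation does not run policy, the deny
    surfaces from Resource Manager as a RequestDisallowedByPolicy error."""
    if evaluate(POLICY_DEFINITION, params, resource) == "deny":
        return "RequestDisallowedByPolicy"
    return "Created"


if __name__ == "__main__":
    for label, res in [("untagged RG", UNTAGGED_RG), ("tagged RG", TAGGED_RG),
                       ("storage account", STORAGE_ACCOUNT)]:
        print(f"{label:16s} -> {decide(res)}")
```

Changing the assignment parameter (for example to costCenter) makes the previously "tagged" resource group fail again, which is the point of parameterising the tag name: one definition serves every tag an organization wants to mandate, with the choice made per assignment.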

Conclusion

 
We have created a custom Azure policy with the deny effect and validated it in action. Custom policies are straightforward to write and protect the environment against resources being created with undesired configuration. They pay off most in large organizations with many subscriptions: assign the definition once at management group level and it is enforced on every subscription below it.