Azure Policy — allowed locations

Michal Molka
Jul 19, 2024

When you manage a cloud environment, you want to maintain compliance and enforce organizational standards. You can do that manually or use Azure Policy. Today I'll show you how to create a policy and how it behaves. Without further ado, let's go to the Azure portal and create one.

Go to the Policy menu and select Definitions.

There is a wide range of policies, e.g.:

  • Subnets should be associated with a Network Security Group,
  • Container registries should not allow unrestricted network access,
  • Event Hub namespaces should use private link,
  • … and a lot more.

In this case we create an Allowed locations policy. This policy checks whether a resource has been created, or is being created, in one of the defined locations, e.g. West Europe, Central US, etc.

The next screen shows the policy's JSON definition. Hit Assign policy.

Define a scope for the policy: a subscription and a resource group.

Our policy restricts locations to West Europe. You can set this at the Parameters step.

Go to the Review + create step and create the policy.

After the policy is created, you can go back to the main Policy menu and look at the dashboard.

As you can see, under the policy we created there are 20 compliant resources and 1 non-compliant resource. Let's go to the details.

As expected, the non-compliant resource was created in a different location: North Europe in this case.
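A simplified model of how the Allowed locations rule is evaluated, as an added example that is not from the original post. The rule shape is assumed from the built-in definition (compare it with the JSON the portal shows), and the resource names are constructed.

```python
# Simplified model of the "Allowed locations" policy rule (added example).
# Rule shape assumed from the built-in definition; compare it with the JSON
# the portal shows for your tenant.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
        {"field": "type",
         "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]},
    "then": {"effect": "deny"},
}

def _resolve(value, params):
    """Expand the one template expression this rule uses."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def _matches(cond, resource, params):
    """Evaluate allOf / notIn / notEquals; string compares ignore case."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    if "notIn" in cond:
        allowed = [v.lower() for v in _resolve(cond["notIn"], params)]
        return actual not in allowed
    if "notEquals" in cond:
        return actual != str(_resolve(cond["notEquals"], params)).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, params):
    """Return the effect if the rule matches, else 'compliant'."""
    if _matches(POLICY_RULE["if"], resource, params):
        return POLICY_RULE["then"]["effect"]
    return "compliant"

PARAMS = {"listOfAllowedLocations": ["westeurope"]}
# Constructed sample resources, not taken from the article's subscription.
SAMPLES = [
    {"name": "st-weu", "type": "Microsoft.Storage/storageAccounts", "location": "WestEurope"},
    {"name": "st-neu", "type": "Microsoft.Storage/storageAccounts", "location": "northeurope"},
    {"name": "dns-zone", "type": "Microsoft.Network/dnsZones", "location": "global"},
]

def report():
    return {r["name"]: evaluate(r, PARAMS) for r in SAMPLES}
```

For resources that already exist, a match shows up as non-compliant on the dashboard; for a new request, the same match blocks the deployment. Resources whose location is `global` pass regardless of the allowed list.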

Now let's check what happens when we try to create a resource in a location other than West Europe.

No surprises. We aren't able to create a resource in another location.

Let's try to "hack the system" and create the resource from the Azure CLI instead.

az storage account create -n north0europe0storage-02 -g ******sd*-mm -l westus --sku Standard_LRS

The CLI greets us with a big red message that we violated the policy.

This example showed a policy with the deny effect. Azure Policy has a much richer set of effects, such as:

  • modify,
  • append,
  • deployIfNotExists,
  • auditIfNotExists,
  • etc.

You can check them out here: Azure Policy definitions effect basics — Azure Policy | Microsoft Learn

And here is a post about Azure Blueprints, where you can use policies: Azure Blueprint
