Deploying Azure Resource Policies 2: Limit Azure Regions

This blogpost is the second blogpost of applying governance in Azure.

Many organizations that are moving to Azure would like to enforce data sovereignty and ensure that no resources can be deployed outside of the country. One of my customers needed to make sure that no Azure resources would be deployed outside of Australia. This can easily be achieved with Azure Resource Policies.

Just like in the first blogpost we need to create our Policy and then assign it.

First of all, we need to know the exact names of the Azure regions we want to allow. This can be achieved by running the following PowerShell cmdlet:

 

login-azurermaccount
Get-AzureRmLocation | Select Location, DisplayName

 

Create Azure Resource Policy:

The next step is to create a JSON Resource Policy that will deny the deployment of Azure Resources if it’s not deployed in Australia:

 

Assign Azure Resource Policy:

We will reuse our PowerShell deployment script from the first blogpost to assign the policy on the subscription level.

That’s it, mission accomplished!

Conclusion

After running the script and assigning the location policy you should see the following policy assigned to our subscription:

 

To test our new Azure Resource Policy lets deploy something in Canada.

As you can see the deployment is being blocked by our Policy!

In the next blog post we will use the same PowerShell script but create and assign a policy to enforce a naming convention. So stay tuned!