December 31, 2019

In the previous post, Getting started with Azure Arc for Servers, we introduced Azure Arc and Azure Arc for Servers and connected an on-premises machine to Azure Arc. In this post, we are going to apply a policy to that on-premises machine from the Azure portal, using Azure Arc. First, let's start with a little background information about Azure Policy.


Azure Policy

With the Azure Policy service, you can create policies that enforce rules and effects over your resources. By applying policies to your resources, they stay compliant with your corporate standards and service level agreements, and Azure Policy assesses the resources for non-compliance. You can use the built-in policies that Azure already provides, or you can create your own. The assessment is built from the following pieces:

  • Policy definition: First, you create a policy definition. It consists of the conditions under which it is enforced and the effect that takes place. Azure Policy has a variety of built-in policies that you can use, such as an Allowed Locations policy, an Allowed Virtual Machine SKUs policy, and more. For an overview of all the built-in policies, refer to the following GitHub repo: https://github.com/Azure/azure-policy. You can also create your own policy definitions, written in JSON, in the Azure portal or by using PowerShell or the REST API.
  • Policy parameters: You can use parameters in your policy definition to reduce the number of policy definitions you must create. Parameters make a policy more generic, because their values are supplied during assignment, so the same policy can be reused in different scenarios. For example, you can create a location parameter that is filled in during assignment.
  • Policy assignment: Once the policy definition is in place, either by selecting a built-in policy or by creating a custom one, it needs to be assigned to a specific scope, which can be a Management Group or a Resource Group. All the resources in that scope automatically inherit the policy assignment.

After this very brief introduction to Azure Policy, let's assign a policy to our on-premises machine from Azure Arc.


Creating a custom policy in Azure

The first step is to create a custom policy. The on-premises VM is running Windows Server 2016. Let's create a policy that only allows Windows Server machines in the Resource Group that is used for the on-premises machines connected with Azure Arc. To do so, we take the following steps:

  • Navigate to the Azure portal: https://portal.azure.com/.
  • In the top search box, type Policy and select it.
  • In the left menu, click Definitions, and then in the top menu click + Policy Definition.
  • First, we need to specify a location to store the policy definition. Here, you select the subscription where the definition needs to be added.
  • Then give the Policy a name, such as Only Windows Server Allowed.
  • Create a new Category, named Azure Arc machines.
  • Then we need to add the JSON for the policy. Copy the code below into the Policy Rule field. It contains the policy rule (deny any VM or scale set whose image publisher is not in the allowed list) together with the definition of the listOfAllowedimagePublishers parameter that the rule references:
     {
        "policyRule": {
           "if": {
              "allOf": [
                 {
                    "field": "type",
                    "in": [
                       "Microsoft.Compute/virtualMachines",
                       "Microsoft.Compute/VirtualMachineScaleSets"
                    ]
                 },
                 {
                    "not": {
                       "field": "Microsoft.Compute/imagePublisher",
                       "in": "[parameters('listOfAllowedimagePublishers')]"
                    }
                 }
              ]
           },
           "then": {
              "effect": "deny"
           }
        },
        "parameters": {
           "listOfAllowedimagePublishers": {
              "type": "Array",
              "metadata": {
                 "description": "The list of publishers to audit against. Example: 'MicrosoftWindowsServer'",
                 "displayName": "Allowed image publishers"
              }
           }
        }
     }
  • The created policy will now look like the following image:
  • Click Save.


Now that we have created a policy definition, we can assign it in Azure Arc.


Assigning policies in Azure Arc for Servers

To apply a policy to our on-premises machine in Azure Arc, take the following steps:

  • Navigate to the Azure portal and type Azure Arc in the search box. Or you can launch https://aka.ms/hybridmachineportal.
  • Click on the on-premises machine that we added in the previous blog post, Getting started with Azure Arc for Servers.
  • In the overview blade of the VM, click Policies in the left menu. Then, in the top menu, click Assign policy.
  • In the Assign policy blade, keep the default selected scope. This is the resource group to which the on-premises machine is connected.
  • Click on Policy definition and select Only Windows Server Allowed from the list.
  • The assignment will now look like the following image:
  • Click on the Parameters tab and fill in MicrosoftWindowsServer.
  • Click Review + create and then Create.
  • The policy will now be added to the list and it will take some time before the assessment starts. You can click on the policy name to go to the assignment details:
  • When the assessment is finished, you will see that the machine is compliant, because it has Windows Server installed on it. This will look like the following image:


We have now successfully applied a policy to an on-premises machine.
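To make the rule from the custom policy and the parameter value from the assignment concrete, here is an added example (not code from the post or from Azure) that re-implements, in Python, the small subset of Azure Policy condition logic the rule uses (allOf, not, field/in, parameter references) and evaluates it against constructed sample resources. The sample resources, the parameter value and the in_scope helper are assumptions for this example; the third sample uses the Microsoft.HybridCompute/machines type under which Arc-enabled servers are registered, to show that the rule's type filter only lists Compute resource types.

```python
# The post's policy (policyRule plus its parameter), as Python data; constructed for this example.
POLICY = {
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "in": ["Microsoft.Compute/virtualMachines",
                                     "Microsoft.Compute/VirtualMachineScaleSets"]},
            {"not": {"field": "Microsoft.Compute/imagePublisher",
                     "in": "[parameters('listOfAllowedimagePublishers')]"}}]},
        "then": {"effect": "deny"}},
    "parameters": {"listOfAllowedimagePublishers": {"type": "Array"}},
}
PARAMS = {"listOfAllowedimagePublishers": ["MicrosoftWindowsServer"]}  # value from the Parameters tab

def resolve(value, params):
    """Expand a "[parameters('name')]" reference; any other value passes through unchanged."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def evaluate_condition(cond, resource, params):
    """Evaluate the operators the rule uses (allOf, not, field/in); Azure Policy compares case-insensitively."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "in" in cond:
        allowed = [str(v).lower() for v in resolve(cond["in"], params)]
        return actual is not None and str(actual).lower() in allowed
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Return the rule's effect ('deny') when its 'if' block matches the resource, else 'allow'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource, params) else "allow"

def in_scope(policy, resource, params):
    """True when the rule's 'field: type' conditions cover this resource type at all (example helper)."""
    conds = policy["policyRule"]["if"]["allOf"]
    return all(evaluate_condition(c, resource, params) for c in conds if c.get("field") == "type")

# Constructed sample resources, trimmed to the fields the rule reads.
WINDOWS_VM = {"type": "Microsoft.Compute/virtualMachines", "Microsoft.Compute/imagePublisher": "MicrosoftWindowsServer"}
UBUNTU_VM = {"type": "Microsoft.Compute/virtualMachines", "Microsoft.Compute/imagePublisher": "Canonical"}
ARC_SERVER = {"type": "Microsoft.HybridCompute/machines"}  # an Arc-enabled server is a different resource type

if __name__ == "__main__":
    for name, res in [("Windows VM", WINDOWS_VM), ("Ubuntu VM", UBUNTU_VM), ("Arc server", ARC_SERVER)]:
        print(f"{name}: {evaluate(POLICY, res, PARAMS)} (in scope: {in_scope(POLICY, res, PARAMS)})")
```

A resource whose type is not matched by the rule never reaches the deny effect, so when checking an assignment it is worth confirming that the type filter actually covers the resource type you intend to govern.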


Summary

In this post, we created a custom policy and assigned it to an on-premises machine that is connected to Azure Arc. We connected this machine in the previous post of this series: Getting started with Azure Arc for Servers.

Assigning policies to machines in Azure Arc works perfectly and has the exact same experience as assigning them to Azure VMs. Although, I get the feeling that it takes a little bit more time to assess the machines connected to Azure Arc than assessing VMs that are actually hosted in Azure. Which is quite logical in my opinion…


-Sjoukje
