Enforcing resources to have the same location as the containing resource group via Azure Policy

@20aman    Jun 12, 2021

In the previous post, we saw how to restrict the locations of resources and resource groups. You can view that post here: Enforcing location restrictions in your environment via Azure Policy. In this post, we will look at how to force resources to use the same location as their containing resource group. For example, if a resource group is in the US East location, then all the resources within that resource group can be required to be in US East as well.

Implementing restrictions via Azure Policy

When implementing this restriction, we need to account for the fact that a resource group is always in a geographical location, while resources can also have a special location called "global". So the restriction has two parts:

  • The location field should be equal to the resource group's location. You can compare by using the function: resourceGroup().location
  • The location field can be equal to "global"

Policy sample:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "location",
          "notEquals": "[resourceGroup().location]"
        },
        {
          "field": "location",
          "notEquals": "global"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

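Note that the conditions are written as negatives because the effect is deny: the rule matches, and the resource creation/update operation is denied, only when the resource's location is neither the resource group's location nor "global".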
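To check the rule's logic before assigning it, here is a small local dry run, added as an example and not part of the original post or of Azure's tooling. It evaluates only the allOf/notEquals subset this policy uses; the helper names, the "allow" label, the location normalisation and the sample resources are all assumptions made for illustration.

```python
import json

# The policy from this post, embedded so the check runs offline.
POLICY = json.loads("""
{"mode": "Indexed",
 "policyRule": {
   "if": {"allOf": [
     {"field": "location", "notEquals": "[resourceGroup().location]"},
     {"field": "location", "notEquals": "global"}]},
   "then": {"effect": "deny"}}}
""")

def norm(location):
    # Assumption: treat "East US" and "eastus" as the same location,
    # approximating how Azure normalises the location field.
    return location.replace(" ", "").lower()

def resolve(value, rg_location):
    # Only the one template expression this policy uses is supported.
    return rg_location if value == "[resourceGroup().location]" else value

def matches(cond, resource, rg_location):
    """Evaluate the subset of the policy language used above."""
    if "allOf" in cond:
        return all(matches(c, resource, rg_location) for c in cond["allOf"])
    if "notEquals" in cond:
        actual = resource[cond["field"]]
        expected = resolve(cond["notEquals"], rg_location)
        return norm(actual) != norm(expected)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, rg_location, policy=POLICY):
    """Return the policy effect if the rule matches, otherwise 'allow'."""
    rule = policy["policyRule"]
    if matches(rule["if"], resource, rg_location):
        return rule["then"]["effect"]
    return "allow"  # hypothetical label for "rule did not match"

# Constructed samples for a resource group in eastus. Indexed mode only
# evaluates resource types that support location, so each one has it.
SAMPLES = [
    {"name": "vm-app-01", "location": "eastus"},
    {"name": "dns-zone", "location": "global"},
    {"name": "stor-logs", "location": "westeurope"},
    {"name": "vnet-hub", "location": "East US"},
]

if __name__ == "__main__":
    for res in SAMPLES:
        print(f"{res['name']:<10} {res['location']:<11} -> {evaluate(res, 'eastus')}")
```

Only the westeurope resource is denied; the matching and "global" resources fall through both notEquals conditions and are left alone.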

Complete Policy Samples on GitHub

You can find the complete policy samples on GitHub in my policy samples repository: AzurePolicySamples - Location Restrictions.




