Enforcing location restrictions in your environment via Azure Policy

@20aman    Jun 04, 2021

You usually want to deploy resources only in a limited set of Microsoft Azure locations that make sense to your business. This decision is typically based on criteria such as:

  • The primary location within Azure that is closest to you
  • Optional: the location that offers the best ExpressRoute cost, close to you and available from your preferred connectivity provider
  • The secondary location, usually the paired region of the primary location
  • Additional locations based on your extended offices or other geographical branches

Once you have defined the regions where your resources will be deployed, lock this down with Azure Policy so that nobody deploys resources to any other region, even by accident. Assign the policy at the management group or subscription scope so that every resource group and resource below it inherits the restriction. This helps with governance and supportability in the long run. Let's look at how to apply this next. For this post, assume that the selected locations are East US and West US, i.e. resources can only be deployed within these two regions.

Location restrictions at the Resource Group level

At the resource group level you want the following two conditions, and deny the operation when both are true:

  1. The type of the resource is "Microsoft.Resources/subscriptions/resourceGroups"
  2. The "location" field is not in the allowed list of locations.

The "allOf" operator wrapping these conditions ensures that all of them must be true at the same time (a logical AND); if either one fails, the request is not denied. Note the mode "All": that mode evaluates resource groups and subscriptions as well as regular resources, whereas "Indexed" only evaluates resource types that support tags and location.

Policy sample:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "location",
          "notIn": [
            "eastus",
            "westus"
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Location restrictions at the Resource level

One caveat: some resources are not deployed in a specific geographic region at all. Instead they use a special location named "global" (Azure DNS zones, Traffic Manager profiles and Front Door are common examples). We therefore add "global" to the list of allowed locations when defining the policy, otherwise such deployments would be denied.

We also don't specify a type, so this policy applies to every resource type. The condition uses "not" around an "in" list, which is equivalent to "notIn". Mode "Indexed" is used here because it only evaluates resource types that support tags and location, so resources that have no location property at all (such as role assignments or policy assignments) are not evaluated and therefore not denied.

Policy sample:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "not": {
        "field": "location",
        "in": [
          "eastus",
          "westus",
          "global"
        ]
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
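To check what the two samples above actually deny before assigning them, here is a small Python evaluator. It is an added example for this post, not part of the original and not the Azure Policy engine: it re-implements only the constructs the two samples use ("allOf", "not", and "field" with "equals", "in" and "notIn") and approximates the "All" versus "Indexed" mode difference by whether the request payload carries a location. The request payloads and the case-insensitive string comparison are constructed assumptions, not captured Azure traffic.

```python
"""Offline check of the two location policies from this post.

Added example, not the Azure Policy engine: it re-implements only the
policy-language pieces the two samples use (allOf, not, field with
equals/in/notIn) plus a simplified view of the "All" vs "Indexed" modes,
so the deny decisions can be tested locally against constructed payloads.
"""

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
ALLOWED = ["eastus", "westus"]

# The two definitions from the post, loaded as Python dicts.
RESOURCE_GROUP_POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": RG_TYPE},
                {"field": "location", "notIn": ALLOWED},
            ]
        },
        "then": {"effect": "deny"},
    },
    "parameters": {},
}

RESOURCE_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"not": {"field": "location", "in": ALLOWED + ["global"]}},
        "then": {"effect": "deny"},
    },
    "parameters": {},
}


def _norm(value):
    """Assumption of this toy: string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def matches(condition, resource):
    """Return True when a policy 'if' condition matches the request payload."""
    if "allOf" in condition:  # logical AND over the sub-conditions
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:  # logical OR
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = _norm(resource.get(condition["field"]))
    if "equals" in condition:
        return value == _norm(condition["equals"])
    if "notEquals" in condition:
        return value != _norm(condition["notEquals"])
    if "in" in condition:
        return value in {_norm(v) for v in condition["in"]}
    if "notIn" in condition:
        return value not in {_norm(v) for v in condition["notIn"]}
    raise ValueError(f"unsupported condition: {condition!r}")


def evaluate(policy, resource):
    """Return 'deny' or 'allow' for one request payload.

    Simplified mode handling (an approximation, not the real engine): an
    "Indexed" policy skips payloads with no 'location' property, mirroring
    Azure evaluating only types that support tags and location; an "All"
    policy evaluates everything, including resource groups.
    """
    if policy["mode"].lower() == "indexed" and "location" not in resource:
        return "allow"
    if matches(policy["policyRule"]["if"], resource):
        return policy["policyRule"]["then"]["effect"]
    return "allow"


# Constructed sample requests: (label, policy to evaluate, request payload).
SAMPLE_REQUESTS = [
    ("rg in eastus", RESOURCE_GROUP_POLICY,
     {"type": RG_TYPE, "location": "eastus"}),
    ("rg in EastUS (case)", RESOURCE_GROUP_POLICY,
     {"type": RG_TYPE, "location": "EastUS"}),
    ("rg in northeurope", RESOURCE_GROUP_POLICY,
     {"type": RG_TYPE, "location": "northeurope"}),
    ("storage in northeurope, RG policy", RESOURCE_GROUP_POLICY,
     {"type": "Microsoft.Storage/storageAccounts", "location": "northeurope"}),
    ("storage in westus", RESOURCE_POLICY,
     {"type": "Microsoft.Storage/storageAccounts", "location": "westus"}),
    ("storage in northeurope", RESOURCE_POLICY,
     {"type": "Microsoft.Storage/storageAccounts", "location": "northeurope"}),
    ("traffic manager in global", RESOURCE_POLICY,
     {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global"}),
    ("role assignment, no location", RESOURCE_POLICY,
     {"type": "Microsoft.Authorization/roleAssignments"}),
]


def run_samples():
    """Evaluate every sample request; returns {label: effect}."""
    return {label: evaluate(policy, body) for label, policy, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, effect in run_samples().items():
        print(f"{effect:5}  {label}")
```

The fourth sample is the instructive one: a storage account in North Europe passes the resource group policy untouched because the "allOf" requires the type to be a resource group, which is exactly why the second, type-less policy is needed alongside it. The last sample shows the other direction: a role assignment has no location, so the "Indexed" policy never evaluates it and it is not blocked.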

Additional considerations

Sometimes you also want to restrict resources to the location of the resource group they are deployed in. We will look at this in the next blog post.

Complete Policy Samples on GitHub

You can find the complete policy samples on GitHub in my policy samples repository: AzurePolicySamples - Location Restrictions.
