In medium to large deployments, you may want to create resource groups for specific kinds of resources. For example, you can create one resource group for network resources and another for virtual machines. This way of organizing resources is especially useful for Role-Based Access Control (RBAC): you can create a security group for network administrators and assign it a contributor role on the network resource group only.

In addition, you can enforce which resource types can be deployed in a resource group thanks to Azure Policy. In the example in this post, a policy ensures that only specific network resource types can be deployed in the network resource group. This allows you to manage the compliance of the deployments in your tenant.

In this topic, I’ll show you how to use Azure Policy to allow only certain resource types in a resource group.

Give network contributor permission to a group

For the purpose of this topic, I have created a security group called Network Administrators. Inside this group, I have a user called netadmins. Now that this group is created, I’ll assign it the Network Contributor role on the network resource group. To do that, navigate to the resource group used for network resources and select Access Control (IAM). Then navigate to Role assignments and select Add.

Microsoft Azure - Access Control (IAM)

Select Network Contributor role and select the group you want:

Microsoft Azure - Network Contributor

Assign Azure Policy

To manage Azure Policy, open Azure Portal and search for Policy. Then navigate to Definitions and search for Allowed resource. Select Allowed resource types.

Azure Portal - Policy - Allowed Resources

In the policy, click on Assign:

Azure Portal - Policy - Allowed Resource Types - Assign

In Scope, select the right subscription and the right resource group and then click on next:

Azure Portal - Policy - Allowed Resource Types - Scope

In Parameters, select the allowed resource types under Microsoft.Network (if you want to allow only network resources):

Azure Portal - Policy - Allowed Resource Types - Parameters

A deny policy takes effect only on new deployments. That means that if, for example, VMs already exist inside the resource group we are configuring, they will not be removed (they are only reported as non-compliant). However, you won’t be able to create anything other than network resources from now on. Remediation can help you solve the issues that may arise for existing resources. For this example, I have created a new resource group, so I don’t have to configure remediation:

Azure Portal - Policy - Allowed Resource Types - Remediation

Next, you can add a message to help people understand why a resource is not compliant:

Azure Portal - Policy - Allowed Resource Types - Non-Compliance Messages

To finish the configuration, you can click on create to assign the policy:

Azure Portal - Policy - Allowed Resource Types - Review and Create

Now, in assignments, you should get the following information:

Azure Portal - Policy - Allowed Resource Types - Assignments


Test 1: Creation of a VM in the resource group with a tenant owner

To test the policy, I use my tenant owner user to try to create a VM in my network resource group:

Microsoft Azure - Creation of a VM in the resource group with a tenant owner

As you can see, all the network resources have been created. However, the creation of the VM itself is forbidden:

Microsoft Azure - Creation of a VM is forbidden
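To see why the VM wizard in Test 1 creates the network resources but is refused for the VM, here is an added example (not from the original post and not Azure’s own engine) that re-evaluates the built-in “Allowed resource types” rule locally. The rule shape follows the built-in definition; the subscription ID, resource group name, allowed list, non-compliance message and resource names are constructed for the example.

```python
# Added example: local re-evaluation of the "Allowed resource types" rule
# over the resources a "Create a virtual machine" deployment submits.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network"

POLICY_RULE = {  # shape of the built-in definition's policyRule
    "if": {"not": {"field": "type",
                   "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}
ASSIGNMENT = {  # assigned at resource-group scope, Microsoft.Network types only
    "scope": RG,
    "parameters": {"listOfResourceTypesAllowed": [
        "Microsoft.Network/virtualNetworks", "Microsoft.Network/networkSecurityGroups",
        "Microsoft.Network/publicIPAddresses", "Microsoft.Network/networkInterfaces"]},
    "nonComplianceMessage": "Only Microsoft.Network resource types may be deployed here.",
}
# Constructed deployment: what the VM wizard creates in the resource group.
VM_DEPLOYMENT = [
    {"type": "Microsoft.Network/virtualNetworks", "id": f"{RG}/providers/Microsoft.Network/virtualNetworks/vnet1"},
    {"type": "Microsoft.Network/networkSecurityGroups", "id": f"{RG}/providers/Microsoft.Network/networkSecurityGroups/vm1-nsg"},
    {"type": "Microsoft.Network/publicIPAddresses", "id": f"{RG}/providers/Microsoft.Network/publicIPAddresses/vm1-ip"},
    {"type": "Microsoft.Network/networkInterfaces", "id": f"{RG}/providers/Microsoft.Network/networkInterfaces/vm1-nic"},
    {"type": "Microsoft.Compute/virtualMachines", "id": f"{RG}/providers/Microsoft.Compute/virtualMachines/vm1"},
]

def resolve(value, params):
    """Resolve the "[parameters('name')]" syntax used inside policy rules."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def matches(cond, resource, params):
    """Evaluate the 'not' and 'in' conditions this rule uses (case-insensitive)."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    allowed = {v.lower() for v in resolve(cond["in"], params)}
    return resource[cond["field"]].lower() in allowed

def evaluate(resource, assignment=ASSIGNMENT, rule=POLICY_RULE):
    """Return 'deny' or 'allow' for one resource; only resources in scope are checked."""
    if not resource["id"].lower().startswith(assignment["scope"].lower() + "/"):
        return "allow"  # outside the assigned resource group: rule not evaluated
    if matches(rule["if"], resource, assignment["parameters"]):
        return rule["then"]["effect"]
    return "allow"

def plan(resources, assignment=ASSIGNMENT):
    """Map each resource name to 'allow' or to 'deny' plus the non-compliance message."""
    out = {}
    for r in resources:
        effect = evaluate(r, assignment)
        name = r["id"].rsplit("/", 1)[1]
        out[name] = effect if effect == "allow" else f"deny: {assignment['nonComplianceMessage']}"
    return out
```

Running `plan(VM_DEPLOYMENT)` returns `allow` for the four network resources and `deny` (with the message) for `vm1`, which is exactly the split seen in the Test 1 screenshots; a VM in a different resource group is out of scope and is not evaluated.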

Test 2: Create a virtual network with a network contributor

Now I use my netadmins account to create a virtual network in my resource group:

Microsoft Azure - Create a virtual network with a network contributor

The virtual network was deployed successfully, so my netadmins account can manage the network resources in this resource group.

Microsoft Azure - Create a virtual network with a network contributor - Deployed

Conclusion

Thanks to RBAC, you can configure which users can manage resources at the subscription, resource group or resource level. But that doesn’t prevent “super users” with broad permissions from creating resources wherever they want. To handle that, you can use Azure Policy to restrict designated resource groups to the resource types you want. Thanks to Azure Policy, you ensure that your deployments conform to your established compliance standards.

Romain Serre
Senior consultant at Exakis
Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft technology, especially Hyper-V, System Center, storage, networking and Cloud OS technology such as Microsoft Azure or Azure Stack. He is an MVP and is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).