To give you a better understanding of the topic, we can take a look at various examples of policies you may use. There are many different kinds of available policies—let's try to describe the most interesting ones:
- Audit CORS resource access restrictions for a function app: When using Azure Functions, you may want to force developers to assign proper Cross-Origin Resource Sharing (CORS) configuration to function apps, so they are not accessible from all domains. A very simple and helpful policy that addresses a common security issue when hosting web applications.
- Audit resource location matches resource group location: To avoid confusion, you can ensure that resource groups and their resources are always provisioned in the same location.
- Audit unrestricted network access to storage accounts: If your storage accounts should not be available from the internet, you can enforce their owners to configure network rules so they are only accessible from configured networks.
- Not allowed resource types: Sometimes, your organization just cannot deploy some of the resources (for example, you need to audit the whole code base, so you cannot use Azure Functions). This policy is something you want when forbidding the use of a particular resource is essential.
When you assign any of the policies, it will immediately start to watch for your resources and check whether they are compliant with that policy.
Of course, the error displayed previously (see Figure 1.13) is in fact returned by an API powering Azure resources. That means that it will be returned also for other operations (such as using the command line or PowerShell).
The policy I described previously was executed during the creation of a resource, but of course, it also works for the resources created previously. Subscription policies are really powerful tools for an Azure administrator, allowing for setting strong fundamentals for further management activities such as automation and building an organization-wide mindset of what is allowed and what is not. The more resources your subscription has, the more difficult it is to manage and keep everything up to the defined rules. This is especially true for all companies for which compliance is crucial to work effectively—if you have thousands of VMs, app services, and storage accounts, you just cannot rely only on telling everyone that this one particular feature isn't allowed. For those scenarios, use properly set up policies, which can cover many different scenarios, especially if you create a custom one.
Check out the next section to learn more about ensuring proper policies are assigned to Azure resources using Azure Blueprints.
