In the previous post, Getting started with Azure Arc for Servers, we introduced Azure Arc and Azure Arc for Servers and connected an on-premises machine to Azure Arc. In this post, we are going to apply a policy to that on-premises machine from the Azure portal, using Azure Arc. First, let's start with a little background information about Azure Policy.
With the Azure Policy service you can create policies that enforce rules and effects over your resources, so that the resources stay compliant with your corporate standards and service level agreements. Azure Policy evaluates the resources in scope and reports the ones that are non-compliant. You can use the built-in policies that Azure provides or create your own. This assessment is done by using the following features:
After this very brief introduction of Azure Policy, let's assign a policy to our on-premises machine from Azure Arc.
The first step is to create a custom policy definition. The on-premises VM is running Windows Server 2016. Let's create a policy that only allows Windows Server machines in the resource group that is used for the on-premises machines connected with Azure Arc. Note that the rule below is taken from the Azure VM image-publisher pattern: it targets the Microsoft.Compute/virtualMachines and Microsoft.Compute/VirtualMachineScaleSets resource types, whereas a machine connected through Azure Arc is a Microsoft.HybridCompute/machines resource, so this particular rule is not evaluated against the Arc-connected machine itself; a rule that targets the Arc resource type has to use the Microsoft.HybridCompute aliases instead. To create the definition, we have to take the following steps:
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "in": [
            "Microsoft.Compute/virtualMachines",
            "Microsoft.Compute/VirtualMachineScaleSets"
          ]
        },
        {
          "not": {
            "field": "Microsoft.Compute/imagePublisher",
            "in": "[parameters('listOfAllowedimagePublishers')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "listOfAllowedimagePublishers": {
      "type": "Array",
      "metadata": {
        "description": "The list of publishers to audit against. Example: 'MicrosoftWindowsServer'",
        "displayName": "Allowed image publishers"
      }
    }
  }
}
Now that we have created a policy definition, we can assign it to the machine in Azure Arc.
To apply the policy to our on-premises machine in Azure Arc, take the following steps:
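The same two procedures (creating the custom definition and assigning it to the resource group that holds the Arc-connected machine) can be scripted instead of clicked through in the portal. The PowerShell below is an added example, not code from the original post; it uses the Az.Resources and Az.PolicyInsights cmdlets and assumes Connect-AzAccount has already been run. Unlike the rule above, it targets the Microsoft.HybridCompute/machines resource type that an Arc-connected machine actually has. The resource group name 'rg-arc-servers', the definition and assignment names, and the use of the 'Microsoft.HybridCompute/machines/osName' alias (expected to hold 'windows' or 'linux') are assumptions for illustration; the alias check at the top confirms the alias exists in your tenant before the rule relies on it.

```powershell
# Added example (not from the original post): create and assign a custom
# Azure Policy that only allows Windows machines in the resource group used
# for Arc-connected servers, then trigger and read the compliance evaluation.
# Assumptions: Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount
# has been run, 'rg-arc-servers' is a placeholder resource group name, and the
# alias 'Microsoft.HybridCompute/machines/osName' holds 'windows' or 'linux'.

$resourceGroupName = 'rg-arc-servers'   # placeholder: the RG holding the Arc-connected machines

# Verify the alias exists before building a rule on it.
Get-AzPolicyAlias -NamespaceMatch 'Microsoft.HybridCompute' |
    Select-Object -ExpandProperty Aliases |
    Where-Object Name -like '*osName*'

# Policy rule: match Arc-connected machines (Microsoft.HybridCompute/machines,
# not Microsoft.Compute/virtualMachines) whose OS is not in the allowed list.
$policyRule = @'
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.HybridCompute/machines"
      },
      {
        "not": {
          "field": "Microsoft.HybridCompute/machines/osName",
          "in": "[parameters('allowedOsNames')]"
        }
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
'@

# Parameters: the allowed OS names and the effect. Audit only reports
# non-compliance; Deny additionally rejects create/update requests that
# do not satisfy the rule, so start with Audit and switch once the
# compliance view looks right.
$policyParameters = @'
{
  "allowedOsNames": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed operating systems",
      "description": "osName values permitted for Arc-connected machines, e.g. 'windows'."
    }
  },
  "effect": {
    "type": "String",
    "metadata": {
      "displayName": "Effect",
      "description": "Audit reports non-compliance; Deny also rejects non-compliant create/update requests."
    },
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

# Create the custom definition in the current subscription.
$definition = New-AzPolicyDefinition `
    -Name 'arc-allowed-os' `
    -DisplayName 'Allowed operating systems for Azure Arc-connected machines' `
    -Description 'Flags (or denies) Arc-connected machines whose OS is not in the allowed list.' `
    -Mode 'Indexed' `
    -Policy $policyRule `
    -Parameter $policyParameters

# Assign it at resource-group scope, allowing only Windows.
$scope = (Get-AzResourceGroup -Name $resourceGroupName).ResourceId
$assignment = New-AzPolicyAssignment `
    -Name 'arc-allowed-os-windows' `
    -DisplayName 'Only Windows machines may be connected through Azure Arc' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedOsNames = @('windows'); effect = 'Audit' }

# A new assignment is not evaluated immediately; trigger a scan (the cmdlet
# waits for it to finish) instead of waiting for the periodic evaluation.
Start-AzPolicyComplianceScan -ResourceGroupName $resourceGroupName

# Read the per-resource result for this assignment.
Get-AzPolicyState -ResourceGroupName $resourceGroupName `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

The Windows Server 2016 machine from the previous post should come back with ComplianceState 'Compliant'; a Linux machine connected into the same resource group would show 'NonCompliant' under Audit, and with the effect switched to Deny its connection request would be rejected.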
We have now successfully applied a policy to an on-premises machine.
In this post, we created a custom policy and assigned it to an on-premises machine that is connected to Azure Arc. We connected this machine in the previous post of this series: Getting started with Azure Arc for Servers.
Assigning policies to machines in Azure Arc works perfectly and has the exact same experience as assigning them to Azure VMs. I do get the feeling, though, that it takes a little bit more time to assess the machines connected to Azure Arc than VMs that are actually hosted in Azure, which is quite logical in my opinion...
-Sjoukje