Posted by Mike Racine
Implement Azure Policy To Keep Data In Your Country
With over 140 #Azure datacenters all around the world, what can we do to make sure our cloud resources don’t get deployed to the wrong place? In this episode of #KnowOps Dana shows how to use Azure Policy to keep your data and compute in your chosen country, where it belongs. Data sovereignty win!
Did you know that Microsoft now has over 54 Azure regions, more than any other cloud provider? This makes it much easier to keep your resources and data in your country. But by default, that isn't guaranteed. In this episode, let me show you how to implement Azure Policy to maintain data sovereignty when you need it.
Dana Epp here. Welcome to the channel that helps aspiring Azure administrators like you and me to know Ops and, well, master the Microsoft cloud. I'm glad you're here. If you haven't yet, please smash that Subscribe button so you can be notified when I release new videos each week.
So let me set the stage for you with a practical example. I'm working on a project here in Vancouver, British Columbia that must meet the regulations of the Personal Information Protection Act that was set by our privacy commissioner which means I need to keep my cloud here in Canada. I don't want compute or data anywhere else in the world. So let's jump into the Azure Portal and I'll set up an initiative to show you how to use Azure Policy to enforce that requirement.
Okay, so if you haven't yet, go jump into the Azure Portal and get logged in. Once you're there, I need you to start up Policy, and there are two ways you can do that. Obviously, one is if you have it in the menu, you can just go straight into your Policy, or if you don't have Policy already set as a favorite, just type Policy in the search box at the top and get zipped over to Azure Policy. And I want you to go straight into Authoring, then Definitions.
Now, here's an interesting thing. When setting up Azure Policy, it's very easy to take advantage of the built-in policies Microsoft has and just apply them, but I don't want you to do that. I want you to actually create initiatives any time you're thinking about assigning policy. The reason for that is that when you're looking under the Compliance blade, it gives you the ability to see groups of policies put together and focused on an initiative. In this case, we wanna keep our compute in Canada. So in this scenario, I'm just gonna click on Initiative definition, and I can decide where I wanna apply it.
So in my case here, I already have a resource group that I've set up in one of my demo subscriptions called KnowOps Canada, and I'm going to set this up in that demo subscription. The name for this initiative will be Keep compute in Canada. When thinking about a category, you can always create your own, but in this case, because this falls under the PIPA act that I have to deal with, I'm going to put it under Regulatory Compliance, which is an existing category that Microsoft already has here. Of course, you can create your own if that's easier for you. And now, what I wanna do is assign policies to this initiative.
Microsoft has already created several built-in ones, and if I search for location, you can see that there's one here called Allowed locations and another called Allowed locations for resource groups. They are different, so if you want to force everything in a subscription to go to the one place, you'll want to make sure both the resource groups and the individual resources are covered. I'm gonna add both to this initiative because I'm making this more of a generic initiative that can then be applied to other subscriptions in the future, which also means I'm gonna set these up with parameters.
So let's start with the resource groups. We will add this policy. As we set it up here, you'll see it gives us the option to set values directly, or, as I'm gonna do, use an initiative parameter. That way, when we're assigning these, I can reuse this initiative if I ever need to. In this case, I can also optionally restrict what parameter values are allowed. So in my case here, I'm gonna say I'm only allowing Canada Central and Canada East, which are the two regions I wanna keep this stuff in. Then I'll do the same thing for the individual resources themselves: add the policy, set it up to use the same initiative parameter, which is that array of regions we have authorized, again the two Canadian regions, and I'll hit Save.
And now we've got this new initiative, Keep compute in Canada, and we've defined it in this subscription. Of course, I could also have defined it at a management group, if I had one set up, and then applied it wherever required. In this case, what I wanna do is apply this initiative directly to a resource group that I've created. So to do that, I go into Assignments and choose Assign initiative. Then I determine my scope. I could do this at the subscription, which is right here, but in my case I'm also going to select KnowOpsCanada, the resource group we're going to limit this to. So this assignment will only apply to that resource group in that subscription, but once we apply it, anything going into that resource group must be in Canada.
The initiative I wanna apply to this would be Keep compute in Canada. I'm gonna need to set up the parameters, which is whether I wanna force it to those two regions, and I do. That's about it. At this point, I have Policy enforcement set to Enabled. This has been assigned by me, so I know who did it when I'm reporting on it, and now I should be able to review and create, and I'll create this assignment. Now that this assignment's been created, within about 30 minutes, any time you try to create a resource in that resource group, the pre-deployment validation will automatically tell you that it's not authorized to be created if it's not in Canada. For the sake of time here, I'm just going to purposely go create a resource. It may not fail validation yet, but as soon as we actually try to deploy it, it should fail.
In my case, I happen to know that even though my subscriptions are Canadian and even my billing is in Canada, the Azure Marketplace picks a default region when I deploy a new resource. So I select the resource group I'm deploying to, create a VM, and call it test. Notice how the region has already been pre-selected as East US. If I wasn't paying attention, it would automatically deploy there, because that's the region Azure thinks it should be deployed to. That's not what I want, but I'm gonna purposely do this to show you how it will fail and be blocked by policy. Ooh, I guess I lucked out today. With the policy already set up, I can't create this resource. Like I said, sometimes when you apply a policy it can take up to 30 minutes for it to take effect, but we lucked out. This one got applied very quickly, and as you can see, we can't go any further.
That's the whole point of using Azure Policy in this way. We can force resources to be deployed only to authorized regions. So let's go and try to redeploy this in Canada. Final validation succeeded, and now I can create that resource.
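To make the initiative concrete, here is an added example (not code from the episode or from Microsoft) that builds the same "Keep compute in Canada" initiative as an Azure Policy set definition, with both built-in location policies wired to one initiative parameter, and then evaluates the two deployment requests from the demo (an East US VM and a Canada Central VM) against a simplified model of the built-in "Allowed locations" rule. The built-in definition IDs are the ones Microsoft publishes for "Allowed locations" and "Allowed locations for resource groups"; verify them under Policy > Definitions in your own tenant before using them. The `evaluate` function and the sample resources are constructed for illustration and are not the real policy engine.

```python
"""Added example: model the 'Keep compute in Canada' initiative and evaluate
deployment requests against it, offline. Not the episode's own code."""
import json

# Built-in policy definition IDs as published by Microsoft (assumption: verify
# them in your tenant under Policy > Definitions before relying on them).
ALLOWED_LOCATIONS = (
    "/providers/Microsoft.Authorization/policyDefinitions/"
    "e56962a6-4747-49cd-b67b-bf8b01975c4c"
)
ALLOWED_RG_LOCATIONS = (
    "/providers/Microsoft.Authorization/policyDefinitions/"
    "e765b5de-1225-4ba3-bd56-1ac6695af988"
)

# Both built-ins expose the same parameter name, so one initiative parameter
# can feed both of them.
PARAM_REF = {"listOfAllowedLocations": {"value": "[parameters('listOfAllowedLocations')]"}}


def build_initiative(allowed_regions):
    """Return the policy set (initiative) definition body.

    The region list is an initiative parameter with restricted allowedValues,
    so the value is chosen at assignment time but can only be the regions
    the initiative author permitted (Canada Central / Canada East here).
    """
    regions = list(allowed_regions)
    return {
        "displayName": "Keep compute in Canada",
        "metadata": {"category": "Regulatory Compliance"},
        "parameters": {
            "listOfAllowedLocations": {
                "type": "Array",
                "metadata": {"displayName": "Allowed locations",
                             "strongType": "location"},
                "allowedValues": regions,
                "defaultValue": regions,
            }
        },
        "policyDefinitions": [
            {"policyDefinitionId": ALLOWED_RG_LOCATIONS, "parameters": PARAM_REF},
            {"policyDefinitionId": ALLOWED_LOCATIONS, "parameters": PARAM_REF},
        ],
    }


def to_cli_inputs(definition):
    """Split the definition into the two JSON documents the az CLI takes:
    --definitions (the policy list) and --params (the parameter schema)."""
    return (json.dumps(definition["policyDefinitions"], indent=2),
            json.dumps(definition["parameters"], indent=2))


def _normalize(location):
    # ARM treats 'East US' and 'eastus' as the same region.
    return location.replace(" ", "").lower()


def evaluate(resource, allowed_regions):
    """Simplified model of the built-in 'Allowed locations' rule (deny when the
    location is not in the list, except 'global' resources and B2C directories).
    Returns 'allow' or 'deny'. This is an illustration, not the policy engine."""
    loc = _normalize(resource.get("location", ""))
    if loc == "global":
        return "allow"
    if resource.get("type") == "Microsoft.AzureActiveDirectory/b2cDirectories":
        return "allow"
    allowed = {_normalize(r) for r in allowed_regions}
    return "allow" if loc in allowed else "deny"


if __name__ == "__main__":
    canada = ["canadacentral", "canadaeast"]
    initiative = build_initiative(canada)
    print(to_cli_inputs(initiative)[0])
    # Constructed sample requests mirroring the demo: the Marketplace default
    # (East US) is blocked, the redeploy in Canada Central goes through.
    for vm in ({"type": "Microsoft.Compute/virtualMachines", "name": "test", "location": "East US"},
               {"type": "Microsoft.Compute/virtualMachines", "name": "test", "location": "Canada Central"}):
        print(vm["location"], "->", evaluate(vm, canada))
```

The two strings returned by `to_cli_inputs` can be saved to files and passed to `az policy set-definition create --name KeepComputeInCanada --display-name "Keep compute in Canada" --definitions @definitions.json --params @params.json`, and the resulting initiative assigned to the resource group with `az policy assignment create --policy-set-definition KeepComputeInCanada --scope <resource-group-id> --params '{"listOfAllowedLocations": {"value": ["canadacentral", "canadaeast"]}}'`. The `global` carve-out in `evaluate` is worth keeping in mind when reviewing compliance results: region-less resources such as Traffic Manager profiles are not denied by the location policies, so they are not evidence that data left the country, nor evidence that it stayed.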
So there ya go. It's NOT too difficult to implement Azure Policy to keep your data and compute where you want it, and it helps you meet any compliance obligations you might have, which is an added benefit. What do you think? Will you look deeper into Azure Policy? I sure hope so, and I hope you found this useful. Let me know by hitting the Like button, and if you haven't yet, smash the Subscribe button so you can be notified when I publish more videos. Until then, thanks for watching. We'll see ya in the next episode.