What happens to an existing resource if it violates an Azure policy?

I have a question about resources that violate an Azure Policy. Suppose that in my subscription I have one VM in UK West and another VM in UK South. If I create a policy that restricts VMs to UK South, what happens to the VM in UK West? Does it become unusable, is it forced to move to UK South, or is it simply reported as non-compliant? Also, what happens to new requests for UK West: will they be rejected?

If you assign a policy while resources already exist, then, if you are using the built-in policies, by default nothing happens to them.

If you assign the policy from the portal, you should see the following statement:

By default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned. For deployIfNotExists policies, the remediation task will deploy the specified template. For modify policies, the remediation task will edit tags on the existing resources.

In short, the existing VM in UK West should be marked as non-compliant, and future deployments outside UK South will be blocked by the policy.

You can see this in the built-in "Allowed locations" policy:

{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}

If the condition is not met, it just performs a Deny. Of course, if you use a custom policy, other actions may be performed as well.
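To make the two outcomes the answer describes concrete (a new deployment matching the rule is denied, an existing resource matching it is only reported as non-compliant), here is a small evaluator for the `policyRule` quoted above. It is an added illustration written for this page, not Azure's own evaluation engine; the sample resources, the `existing` flag and the outcome strings are constructed assumptions, and it only implements the `allOf`/`anyOf`/`not` blocks and the `equals`/`notEquals`/`in`/`notIn` conditions the rule needs.

```python
"""Tiny evaluator for an Azure Policy policyRule (constructed illustration, not Azure code)."""

# policyRule of the built-in "Allowed locations" definition quoted in the answer.
ALLOWED_LOCATIONS_POLICY = {
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},
                {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
            ]
        },
        "then": {"effect": "deny"},
    }
}


def _resolve(value, parameters):
    """Resolve the "[parameters('name')]" expression form used in the rule; anything else is a literal."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return parameters[value[len(prefix):-len(suffix)]]
    return value


def _norm(value):
    """Azure compares location and type strings case-insensitively; mirror that here."""
    return value.lower() if isinstance(value, str) else value


def _condition_matches(cond, resource, parameters):
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], parameters))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], parameters))
    if "in" in cond:
        return actual in {_norm(v) for v in _resolve(cond["in"], parameters)}
    if "notIn" in cond:
        return actual not in {_norm(v) for v in _resolve(cond["notIn"], parameters)}
    raise ValueError(f"unsupported condition: {cond}")


def _rule_matches(block, resource, parameters):
    if "allOf" in block:
        return all(_rule_matches(b, resource, parameters) for b in block["allOf"])
    if "anyOf" in block:
        return any(_rule_matches(b, resource, parameters) for b in block["anyOf"])
    if "not" in block:
        return not _rule_matches(block["not"], resource, parameters)
    return _condition_matches(block, resource, parameters)


def evaluate(policy, resource, parameters, existing):
    """Outcome for one resource (constructed outcome labels).

    existing=False models the request-time check on a new deployment: when the
    "if" block matches, a "deny" effect rejects the request.
    existing=True models the compliance evaluation of a resource that was already
    there when the policy was assigned: it is only reported as non-compliant,
    never deleted or moved.
    """
    matched = _rule_matches(policy["policyRule"]["if"], resource, parameters)
    effect = policy["policyRule"]["then"]["effect"].lower()
    if not matched:
        return "compliant"
    if existing:
        return "non-compliant"
    return "denied" if effect == "deny" else effect


# Assignment parameters and constructed sample resources mirroring the question's scenario.
PARAMS = {"listOfAllowedLocations": ["uksouth"]}
SAMPLES = {
    "existing VM in UK West": ({"type": "Microsoft.Compute/virtualMachines", "location": "ukwest"}, True),
    "existing VM in UK South": ({"type": "Microsoft.Compute/virtualMachines", "location": "uksouth"}, True),
    "new VM in UK West": ({"type": "Microsoft.Compute/virtualMachines", "location": "ukwest"}, False),
    "new VM in UK South": ({"type": "Microsoft.Compute/virtualMachines", "location": "uksouth"}, False),
    "new global resource": ({"type": "Microsoft.Network/trafficManagerProfiles", "location": "global"}, False),
    "new B2C directory in UK West": ({"type": "Microsoft.AzureActiveDirectory/b2cDirectories", "location": "ukwest"}, False),
}


def run_samples(policy=ALLOWED_LOCATIONS_POLICY, parameters=PARAMS):
    """Evaluate every sample and return {name: outcome}."""
    return {name: evaluate(policy, res, parameters, existing) for name, (res, existing) in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:32} -> {outcome}")
```

Swapping the `then` effect for `audit` in a custom definition makes `evaluate` return `"audit"` for the UK West deployment instead of `"denied"`, which is the "other actions" case the answer mentions; the existing resource is reported as non-compliant either way.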