Create custom policy for Azure VM snapshot creation to be LRS only

Diwakar Ambi (Accenture) 0 Reputation points
2024-07-11T14:48:29.18+00:00

We are taking backup of snapshot of OS and data disk of Azure VMs on need basis. We want the snapshot to be taken only as Full snapshot and storage type as Standard LRS.

Could you kindly suggest how we can create a custom policy to have this governance in place.

Azure Backup
Azure Backup
An Azure backup service that provides built-in management at scale.
1,287 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 12,491 Reputation points
    2024-07-11T17:26:35.8733333+00:00

    Hello Diwakar Ambi (Accenture),

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you are asking for guidance on how to create a custom policy in Azure to enforce governance. Also, you would like to ensure that all snapshots taken of the operating system (OS) and data disks of these VMs are full snapshots and use Standard Locally Redundant Storage (LRS).

    Solution

    To create a custom Azure Policy that ensures snapshots of Azure VMs are taken as full snapshots and use Standard Locally Redundant Storage (LRS), you can define a policy definition that enforces these conditions.

    The first step is to:

    Create a Custom Policy Definition.

    User's image

    As seen in the above image: Go to the Azure Portal. Navigate to "Policy" from the left-hand menu > Expand the Authoring (If not expanded) > Click on "Definitions" and then Click "+ Policy definition" to create a new custom policy.

    Secondly, Define the Policy.

    User's image

    Provide the require parameters:

    • Name: Give your policy a name, for example, "Enforce Standard LRS for VM Snapshots".
    • Description: Provide a description of what the policy does.
    • Category: Choose an existing category or create a new one.

    https://learn.microsoft.com/learn/modules/build-cloud-governance-strategy-azure/?WT.mc_id=APC-Policy

    Thirdly, use the following JSON for the "Policy Rule" in the CODE BOX as seen in the image.

    {
      "properties": {
        "displayName": "Enforce Standard LRS for VM Snapshots",
        "policyType": "Custom",
        "mode": "All",
        "description": "This policy ensures that all VM snapshots are taken as full snapshots and use Standard LRS storage.",
        "metadata": {
          "category": "Compute"
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/snapshots"
              },
              {
                "field": "Microsoft.Compute/snapshots/creationType",
                "exists": "true"
              }
            ]
          },
          "then": {
            "effect": "AuditIfNotExists",
            "details": {
              "type": "Microsoft.Compute/snapshots",
              "name": "[field('name')]",
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/snapshots/storageAccountType",
                    "equals": "Standard_LRS"
                  },
                  {
                    "field": "Microsoft.Compute/snapshots/incremental",
                    "equals": "false"
                  }
                ]
              }
            }
          }
        }
      }
    }
    

    Fourth step is to: Click "Save" to create the policy definition.

    Lastly, assign the Policy.

    User's image

    As it shown in the image: Navigate to "Assignments" under the "Policy" section > Click "+ Assign policy" > In the "Basics" tab, select the scope (subscription or resource group) where you want to apply this policy. > In the "Policy definition" field, search for and select the custom policy you just created. > Configure any additional settings as needed and click "Review + create".

    NOTE:

    This policy will audit any snapshot that does not meet the specified criteria (full snapshot and Standard LRS). If you want to enforce this policy to deny the creation of non-compliant snapshots, you can change the effect in the policy rule from AuditIfNotExists to Deny.

    "then": {
      "effect": "Deny"
    }
    

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.