Azure Policy built-in definitions for Azure Container Instances

This page is an index of Azure Policy built-in policy definitions for Azure Container Instances. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Container Instances

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Container Instances should be Zone Aligned | Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
| Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Audit, Disabled, Deny | 2.0.0 |
| Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled, Deny | 1.0.0 |
| Configure diagnostic settings for container groups to Log Analytics workspace | Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance that is missing these diagnostic settings is created or updated. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Configure diagnostics for container group to log analytics workspace | Appends the specified log analytics workspaceId and workspaceKey when any container group that is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. | Append, Disabled | 1.0.0 |
| Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |

Next steps