Azure Policy for Managed Disks

Microsoft offers many useful built-in policies that are ready to use, but they may not always meet our specific needs or preferences. One example is managing disks – a custom policy for managed disks can help us optimize the performance, cost, and compliance of our Azure environment.

By default, Azure sets the disk to premium SSD, which may be more expensive than necessary. An effective way to use this policy is to allow only standard SSD/HDD in development and test environments, which can reduce costs in your environment.

This guide will show you how to create a custom policy for restricting the SKU and disk size within Azure.

 

Location

To begin, we need to go to: Azure Portal > Policy > Definitions > Policy definition.

 

Here, we create a new policy definition with the rules we want. In this case, we can use the following code:

 

 

The above policy definition specifies the rules and effects for creating disks in Azure.

  • The mode property specifies the scope of the policy evaluation;
  • The policy rule property defines the logic of the policy. In this case it consists of an if condition and a then effect;
  • The if condition evaluates a set of rules that must all be true for the policy to take effect;
  • The type of field of the resource must equal Microsoft.Compute/disks and the equals on the example above is for Standard_LRS disks.

This can be changed to the type of disk you want, for example, if you want to only allow standard SSDs you can change the value from Standard_LRS to Standard SSD_LRS, etc.

  • Finally, we have the effect, in the above script the effect is set to “deny”, in this case, if the disk is not a Standard_LRS the policy will not allow the VM to be created, this effect can be changed to “audit” for testing.

 

Now let us assume you wish to further limit the creation of disks by only allowing certain disk types and sizes for specific subscriptions, for which we can add another rule:

 

 

The above rule is a condition that checks the size of the disk in GB. It uses the not operator to negate the result of the inner condition. Thus, if the disk size is not 128, 256 or 512 GB the Policy will then deny the disks creation.

 

If we add both conditions to the same code, it will look like this:

 

 

The above code can have varied sizes depending on the type of disk. Below there is a link to the Microsoft documentation on disk type and size:

 

Conclusion

Congratulations! You can now understand more about Azure Policy for Managed Disks and are now able to use a custom policy for managing disk types and sizes in your Azure environment.

In this article, you learned how to enforce compliance and governance for managed disks by limiting the creation of virtual machines to specific sizes and types by utilizing a custom policy. This can help you clean, optimize, and save costs in your Azure environment.

To know more about this topic, contact the team here.