Approved VM Extensions - mhughesinv/azuresecurity10 GitHub Wiki

Approved VM Extensions

In this lab, you will learn to use Azure Policy to do some of the more common tasks related to creating, assigning, and managing policies across your organization.

Exercise 1: Using Azure Policy

In this exercise, you will learn the basics of using Azure Policy. You will use a built-in policy to restrict which extensions can be deployed. You will then verify that the policy is working.

Task 1: Create an Azure Policy Assignment

In this task, you will first browse the built-in policy definitions using the Azure portal. You will then create a policy assignment using one of the built-in definitions to restrict which extensions can be used. This policy will be scoped to the Test-RG resource group.

  1. Log in to the Azure portal at https://portal.azure.com using your Azure subscription credentials.

  2. Open the Cloud Shell in PowerShell mode and run the following command to create a resource group in the UK South region.

    New-AzResourceGroup -Name myResourceGroup -Location UKSouth

  3. In the Hub menu, click on All services. Enter Policy into the search box, and click on the Policy service.

  4. The Azure Policy blade will open. Click on Definitions to show the list of available policy definitions.

  5. Use the filters and search to find the policy definition called Only approved VM extensions should be installed.

  6. Click Assign.

  7. Click the ellipsis (...) button and assign the policy to your subscription and the Test-RG resource group. Then click Select.

  8. Click Next to proceed to the Parameters tab. In this tab you can provide values for the parameters specified in the policy definition. Enter AzureDiskEncryption as the approved extension.

  9. Click Review + create, followed by Create to create the policy assignment.

  10. You will see a notification that the assignment was successful, and that the assignment will take around 30 minutes to complete.

    Note: The policy assignment can take up to 30 minutes to become effective because it has to replicate globally, although in practice it usually takes only 2 to 3 minutes. If the next task fails, wait a few minutes and attempt the steps again.
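The same assignment can be created from the Cloud Shell instead of the portal. The following PowerShell is an added example, not part of the lab's own steps: it looks up the built-in definition by display name, lists its parameter names, and assigns it to the Test-RG resource group with AzureDiskEncryption as the only approved extension. It assumes the Az.Resources module shape where definition details live under `.Properties`, that Test-RG already exists, and that the built-in's parameter is named `approvedExtensions` (verify with the listing step before relying on it).

```powershell
# Added example: assign "Only approved VM extensions should be installed" with PowerShell.
# Assumption: Test-RG already exists in the current subscription.
$rg = Get-AzResourceGroup -Name 'Test-RG'

# Find the built-in definition by its display name rather than hardcoding its GUID.
$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'Only approved VM extensions should be installed' }
if (-not $def) { throw 'Built-in definition not found; check the display name.' }

# List the parameter names the definition declares, so the name used below can be verified.
$def.Properties.Parameters | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name

# Assumption: the parameter is called approvedExtensions (adjust if the listing above differs).
$params = @{ approvedExtensions = @('AzureDiskEncryption') }

# Scope the assignment to the resource group, exactly as the portal steps do.
New-AzPolicyAssignment -Name 'approved-vm-extensions' `
    -DisplayName 'Only approved VM extensions (Test-RG)' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $def `
    -PolicyParameterObject $params

# Confirm the assignment is visible at that scope.
Get-AzPolicyAssignment -Scope $rg.ResourceId |
    Select-Object Name, @{ n = 'Definition'; e = { $_.Properties.PolicyDefinitionId } }
```

Scoping at the resource group keeps the deny effect confined to the lab scope, so an unapproved extension elsewhere in the subscription is not affected; widening the scope later only requires changing `-Scope`.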

Task 2: Verify the Azure Policy Assignment

In this task, you will verify that the policy assignment created in the previous task is effective by attempting to create a virtual machine and install an unapproved VM extension.

Create virtual machines

  1. Select + Create a resource found on the upper left corner of the Azure portal.

  2. Select Compute, and then select Linux Ubuntu 18.04 LTS.

  3. Enter, or select, the following information, and accept the defaults for the remaining settings:

    | Setting        | Value                                  |
    |----------------|----------------------------------------|
    | Subscription   | Select your subscription.              |
    | Resource group | Select Create new.                     |
    | Name           | myVmTest                               |
    | Location       | Select East US.                        |
    | User name      | Enter a user name of your choosing.    |
    | Password       | Enter a password of your choosing.     |

  4. Select a size for the VM and then select Select.

  5. Accept the defaults for disks, management and networking.

  6. Under Advanced, select Extensions and select Network Watcher for Linux.

  7. Select Review + Create at the bottom left corner, then select Create to start the VM deployment.

  8. Once you click Create, you will see a validation error.
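The same verification can be scripted from the Cloud Shell against an existing VM, which is useful when checking that an assignment has actually replicated before relying on it. The following PowerShell is an added example and not part of the lab: it tries to add the Network Watcher agent to a VM inside the policy scope, treats a RequestDisallowedByPolicy error as the expected outcome, and then lists non-compliant resources in the scope. It assumes a VM named myVmTest already exists in Test-RG, the Az.Compute and Az.PolicyInsights modules are loaded, and that the Network Watcher for Linux extension is published as Microsoft.Azure.NetworkWatcher / NetworkWatcherAgentLinux (confirm with Get-AzVMExtensionImage).

```powershell
# Added example: verify the deny effect by attempting to install an unapproved extension.
# Assumptions: VM myVmTest exists in Test-RG, which is the assignment's scope.
$rgName = 'Test-RG'
$vmName = 'myVmTest'
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName

try {
    # Network Watcher for Linux; publisher/type/version assumed, check with:
    #   Get-AzVMExtensionImage -Location $vm.Location -PublisherName Microsoft.Azure.NetworkWatcher -Type NetworkWatcherAgentLinux
    Set-AzVMExtension -ResourceGroupName $rgName -VMName $vmName `
        -Name 'NetworkWatcherAgentLinux' `
        -Publisher 'Microsoft.Azure.NetworkWatcher' `
        -ExtensionType 'NetworkWatcherAgentLinux' `
        -TypeHandlerVersion '1.4' `
        -Location $vm.Location `
        -ErrorAction Stop
    # Reaching this line means the deny did not fire; most often the assignment has not replicated yet.
    Write-Warning 'Extension installed: the policy did not deny it. Wait a few minutes and retry.'
}
catch {
    if ($_.Exception.Message -match 'RequestDisallowedByPolicy') {
        # This is the validation error the portal shows; the assignment is effective.
        Write-Host "Denied by policy as expected: $($_.Exception.Message)"
    }
    else {
        throw   # any other failure (auth, missing VM) is a real problem, not a policy result
    }
}

# Compliance view for the scope: resources the assignment currently flags as non-compliant.
Get-AzPolicyState -ResourceGroupName $rgName -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState
```

Because the policy evaluates the extension type name, the value passed in the Parameters tab (AzureDiskEncryption) is matched against the type of any extension being deployed, which is why the Network Watcher agent is rejected while an Azure Disk Encryption extension would be allowed.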