Azure Policy allows users to have Azure resources in compliance state. If you would like to know more about what Azure Policy is and how it works, please click into the hyperlink in the previous sentence. One of the common policies enterprises use is enforce every Azure resource to have tags. In this article, we would enforce Azure resources within certain Resource Group to have tags.
Azure Policy
Head to Azure portal, click on “All services” and search for “policy”.
Inside Policy tab, click on “Definitions” then search “tag” and you would find a built-in policy named “Require a tag on resource”.
Click on “Assign” and head to the next page.
At this page, you would need to define the scope the policy needs to be applied. For demonstration purpose, I chose my own subscription and the testing resource group.
After creation, you could head over into the resource group within scope and see whether you could create an Azure resource without providing tags. The expected behavior is that you would be denied for any deployment without tags.
We could apply the same policy to as many scopes as we like.
Azure Backup on Azure VM
The main purpose to write this article is to see whether we could restore all related resources back to assigned scope with Azure Policy enforcement. To do so, we would need to backup a VM.
Since we already have Azure Policy enforced in the resource group, we would need to create Recovery Services Vault (RSV) with tags separately to avoid hitting the rule. In Azure portal, click on “All services” and search for “Backup and Site Recovery”.
In the creation process, please remember to provide the tag name you assigned in the Azure Policy to this RSV.
Head over to the Azure VM that you would like to backup and select the RSV just created on the previous step with default backup policy or any policy you create.
After everything is set correctly, we should be seeing the panel below. At this moment, please select “Backup now” to start the 1st backup on this VM.
After the initial backup is completed, we should see a record showing as the orange highlight.
After seeing the record, click on “Restore VM”, select the “Restore point” and “Restore Type” as “Restore disks”.
Learn more about how to backup Azure VM with this link.
Restore to Azure Disks
When the restoring process starts, you would be redirecting to the following page and you would also be able to see notifications within the bell icon on the top right.
This could be also accessed through RSV, then “Backup Jobs” and the record of restoring.
After clicking on the record we need, we would be seeing there is an option on the top of “Deploy Template”.
Select “Edit template” on the top and copy the whole template out.
Learn more about how to restore VM back to disks with this link.
Use ARM Template to Restore Back to VM
After copying out the template, we could manually add the required tag name we set in Azure Policy into the content. Any additional information for adding tags on Azure resource could be found in this link.
Head to RSV, then “Backup Jobs” and the record of restoring.
After clicking on the record we need, we would be seeing there is an option on the top of “Deploy Template”.
Select “Edit template” on the top and copy the whole template out.
Replace the template with tags in the content, click “Save”. Back to the main page, select the correct “Resource Group”, give the restored VM a name and agree on the terms. Finally, click on “Purchase”.
If everything goes as expected, the deployment would not be denied because the tags are given to the template and the resource should be having them.
Click into the resource group we deploy the restored VM and we should see all associated resources are now being provisioned with the right tags.
This is the end of the article. By knowing this workaround, we could easily bypass many Azure service deployment that are being blocked because of dynamically-generated associated resources. Happy learning!