If you're responsible for managing resources on Azure, a comprehensive understanding of Azure Policy is absolutely essential. Our focus today is on two facets of Azure Policy - exceptions and exemptions. These terms are often used interchangeably but have distinct differences in their usage.
Let's begin by understanding the fundamentals of Azure Policy.
Azure Policy is a service within Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects on your resources, ensuring they remain in compliance with your corporate standards and service level agreements. Azure Policy achieves this by conducting evaluations of your resources and identifying those that are non-compliant with the policies you've implemented.
Now, let's dive into the main topic: exceptions and exemptions.
Policy Exceptions
In the context of Azure Policy, an exception is a condition under which a normally applicable policy does not apply. This is typically defined within the policy definition itself. For example, you might have a policy that prevents the creation of certain types of resources, but you could define an exception for a specific resource group or resource type.
Here's an example of how to add an exception to an Azure Policy assignment, shown as the assignment's JSON (the same notScopes list can be supplied through Azure PowerShell, the CLI or an ARM template):
  {
    "properties": {
      "displayName": "Audit for allowed locations",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionId}",
      "parameters": {
        "listOfAllowedLocations": {
          "value": ["westus", "eastus"]
        }
      },
      "scope": "/subscriptions/{subscriptionId}",
      "notScopes": [
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}",
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup2}"
      ]
    }
  }
In this example, the "Audit for allowed locations" policy is assigned at the subscription scope but will not be enforced on resources in the resourceGroup1 and resourceGroup2 resource groups. The notScopes property is an array that can include multiple scopes.
Please replace {policyDefinitionId}, {subscriptionId}, {resourceGroup1}, and {resourceGroup2} with your actual values.
Note that the notScopes property applies to policy assignments, not the policy definitions themselves. This allows you to have different exceptions for different assignments of the same policy. However, it also means that every time you want to amend the exceptions, the assignment itself has to be altered.
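As an added example (not part of the original post), here is the same assignment built with Azure PowerShell (Az.Resources), followed by the amendment step the paragraph above describes. The {placeholder} values, the assignment name 'audit-allowed-locations' and the third resource group are assumptions; -NotScope replaces the whole array, so an amendment must write the full list back.

```powershell
# Added example: create the "Audit for allowed locations" assignment with notScopes.
# Every {placeholder} is an assumption you must replace with a real value.
$subscriptionId = '{subscriptionId}'
$scope          = "/subscriptions/$subscriptionId"
$notScopes      = @(
    "$scope/resourceGroups/{resourceGroup1}",
    "$scope/resourceGroups/{resourceGroup2}"
)

# Look up the definition object; -Name takes the definition's GUID for a built-in policy
$definition = Get-AzPolicyDefinition -Name '{policyDefinitionId}'

$assignment = New-AzPolicyAssignment `
    -Name 'audit-allowed-locations' `
    -DisplayName 'Audit for allowed locations' `
    -PolicyDefinition $definition `
    -Scope $scope `
    -NotScope $notScopes `
    -PolicyParameterObject @{ listOfAllowedLocations = @('westus', 'eastus') }

# Amending the exceptions later means rewriting the assignment. -NotScope is an
# array that REPLACES the existing one, so read the current list and append to it;
# passing only the new entry would silently drop the exceptions already in place.
# (Older Az.Resources exposes the list as .Properties.NotScopes, newer versions as .NotScope.)
$existing = Get-AzPolicyAssignment -Name 'audit-allowed-locations' -Scope $scope
$current  = if ($existing.NotScope) { $existing.NotScope } else { $existing.Properties.NotScopes }
$updated  = @($current) + "$scope/resourceGroups/{resourceGroup3}"

# Set-AzPolicyAssignment is kept as an alias of Update-AzPolicyAssignment in newer Az.Resources
Set-AzPolicyAssignment -Name 'audit-allowed-locations' -Scope $scope -NotScope $updated
```

Because the change lands on the assignment, anyone with rights to update assignments at the subscription can widen the exception list, so reviewing the NotScope array is part of reviewing the policy itself.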
Policy Exemptions
Exemptions, on the other hand, are a feature of Azure Policy that allows resources or resource groups to be excluded from policy enforcement. Unlike exceptions, which are defined in the policy itself, exemptions are separate objects that are applied to resources or resource groups after the policy is in place.
Here's a fragment of an example ARM template that creates a policy exemption:
  {
    "type": "Microsoft.Authorization/policyExemptions",
    "apiVersion": "2022-07-01-preview",
    "name": "exemption",
    "properties": {
      "assignmentScopeValidation": "Default",
      "description": "Exempt {resourceGroup1}",
      "displayName": "Exemption for policy on {resourceGroup1}",
      "exemptionCategory": "Waiver",
      "expiresOn": "2023-05-23T12:00",
      "policyAssignmentId": "Microsoft.Authorization/policyAssignments/{policyAssignmentName}"
    }
  }
Note that this ARM template is deployed at the scope of the resource group being exempted, in this case {resourceGroup1}. To create another exemption for a second resource group, {resourceGroup2} for example, you would deploy the same template again at {resourceGroup2}.
The exemptionCategory property can have two possible values: 'Waiver' or 'Mitigated'. A 'Waiver' exemption is used when the policy is intentionally not applicable to a resource or set of resources. A 'Mitigated' exemption is used when the conditions of the policy have been satisfied by other means.
Exemptions can be a key part of managing Azure resources at scale, allowing you to enforce consistent policies while also allowing for necessary flexibility.
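As an added example (not from the original post), the same exemptions created with Azure PowerShell for both resource groups, plus a Mitigated exemption on a single resource to show the second category. The {placeholder} values, the exemption names and the storage account scope are assumptions.

```powershell
# Added example: create Waiver exemptions for two resource groups and one Mitigated
# exemption for a single resource. Every {placeholder} is an assumption to replace.
$subscriptionId = '{subscriptionId}'
$scope          = "/subscriptions/$subscriptionId"
$assignment     = Get-AzPolicyAssignment -Name '{policyAssignmentName}' -Scope $scope

# An exemption is scoped to the thing being exempted, so it is one object per
# resource group; the assignment itself is never modified.
foreach ($rg in @('{resourceGroup1}', '{resourceGroup2}')) {
    New-AzPolicyExemption `
        -Name "exemption-$rg" `
        -DisplayName "Exemption for policy on $rg" `
        -Description "Exempt $rg" `
        -PolicyAssignment $assignment `
        -Scope "$scope/resourceGroups/$rg" `
        -ExemptionCategory 'Waiver' `
        -ExpiresOn (Get-Date '2023-05-23T12:00')   # same expiry as the ARM fragment
}

# 'Mitigated' records that the policy's intent is met by other means. Here it is
# applied to one resource so the rest of its resource group stays under evaluation.
New-AzPolicyExemption `
    -Name 'exemption-mitigated-example' `
    -DisplayName 'Mitigated: control satisfied by other means' `
    -Description 'Replace with the justification your reviewers expect' `
    -PolicyAssignment $assignment `
    -Scope "$scope/resourceGroups/{resourceGroup3}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}" `
    -ExemptionCategory 'Mitigated'

# Expired exemptions are no longer honoured at evaluation time but the objects remain,
# so list everything under the subscription when reviewing what is currently excluded.
Get-AzPolicyExemption -Scope $scope -IncludeDescendent
```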
Comparing the Two
While both exceptions and exemptions offer ways to exclude resources from policy enforcement, they serve different purposes and are used in different contexts. Exceptions are a part of the policy definition and determine where the policy rule does not apply. Exemptions, on the other hand, are applied after a policy is in place and exclude specific resources or resource groups from the policy enforcement.
Reporting Differences
One key difference between exemptions and exceptions lies in how they are reported within Azure Policy's compliance data.
When you create an exemption, that exemption is reflected in Azure Policy's compliance data. The exempted resources are reported as "exempt" instead of "non-compliant". This makes it easy to distinguish between resources that are genuinely non-compliant and those that have been intentionally exempted from the policy.
On the other hand, exceptions do not alter the compliance state of a resource. Resources that match the conditions in the "if" block of the policy rule but are in the "notScopes" list are simply not evaluated against the policy. As such, they do not appear in the policy's compliance data at all.
This key difference can greatly affect how you manage your Azure resources and monitor compliance within your environment. If you want to explicitly track that a resource is non-compliant by design, you might choose to use an exemption. But if you simply want a resource to be ignored by a particular policy, an exception might be the better choice.
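As an added example (not from the original post), the reporting difference above made visible with the Az.PolicyInsights cmdlets. The subscription ID, assignment name and resource group are assumed placeholders.

```powershell
# Added example: show how exemptions and notScopes differ in compliance data.
# Every {placeholder} is an assumption to replace with a real value.
$subscriptionId = '{subscriptionId}'
$assignmentName = '{policyAssignmentName}'

# Exempted resources are still evaluated and recorded, with ComplianceState 'Exempt',
# so a per-state summary of the assignment shows Compliant, NonCompliant and Exempt.
$states = Get-AzPolicyState -SubscriptionId $subscriptionId -PolicyAssignmentName $assignmentName
$states | Group-Object ComplianceState | Select-Object Name, Count

# Pull only the exempt records, for instance to check each waiver against its justification
$exempt = Get-AzPolicyState -SubscriptionId $subscriptionId -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'Exempt'"
$exempt | Select-Object ResourceId, ComplianceState, Timestamp

# A resource group listed in notScopes is never evaluated, so this returns no records
# at all: its resources appear neither as compliant, non-compliant nor exempt.
Get-AzPolicyState -SubscriptionId $subscriptionId -ResourceGroupName '{resourceGroup1}' `
    -PolicyAssignmentName $assignmentName

# Practical consequence: an inventory of "what is excluded and why" needs two sources,
# the exemption objects and the assignment's own notScopes list.
$exemptions = Get-AzPolicyExemption -Scope "/subscriptions/$subscriptionId" -IncludeDescendent
$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope "/subscriptions/$subscriptionId"
```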
Why you might need a policy exception or exemption
There are various reasons why you might need an exception or exemption from an Azure Policy. It often depends on the specific circumstances of your project, infrastructure, or organisation's needs.
Policy exceptions can be beneficial when you want a policy to apply broadly across your Azure environment but need it to exclude certain resources based on specific conditions. For example, imagine you have a policy in place that restricts the creation of storage accounts to a specific SKU (Stock Keeping Unit). However, there may be a particular application in your environment that requires a different type of storage account to function optimally. In this case, you could add an exception to the policy for that specific application, allowing it to create the storage account type it needs while the rest of the environment continues to comply with the original policy.
Policy exemptions, on the other hand, are useful when you want a policy to apply to your entire Azure environment, but there are certain resources or resource groups that you want to exclude completely from the policy enforcement. For instance, suppose you have a policy that restricts the creation of virtual machines of a certain size for cost management reasons. However, your development team might be working on a project that requires testing on larger virtual machines for a limited period. In this scenario, you could create a policy exemption for the resource group containing the development team's resources. This would allow them to create larger virtual machines for their project while the rest of the Azure environment remains compliant with the original policy.
Understanding when to use policy exceptions and exemptions can provide you with greater flexibility in managing your Azure resources while ensuring compliance with your organisational standards and cost management strategies. Remember, effective use of Azure Policy is all about striking the right balance between enforcement and flexibility.
Conclusion
Azure Policy exceptions and exemptions are powerful tools that allow for nuanced policy management across a broad range of resources. By understanding and employing these features, you can ensure consistent policy application while maintaining the necessary flexibility. Whether you need to exclude a specific resource from a policy using an exception, or exempt a resource group from policy enforcement using an exemption, Azure Policy can accommodate your needs.
The differences in reporting between the two are also crucial for managing Azure resources and monitoring compliance effectively. With exemptions, the compliance data will show exempted resources as such, thereby distinguishing them from genuinely non-compliant resources. However, exceptions do not alter the compliance state of a resource. Resources under the "notScopes" list aren't evaluated against the policy and hence, they don't appear in the policy's compliance data.
In the world of Azure resource management, clear and effective policy creation is of paramount importance. However, equally critical is the knowledge of when and how to make exceptions and exemptions to those rules, as well as understanding their impact on policy compliance reporting.