Apply policies to Windows VMs with Azure Resource Manager

By using policies, an organization can enforce various conventions and rules throughout the enterprise. Enforcing the desired behavior helps mitigate risk while contributing to the success of the organization. This article describes how you can use Azure Resource Manager policies to define the desired behavior for your organization's virtual machines.

For an introduction to policies, see What is Azure Policy?

Permitted Virtual Machines

To ensure that the virtual machines in your organization are compatible with an application, you can restrict the permitted operating systems. The following policy example allows only Windows Server 2012 R2 Datacenter virtual machines to be created:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/VirtualMachineScaleSets"
        ]
      },
      {
        "not": {
          "allOf": [
            {
              "field": "Microsoft.Compute/imagePublisher",
              "in": [
                "MicrosoftWindowsServer"
              ]
            },
            {
              "field": "Microsoft.Compute/imageOffer",
              "in": [
                "WindowsServer"
              ]
            },
            {
              "field": "Microsoft.Compute/imageSku",
              "in": [
                "2012-R2-Datacenter"
              ]
            },
            {
              "field": "Microsoft.Compute/imageVersion",
              "in": [
                "latest"
              ]
            }
          ]
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

Use a wildcard to modify the preceding policy so that it allows any Windows Server Datacenter image:

{
  "field": "Microsoft.Compute/imageSku",
  "like": "*Datacenter"
}

Use anyOf to modify the preceding policy so that it allows any Windows Server 2012 R2 Datacenter or later image:

{
  "anyOf": [
    {
      "field": "Microsoft.Compute/imageSku",
      "like": "2012-R2-Datacenter*"
    },
    {
      "field": "Microsoft.Compute/imageSku",
      "like": "2016-Datacenter*"
    }
  ]
}
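As an added example (not part of the original article and not Azure's own policy engine), the following offline evaluator implements the subset of the policy rule language used above (allOf, anyOf, not, and the field conditions in, equals, like, exists) and applies the permitted-images rule, with the anyOf SKU variant slotted in, to constructed resources. The resources are plain alias-to-value dicts built for illustration, not real ARM payloads; this lets you check what a rule would deny before assigning it.

```python
import fnmatch

def _field_condition(cond, resource):
    # Field conditions from the page; Azure Policy string matching is case-insensitive.
    value = resource.get(cond["field"])
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    if value is None:
        return False
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "in" in cond:
        return value.lower() in (v.lower() for v in cond["in"])
    if "like" in cond:  # '*' wildcard, as in the page's "*Datacenter" example
        return fnmatch.fnmatchcase(value.lower(), cond["like"].lower())
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(condition, resource):
    # Logical operators used on the page: allOf, anyOf, not.
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    return _field_condition(condition, resource)

def effect_for(policy_rule, resource):
    # The 'then' effect ("deny") when the 'if' block matches the resource, otherwise None.
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], resource) else None

# The page's permitted-Windows rule with the anyOf "2012 R2 or later" SKU variant slotted in.
PERMITTED_WINDOWS = {
    "if": {"allOf": [
        {"field": "type", "in": ["Microsoft.Compute/virtualMachines",
                                 "Microsoft.Compute/VirtualMachineScaleSets"]},
        {"not": {"allOf": [
            {"field": "Microsoft.Compute/imagePublisher", "in": ["MicrosoftWindowsServer"]},
            {"field": "Microsoft.Compute/imageOffer", "in": ["WindowsServer"]},
            {"anyOf": [{"field": "Microsoft.Compute/imageSku", "like": "2012-R2-Datacenter*"},
                       {"field": "Microsoft.Compute/imageSku", "like": "2016-Datacenter*"}]},
            {"field": "Microsoft.Compute/imageVersion", "in": ["latest"]}]}}]},
    "then": {"effect": "deny"},
}

def vm(sku, publisher="MicrosoftWindowsServer", offer="WindowsServer", version="latest"):
    # Constructed alias->value view of a VM (not an ARM payload), for offline what-if checks.
    return {"type": "Microsoft.Compute/virtualMachines", "Microsoft.Compute/imagePublisher": publisher,
            "Microsoft.Compute/imageOffer": offer, "Microsoft.Compute/imageSku": sku,
            "Microsoft.Compute/imageVersion": version}
```

A resource whose type is not in the rule's list (for example a storage account) is simply not evaluated by the rule, which is why effect_for returns None rather than "deny" for it.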

For information about policy fields, see Policy aliases.

Managed disks

To require the use of managed disks, use the following policy:

{
  "if": {
    "anyOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/osDisk.uri",
            "exists": true
          }
        ]
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/VirtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers",
                "exists": true
              },
              {
                "field": "Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl",
                "exists": true
              }
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

Images for Virtual Machines

For security reasons, you can require that only approved custom images are deployed in your environment. You can specify either the resource group that contains the approved images, or the specific approved images.

The following example requires images from an approved resource group:

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "in": [
                    "Microsoft.Compute/virtualMachines",
                    "Microsoft.Compute/VirtualMachineScaleSets"
                ]
            },
            {
                "not": {
                    "field": "Microsoft.Compute/imageId",
                    "contains": "resourceGroups/CustomImage"
                }
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

The following example specifies the approved image IDs:

{
    "field": "Microsoft.Compute/imageId",
    "in": ["{imageId1}","{imageId2}"]
}

Virtual Machine extensions

You may want to forbid the use of certain types of extensions. For example, an extension may not be compatible with certain custom virtual machine images. The following example shows how to block a specific extension. It uses the publisher and type to identify the extension to block.

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines/extensions"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Compute"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "{extension-type}"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

Azure Hybrid Use Benefit

When you have an on-premises license, you can save the license fee on your virtual machines. When you don't have such a license, you should forbid the option. The following policy forbids use of Azure Hybrid Use Benefit (AHUB):

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "in":[ "Microsoft.Compute/virtualMachines","Microsoft.Compute/VirtualMachineScaleSets"]
            },
            {
                "field": "Microsoft.Compute/licenseType",
                "exists": true
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

Next steps