How to Use Management Group Policies in Azure for the Cost-Saving?

Properly configuring management groups offers several advantages:

• It addresses the significant bills problems, resulting from human errors or infrastructure code that has configured overprovisioned and non-compliant resources.
• Automation of cost governance can be facilitated through the enforcement of specific Azure Group Policies, some of which are built-in, such as those regulating allowed VM size SKUs, and some are custom ones.

One particularly important policy is the tagging policy. Since tagging is essential for cost control, it is highly recommended to promptly implement the tagging policy to ensure that no new resources are created without proper tagging.

Policies prevent the creation of non-compliant resources or apply cost-related tags. They also track resource usage and generate significant optimization and/or cost control alerts.

With Azure Policy, you can prevent non-compliant resource creation, tag resources for cost identification, track usage, and trigger alerts upon reaching thresholds. This proactive approach empowers you to optimize resources and manage costs effectively.

Custom Policies

There are plenty of custom policies that can be defined. For instance, Azure Policy to audit unattached Public IPs; policy to use AHUB for cost savings; policy to enforce the use of LRS storage accounts; enforcing naming convention using Azure Policy, etc.

The policy can be assigned using the Policy resource, click on an assign tab, and fill in the details like in the following example:.

Built-in Policies

In addition to custom policies, there are built-in policies for cost savings.

Examples:

• Allowed VM SKUs: Specify allowed virtual machine SKUs to avoid expensive or unnecessary ones.
• Network interfaces should not have public IPs: Restricts creating public IPs unless explicitly allowed, reducing security risks and cloud spending.
• Require tag on resource: Enforce specific tags on resources for better tracking, categorization, and cost optimization.

You can load the existing policies by using the 3 dots button near Police definition section

Practical example:

Let's define the Policy, that restricts the sizes of VM.

1. In the Azure Portal, navigate to the "Azure Policy" service.
2. Click on "Definitions" and then select "+ Add a definition."
3. In the "Create a policy definition" form, provide the following information:
   • Name: Give your policy definition a descriptive name, e.g., "Restrict VM Sizes."
   • Description: Provide a brief description of the policy's purpose.
   • Category: Choose an appropriate category, such as "Compute."

For the policy rule, I used the following code:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "not": {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "in": [
              "Standard_B1s",
              "Standard_B1ms"
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

Click "Review + create," and then click "Create" to create the policy definition.

Assign the Azure Policy

1. After creating the policy definition, go to "Policy assignments" in the Azure Policy service.
2. Click "+ Assign a policy."
3. In the "Assign a policy" form, provide the following information:
   • Scope: Choose the scope of your policy assignment (e.g., a specific resource group or your entire subscription).
   • Policy definition: Select the "Restrict VM Sizes" policy definition you created in Step 2.
   • Parameters: If you defined parameters in your policy, you can set them here.
4. Click "Review + create," and then click "Create" to assign the policy.

Observe Cost Savings

Now that you've assigned the policy, Azure will enforce the restriction on VM sizes. For example, if you specified in the policy that only "Standard_B1s" and "Standard_B1ms" VM sizes are allowed, any attempts to create or resize VMs to other sizes will be denied.

Then, if someone wants to create a new VM, it will show the applied policies. In this case, the unavailable by Policy restriction sizes will not be shown.

Using Policy compliance, we can take a look on non-compliant resources existing:

Business Outcome

• Scenario: Imagine your organization runs various workloads on Azure VMs, but due to lack of size restrictions, some developers and users opt for larger VM sizes than necessary.
• Outcome: By implementing Azure Policies that restrict VM sizes to, for example, "Standard_B1s" and "Standard_B1ms," users are compelled to choose smaller, more cost-effective VMs.
• Cost Savings Example: Let's say a "Standard_B1s" VM costs $8.20 per month, while a larger "Standard_D2s_v3" VM costs $82 per month. It is tens time more expensive! Even worse, imagine you have several of these VMs with unnecessary, more performant configuration.

Group Policies are significant means of saving budget. It ensures that there will not be noncompliant resources created, rather by script or manually, as we have seen in the practical example. It is important to specify the Group Policies at the beginning of the project process, to overcome the high cost of underused Azure resources at the end of the month.

To sum up, this article discusses the business benefits of cost-saving by using Azure Management Group Policies for cost savings. By enforcing Group Policies usage with built-in or custom configuration, organizations can achieve substantial savings while maintaining performance.