Understanding exactly where your business resources and data sit within the cloud is an important part of your governance, control and geo-compliance requirements. It can also help reduce latency if the chosen regions are the closest to your end users.

This guide shows you how to implement Azure region policies so that your resources can only be deployed in UK locations.

Allowed Locations

This policy enables you to restrict the locations your organization can specify when deploying resources. Use it to enforce your geo-compliance requirements, but note that it excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.

Within your Subscription, select Settings > Assignments and then Assign Policy.

Ensure the correct scope is selected, then give the assignment a logical name.

Under the policy definition, search for "Allowed locations" as shown below:

Once this is added, you will need to select the locations of your choice; for this example I have selected UK South and UK West.

The policy should eventually look along the lines of the following:

To test that this policy is applying correctly, try to create a virtual machine in a region that was not selected earlier.

Once a region outside the allowed list has been specified, an error message will be shown stating that the subscription doesn't support virtual machine creation in the selected region.

Allowed Locations for Resource Groups

Staying at the subscription level, repeat the steps above but select the policy definition called "Allowed locations for resource groups".

Once applied, attempt to create a new resource group in a location that is not in your allowed list and you will see a similar message to the one above.

Once both assignments have been created they should look similar to the following:
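To make clear why both assignments are needed, the following is an added example (not from this guide or from Microsoft's policy engine) that mirrors the rule logic of the two built-in definitions used above and evaluates a few constructed deployment requests against them. The definition ids in the comments and the parameter name listOfAllowedLocations are taken from the public built-in definitions and are assumed to be correct; the "Indexed" mode handling is a simplification of how Azure Policy skips resource groups for that mode.

```python
"""Offline evaluator mirroring the two built-in Azure "Allowed locations"
policies. Added example, not Microsoft's policy engine. Sample requests
below are constructed for illustration."""

ALLOWED = ["uksouth", "ukwest"]  # the two locations chosen in this guide
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# Mirrors built-in "Allowed locations" (assumed id e56962a6-4747-49cd-b67b-bf8b01975c4c).
# Mode "Indexed": resource groups are not evaluated at all, which is why
# the guide also applies the resource-group variant below.
ALLOWED_LOCATIONS = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
            {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
        ]},
        "then": {"effect": "deny"},
    },
}

# Mirrors built-in "Allowed locations for resource groups"
# (assumed id e765b5de-1225-4ba3-bd56-1ac6a5cc3e56).
RG_LOCATIONS = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": RG_TYPE},
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        ]},
        "then": {"effect": "deny"},
    },
}


def _resolve(value, params):
    """Expand the only template expression these rules use: [parameters('x')]."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def _condition(cond, resource, params):
    """Evaluate one field condition (case-insensitive, as Azure does for location)."""
    actual = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params).lower()
    if "notEquals" in cond:
        return actual != _resolve(cond["notEquals"], params).lower()
    if "in" in cond:
        return actual in [v.lower() for v in _resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [v.lower() for v in _resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def _matches(expr, resource, params):
    """Recursively evaluate allOf / anyOf / not groupings and leaf conditions."""
    if "allOf" in expr:
        return all(_matches(e, resource, params) for e in expr["allOf"])
    if "anyOf" in expr:
        return any(_matches(e, resource, params) for e in expr["anyOf"])
    if "not" in expr:
        return not _matches(expr["not"], resource, params)
    return _condition(expr, resource, params)


def evaluate(definition, resource, params):
    """Return the effect one definition would apply to a request, or 'none'."""
    if definition["mode"] == "Indexed" and resource["type"].lower() == RG_TYPE.lower():
        return "none"  # simplification: Indexed-mode policies skip resource groups
    if _matches(definition["policyRule"]["if"], resource, params):
        return definition["policyRule"]["then"]["effect"].lower()
    return "none"


def evaluate_all(resource, params):
    """Combine both assignments: a single 'deny' from either blocks the request."""
    effects = {evaluate(d, resource, params) for d in (ALLOWED_LOCATIONS, RG_LOCATIONS)}
    return "deny" if "deny" in effects else "allow"


# Constructed sample deployment requests
REQUESTS = [
    {"name": "vm-weu", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "vm-uks", "type": "Microsoft.Compute/virtualMachines", "location": "uksouth"},
    {"name": "rg-weu", "type": RG_TYPE, "location": "westeurope"},
    {"name": "b2c", "type": "Microsoft.AzureActiveDirectory/b2cDirectories", "location": "global"},
    {"name": "dns", "type": "Microsoft.Network/dnsZones", "location": "global"},
]

if __name__ == "__main__":
    params = {"listOfAllowedLocations": ALLOWED}
    for req in REQUESTS:
        print(f"{req['name']:7} {req['location']:11} -> {evaluate_all(req, params)}")
```

Running it shows the gap the second assignment closes: the resource group in westeurope is not evaluated by the first policy at all and is only denied by the resource-group policy, while 'global' resources and B2C directories pass both, matching the exclusions listed in the definition description.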

To ensure that certain administrators cannot bypass this control by creating another resource group outside the allowed locations or by turning off this policy assignment, tiered administrator roles would have to be correctly set up and tested with appropriately scoped IAM policies.