Understanding exactly where your business resources and data sit within the cloud is an important part of your governance, control and geo-compliance requirements. It can also reduce latency when the chosen regions are the closest to your end users.
This guide shows you how to implement Azure region policies that only allow your resources to be deployed in UK locations.
Allowed Locations
Within your Subscription, select Settings > Assignments and then Assign Policy.
Ensure the correct scope is selected, then give the assignment a logical name.
Under Policy definition, search for "Allowed locations" as shown below:
Once this is added, select the locations of your choice; for this example I have selected UK South and UK West.
The policy assignment should eventually look along the lines of:
To test that this policy is applying correctly, try to create a virtual machine in a region that was not selected earlier.
Once the incorrect region has been specified, an error message is shown stating that the subscription doesn't support virtual machine creation in the selected region.
Allowed Locations for Resource Groups
Staying at the subscription level, repeat the steps above but select the policy definition called "Allowed locations for resource groups".
Once applied, attempt to create a new resource group in a location that is not in your allowed list and you will see a similar message to the one above.
Once both assignments have been created they should look similar to the following:
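As an added example (not part of the original guide), the following Python evaluator models the two rules assigned above and shows why a virtual machine in West Europe is denied, why a resource in the "global" location is not, and why the resource-group policy is needed alongside the first. The rule bodies mirror the structure of the built-in definitions as I recall them and are an assumption, not the live definitions in your tenant.

```python
# Constructed example: rule bodies follow the structure of the built-in
# "Allowed locations" and "Allowed locations for resource groups" policies
# as remembered by the editor (an assumption, not the live definitions).
ALLOWED = ["uksouth", "ukwest"]  # the parameter values chosen in the guide

ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},  # 'global' resources are exempt
    ]},
    "then": {"effect": "deny"},
}

RESOURCE_GROUP_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
    ]},
    "then": {"effect": "deny"},
}

def _resolve(value, params):
    """Expand the single parameter reference these rules use."""
    if value == "[parameters('listOfAllowedLocations')]":
        return params["listOfAllowedLocations"]
    return value

def _condition(cond, resource, params):
    """Evaluate one field condition; string comparisons are case-insensitive."""
    actual = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params).lower()
    if "notEquals" in cond:
        return actual != _resolve(cond["notEquals"], params).lower()
    if "notIn" in cond:
        return actual not in [v.lower() for v in _resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource, params):
    """Return the rule's effect when every allOf condition matches, else 'allow'."""
    matched = all(_condition(c, resource, params) for c in rule["if"]["allOf"])
    return rule["then"]["effect"] if matched else "allow"

if __name__ == "__main__":
    params = {"listOfAllowedLocations": ALLOWED}
    vm = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope"}
    print(evaluate(ALLOWED_LOCATIONS_RULE, vm, params))  # deny
```

Note that the resource-group rule matches only resources of type Microsoft.Resources/subscriptions/resourceGroups, which is why both assignments are required.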
To ensure that administrators cannot bypass these controls, either by creating a resource group outside the allowed locations or by switching off the policy assignment, tiered administrator roles must be correctly set up and tested with appropriately scoped IAM policies.