Azure Policy built-in definitions for Azure Container Instances
This page is an index of Azure Policy built-in policy definitions for Azure Container Instances. For more Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure Container Instances
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Instances should be Zone Aligned | Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Audit, Disabled, Deny | 2.0.0 |
Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled, Deny | 1.0.0 |
Configure diagnostic settings for container groups to Log Analytics workspace | Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Configure diagnostics for container group to log analytics workspace | Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those container groups are changed. | Append, Disabled | 1.0.0 |
Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
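As an added illustration (not code from this page or from the Azure Policy GitHub repo), the Python script below applies the conditions the three Audit/Deny built-ins describe, plus the Append behaviour of the diagnostics policy, to constructed container group resource documents, so the outcome of each effect can be tried locally before the policy is assigned. The property names it reads (zones, properties.subnetIds, properties.encryptionProperties, properties.diagnostics.logAnalytics) are ARM properties of Microsoft.ContainerInstance/containerGroups; that these are exactly the fields the built-ins test is an assumption based on the descriptions above, and the sample resources and their ids are made up.

```python
"""Local pre-deployment check mirroring the intent of the Azure Container
Instances built-ins listed above.  Added example: each condition is a
reading of the policy description, not the policy definition itself, and
the ARM property names inspected are an assumption about what each
built-in evaluates.
"""
from copy import deepcopy


def zone_aligned(cg: dict) -> bool:
    """[Preview] Zone Aligned: compliant only if zones has exactly one entry."""
    return len(cg.get("zones") or []) == 1


def in_virtual_network(cg: dict) -> bool:
    """Deployed into a virtual network: at least one delegated subnet id."""
    return bool(cg.get("properties", {}).get("subnetIds"))


def uses_customer_managed_key(cg: dict) -> bool:
    """Customer-managed key: all three Key Vault key fields must be present."""
    enc = cg.get("properties", {}).get("encryptionProperties") or {}
    return all(enc.get(k) for k in ("vaultBaseUrl", "keyName", "keyVersion"))


# Policy -> condition.  Which effect (Audit/Deny/Disabled) is used is chosen
# per assignment, so it is passed to evaluate() separately.
CHECKS = {
    "zone-aligned": zone_aligned,
    "virtual-network": in_virtual_network,
    "customer-managed-key": uses_customer_managed_key,
}


def evaluate(cg: dict, effects: dict) -> dict:
    """Return {policy: 'compliant' | 'audit' | 'deny' | 'disabled'}.

    Audit records non-compliance but lets the request through; Deny rejects
    the create/update; Disabled skips evaluation.  Default effect is Audit.
    """
    outcome = {}
    for name, check in CHECKS.items():
        effect = effects.get(name, "Audit")
        if effect == "Disabled":
            outcome[name] = "disabled"
        elif check(cg):
            outcome[name] = "compliant"
        else:
            outcome[name] = effect.lower()  # 'audit' or 'deny'
    return outcome


def append_log_analytics(cg: dict, workspace_id: str, workspace_key: str):
    """Model of the Append effect in 'Configure diagnostics for container
    group to log analytics workspace': fill workspaceId/workspaceKey only
    when missing; values already present are left untouched.
    Returns (new_resource, changed); the input is not mutated.
    """
    out = deepcopy(cg)
    la = (out.setdefault("properties", {})
             .setdefault("diagnostics", {})
             .setdefault("logAnalytics", {}))
    changed = False
    if not la.get("workspaceId"):
        la["workspaceId"] = workspace_id
        changed = True
    if not la.get("workspaceKey"):
        la["workspaceKey"] = workspace_key
        changed = True
    return out, changed


# Constructed sample resources (hypothetical names and ids, not real deployments).
COMPLIANT = {
    "type": "Microsoft.ContainerInstance/containerGroups",
    "name": "cg-compliant",
    "zones": ["1"],
    "properties": {
        "subnetIds": [{"id": "/subscriptions/0000/resourceGroups/rg/providers/"
                             "Microsoft.Network/virtualNetworks/vnet/subnets/aci"}],
        "encryptionProperties": {
            "vaultBaseUrl": "https://kv-example.vault.azure.net/",
            "keyName": "aci-cmk",
            "keyVersion": "0123456789abcdef",
        },
        "diagnostics": {"logAnalytics": {"workspaceId": "existing-ws",
                                         "workspaceKey": "existing-key"}},
    },
}
NONCOMPLIANT = {
    "type": "Microsoft.ContainerInstance/containerGroups",
    "name": "cg-default",
    "zones": ["1", "2"],  # two zones: not Zone Aligned
    "properties": {"ipAddress": {"type": "Public"}},  # no VNet, no CMK, no logs
}

if __name__ == "__main__":
    effects = {"zone-aligned": "Audit", "virtual-network": "Deny",
               "customer-managed-key": "Audit"}
    for cg in (COMPLIANT, NONCOMPLIANT):
        print(cg["name"], evaluate(cg, effects))
    fixed, changed = append_log_analytics(NONCOMPLIANT, "ws-id", "ws-key")
    print("appended:", changed, fixed["properties"]["diagnostics"])
```

The script only models effects that act on the incoming request (Audit, Deny, Append). The DeployIfNotExists and AuditIfNotExists effects of the logging policies run after the resource exists and create a separate diagnostic-setting resource, so a local pre-check cannot stand in for them; assign those policies and review compliance results in Azure Policy.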
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.