WEBVTT 0:00:03.500000 --> 0:00:08.680000 In this video, we're going to take a look at resource policies and initiatives 0:00:08.680000 --> 0:00:13.920000 in action. And we're going to look really just at demos. 0:00:13.920000 --> 0:00:17.460000 So the demos that we have, we're going to take a look at defining the 0:00:17.460000 --> 0:00:20.980000 policy. Also look at assigning a policy. 0:00:20.980000 --> 0:00:24.740000 Then we'll take a look at defining initiative and finally assigning an 0:00:24.740000 --> 0:00:29.900000 initiative. And I will say that if you are not familiar with these concepts, 0:00:29.900000 --> 0:00:33.360000 then it's definitely something that you're probably going to want to take 0:00:33.360000 --> 0:00:35.660000 a look at other videos so you get the basic concept. 0:00:35.660000 --> 0:00:37.800000 We're assuming that you have that concept here. 0:00:37.800000 --> 0:00:42.640000 And with that, let's go ahead and let's dive right into this. 0:00:42.640000 --> 0:00:52.400000 All right. My idea is that I want to create a new policy that is going 0:00:52.400000 --> 0:00:58.100000 to really be almost like a detailed role, but doing things I can't do 0:00:58.100000 --> 0:01:03.080000 with a role. And what I want to do is have a policy that would allow someone 0:01:03.080000 --> 0:01:07.900000 in a particular resource group to provision not only virtual machines, 0:01:07.900000 --> 0:01:10.920000 but also the other resources required. 0:01:10.920000 --> 0:01:14.240000 So things like a virtual network. 0:01:14.240000 --> 0:01:19.160000 And really just restrict that resource group or any resource group that 0:01:19.160000 --> 0:01:23.180000 this policy has applied to only being able to have those resources. 0:01:23.180000 --> 0:01:29.480000 But in addition to that, I also want to be able to restrict the specific 0:01:29.480000 --> 0:01:36.560000 types of virtual machines, sizes of virtual machines that can be created. 0:01:36.560000 --> 0:01:41.200000 Now for this, I've already created the policy file. 0:01:41.200000 --> 0:01:44.420000 Now the way I created this policy file is actually this one I created 0:01:44.420000 --> 0:01:48.760000 from scratch, but I've got a certain template that I typically use. 0:01:48.760000 --> 0:01:51.120000 And I'm going to show that to you. 0:01:51.120000 --> 0:01:54.860000 OK. And I'm going to show that to you once I stop flipping around. 0:01:54.860000 --> 0:01:58.560000 There we go. Let's go ahead and just pull up. 0:01:58.560000 --> 0:02:01.060000 Oh, it doesn't want to. 0:02:01.060000 --> 0:02:02.580000 Oh, that's because. 0:02:02.580000 --> 0:02:09.620000 There we go. There we go. 0:02:09.620000 --> 0:02:11.920000 Custom policy. Took me a little bit, but I got there. 0:02:11.920000 --> 0:02:14.540000 All right. We are going to pull that up. 0:02:14.540000 --> 0:02:17.300000 And this is a policy definition. 0:02:17.300000 --> 0:02:20.820000 Now I am going to go ahead and start out kind of looking at the highest 0:02:20.820000 --> 0:02:23.160000 level. This is just a JSON file. 0:02:23.160000 --> 0:02:25.260000 It's got the two key elements of JSON file. 0:02:25.260000 --> 0:02:27.420000 It's got the if and the then. 0:02:27.420000 --> 0:02:33.620000 And the two key elements, I should say, of a policy, the if and the then. 0:02:33.620000 --> 0:02:36.720000 All right. And then within the if, this is where if you haven't done this, 0:02:36.720000 --> 0:02:38.360000 it can get a little bit complex. 0:02:38.360000 --> 0:02:42.780000 And what I do is I really have a template that I use for any custom policy. 0:02:42.780000 --> 0:02:45.140000 And then I'll take that template and I'll kind of modify it because it 0:02:45.140000 --> 0:02:48.280000 has things set up pretty much the way that I want. 0:02:48.280000 --> 0:02:52.120000 And what you'll notice is under the if I've got this any of conditions. 0:02:52.120000 --> 0:02:57.200000 So that means if any of the following conditions apply, then it's going 0:02:57.200000 --> 0:02:58.740000 to trigger this policy. 0:02:58.740000 --> 0:03:01.500000 And the first condition I have is a not. 0:03:01.500000 --> 0:03:04.300000 So I have not field type. 0:03:04.300000 --> 0:03:09.620000 So if the field is not, if the type is not one of these. 0:03:09.620000 --> 0:03:14.220000 So virtual machines, disks, virtual networks, public IPs, network interfaces, 0:03:14.220000 --> 0:03:15.840000 or network security groups. 0:03:15.840000 --> 0:03:17.820000 Then it's going to trigger. 0:03:17.820000 --> 0:03:22.860000 Also, I've got all of type virtual machines. 0:03:22.860000 --> 0:03:26.700000 If the virtual machine skew name. 0:03:26.700000 --> 0:03:34.920000 So if this is a virtual machine and the skew name is not in standard D2, 0:03:34.920000 --> 0:03:41.820000 V3, D4, SV3, or D2, SV3, then it's going to trigger the action. 0:03:41.820000 --> 0:03:45.860000 And in this case, the action is to deny. 0:03:45.860000 --> 0:03:49.500000 So again, the logic's a little bit almost backwards when you really think 0:03:49.500000 --> 0:03:55.980000 about it. What I'm really saying is I want to allow these resources and 0:03:55.980000 --> 0:04:02.500000 these virtual machine sizes wherever this policy is generated. 0:04:02.500000 --> 0:04:06.360000 But I kind of have to go a little bit backwards to get there. 0:04:06.360000 --> 0:04:09.060000 So that is a policy definition file. 0:04:09.060000 --> 0:04:13.140000 Notice the only thing that is specified within the policy definition is 0:04:13.140000 --> 0:04:14.760000 the actual rule, the if then. 0:04:14.760000 --> 0:04:17.140000 There are other elements of the policy definition. 0:04:17.140000 --> 0:04:21.680000 They are defined when you provision the policy definition itself. 0:04:21.680000 --> 0:04:30.560000 So I'm going to go ahead and create a new AZ policy definition. 0:04:30.560000 --> 0:04:39.180000 And I'm going to give it a name and the name is going to be VM policy. 0:04:39.180000 --> 0:04:46.240000 And the display name, going to be very cleverly VM policy. 0:04:46.240000 --> 0:04:51.760000 Should have a better display name than that, by the way. 0:04:51.760000 --> 0:04:58.880000 Or at least a better description, although for the sake of you not having 0:04:58.880000 --> 0:05:04.260000 to sit here watching me do this, VM policy and then the actual policy. 0:05:04.260000 --> 0:05:07.180000 But I'm not going to put the policy in there yet. 0:05:07.180000 --> 0:05:10.760000 I'm going to go and put the mode. 0:05:10.760000 --> 0:05:19.300000 And the mode will set to all the policy. 0:05:19.300000 --> 0:05:22.240000 It's set to be custom policy. 0:05:22.240000 --> 0:05:25.460000 Should be good. And there we go. 0:05:25.460000 --> 0:05:32.780000 Now I didn't specify the resource or the subscription ID, nor did I specify 0:05:32.780000 --> 0:05:41.860000 a management group ID, so just put it in my default connected subscription. 0:05:41.860000 --> 0:05:43.600000 Now I need to assign it. 0:05:43.600000 --> 0:05:48.280000 And I could do that from the command line, but let's go ahead and let's 0:05:48.280000 --> 0:05:49.560000 do this from a resource group. 0:05:49.560000 --> 0:05:52.100000 I'm going to create a new resource group. 0:05:52.100000 --> 0:05:55.840000 I'm going to do this from a resource group. 0:05:55.840000 --> 0:05:58.300000 In a resource group from the portal. 0:05:58.300000 --> 0:06:06.980000 I'm going to go and create policy. 0:06:06.980000 --> 0:06:10.060000 It's in East US. 0:06:10.060000 --> 0:06:16.700000 And create my resource group, which thankfully happens very quickly. 0:06:16.700000 --> 0:06:21.980000 Now what I want to do is I want to apply that policy. 0:06:21.980000 --> 0:06:27.800000 So I'm going to go into policy and I'm going to assign policy. 0:06:27.800000 --> 0:06:33.860000 Now the scope, that's going to be my resource group. 0:06:33.860000 --> 0:06:36.100000 I'm not going to have any exclusions. 0:06:36.100000 --> 0:06:38.900000 I do need a policy definition. 0:06:38.900000 --> 0:06:45.280000 So we're going to go over here and look at custom and I only have two 0:06:45.280000 --> 0:06:48.660000 custom. There's my VM policy. 0:06:48.660000 --> 0:07:00.380000 Let's select that and actually put in a description here. 0:07:00.380000 --> 0:07:05.960000 It should be related resources. 0:07:05.960000 --> 0:07:13.280000 VMs with specific sizes. 0:07:13.280000 --> 0:07:16.060000 There we go. And I'm going to enable that. 0:07:16.060000 --> 0:07:21.880000 So we'll go ahead and review and create and create. 0:07:21.880000 --> 0:07:26.160000 So now I've got the policy assignment and it pulls up and shows me all 0:07:26.160000 --> 0:07:28.240000 the policy assignments that are here. 0:07:28.240000 --> 0:07:36.780000 VM policy. And what I'm going to do is I am going to go ahead now and 0:07:36.780000 --> 0:07:38.380000 try to add a virtual machine. 0:07:38.380000 --> 0:07:41.380000 I'll just add a Ubuntu server. 0:07:41.380000 --> 0:07:48.000000 Create. Virtual machine name. 0:07:48.000000 --> 0:07:54.800000 Ubuntu. I always type Ubuntu for some reason. 0:07:54.800000 --> 0:07:56.780000 I'm not sure why I do that. 0:07:56.780000 --> 0:08:05.620000 Ubuntu VM. Put this in the east. 0:08:05.620000 --> 0:08:09.180000 Right now, size is D2S V3. 0:08:09.180000 --> 0:08:14.520000 It should be on my list of accepted sizes. 0:08:14.520000 --> 0:08:32.420000 All right. And then I'm going to go to just review and create. 0:08:32.420000 --> 0:08:37.820000 All right. Now this says that my validation passed. 0:08:37.820000 --> 0:08:41.880000 Now this actually should fail. 0:08:41.880000 --> 0:08:44.780000 This validation pass is not always perfect. 0:08:44.780000 --> 0:08:48.860000 And the reason why you should fail is because my diagnosis storage accounts 0:08:48.860000 --> 0:08:51.020000 is going to try and create a new one. 0:08:51.020000 --> 0:08:55.920000 And you can't create a storage account in this resource group based on 0:08:55.920000 --> 0:08:58.380000 that policy. Now I'm going to fix that. 0:08:58.380000 --> 0:08:59.720000 I'm going to show you. 0:08:59.720000 --> 0:09:01.820000 Oh, that was a shame. 0:09:01.820000 --> 0:09:02.800000 Went too far back. 0:09:02.800000 --> 0:09:04.860000 Now we're going to have to go and do this whole thing again. 0:09:04.860000 --> 0:09:06.400000 Sorry about that. 0:09:06.400000 --> 0:09:12.680000 Ubuntu. Dash VM. 0:09:12.680000 --> 0:09:22.340000 And this time, I'm going to set it to a different size. 0:09:22.340000 --> 0:09:27.680000 Set up here to also a D8S V3. 0:09:27.680000 --> 0:09:45.940000 And password. There we go. 0:09:45.940000 --> 0:09:51.340000 All right. Now I'm going to go ahead and go directly to the view and create 0:09:51.340000 --> 0:09:53.740000 again, review and create. 0:09:53.740000 --> 0:09:58.480000 All right. Now again, this is saying that the validation passed. 0:09:58.480000 --> 0:10:02.300000 And I'm going to go ahead and try to create this now. 0:10:02.300000 --> 0:10:20.020000 All right. And you can go in and get the details of that policy. 0:10:20.020000 --> 0:10:24.660000 Now what I'm going to do is go ahead and quickly deploy a resource that's 0:10:24.660000 --> 0:10:27.700000 going to work. All right. 0:10:27.700000 --> 0:10:31.560000 So we'll put it back to our policy. 0:10:31.560000 --> 0:10:39.640000 Give it a name, location. 0:10:39.640000 --> 0:10:49.560000 I'm going to leave it the D2S V3. 0:10:49.560000 --> 0:10:54.980000 And I am going to go this time to management. 0:10:54.980000 --> 0:10:57.320000 And I'm going to turn off boot diagnostics. 0:10:57.320000 --> 0:11:01.360000 That way I don't need a storage account. 0:11:01.360000 --> 0:11:04.500000 And I'm not saying it's a great idea to turn off boot diagnostics. 0:11:04.500000 --> 0:11:08.480000 I'm just saying I've run this demo before and I know that if I try to 0:11:08.480000 --> 0:11:10.060000 create the storage account, it fails. 0:11:10.060000 --> 0:11:12.780000 All right. Now I'm going to go ahead and hit create. 0:11:12.780000 --> 0:11:15.200000 And when this is done, when this is done, it should work. 0:11:15.200000 --> 0:11:17.760000 We'll come back out and make sure that it did. 0:11:17.760000 --> 0:11:29.840000 All right. That worked. 0:11:29.840000 --> 0:11:30.900000 And I can go to the resource. 0:11:30.900000 --> 0:11:33.080000 You can see that the deployment is complete. 0:11:33.080000 --> 0:11:36.540000 But just to make sure you trust me, there's my Ubuntu to VM. 0:11:36.540000 --> 0:11:41.360000 And it has deployed into my resource group. 0:11:41.360000 --> 0:11:45.320000 Now the next thing that I'm going to do is I'm really going to do have 0:11:45.320000 --> 0:11:46.320000 the same end result. 0:11:46.320000 --> 0:11:48.300000 But I'm going to go about it in a different way. 0:11:48.300000 --> 0:11:52.700000 I am going to create a new initiative. 0:11:52.700000 --> 0:11:57.540000 And to do that, I'm actually going to go to the policy blade. 0:11:57.540000 --> 0:11:59.700000 And this, of course, can be done from the command line as well. 0:11:59.700000 --> 0:12:06.220000 All right. Here I've got policies that really is kind of interesting. 0:12:06.220000 --> 0:12:09.740000 I've got policies that have been created. 0:12:09.740000 --> 0:12:11.020000 I can view the policies. 0:12:11.020000 --> 0:12:14.080000 I can view the assignments of them. 0:12:14.080000 --> 0:12:22.020000 I can see how much they've been adhered to or how compliance is, et cetera. 0:12:22.020000 --> 0:12:25.520000 All right. I can also click over here to definitions. 0:12:25.520000 --> 0:12:32.060000 And I can see the definitions of all of the policies, although most of 0:12:32.060000 --> 0:12:35.520000 what I see here are actually initiatives. 0:12:35.520000 --> 0:12:37.900000 I don't know. Most is probably not the right way to put it. 0:12:37.900000 --> 0:12:41.820000 But a lot of initiatives and a lot of policies. 0:12:41.820000 --> 0:12:45.100000 And by the way, I can go view custom policies. 0:12:45.100000 --> 0:12:47.100000 There's my custom policies. 0:12:47.100000 --> 0:12:48.440000 But I don't want to view custom. 0:12:48.440000 --> 0:12:49.500000 I want all types. 0:12:49.500000 --> 0:12:54.600000 Now, what I want to do is rather than creating a policy that really does 0:12:54.600000 --> 0:13:00.980000 two different things, it controls the types of resources that can be generated 0:13:00.980000 --> 0:13:05.540000 or provisioned as well as the size of the virtual machines. 0:13:05.540000 --> 0:13:08.600000 As it turns out, I happen to know that there are policy definitions that 0:13:08.600000 --> 0:13:10.540000 do each one of those individually. 0:13:10.540000 --> 0:13:15.920000 What I want to do is create an initiative that combines both and actually 0:13:15.920000 --> 0:13:19.160000 gives me some flexibility in the way that it's applied through the use 0:13:19.160000 --> 0:13:22.560000 of parameters. So I'm going to go ahead and do this. 0:13:22.560000 --> 0:13:24.100000 And I'm going to do it graphically. 0:13:24.100000 --> 0:13:28.040000 I'm going to create a definition and I'm going to put that definition 0:13:28.040000 --> 0:13:36.780000 into my demonstrations. 0:13:36.780000 --> 0:13:41.260000 Select that. I'm going to give this a name. 0:13:41.260000 --> 0:13:56.140000 And this is going to be VM restrictions, initiative. 0:13:56.140000 --> 0:14:11.980000 Allow specific sizes for VMs and restrict to VMs and related resources. 0:14:11.980000 --> 0:14:14.500000 That you wish I had copied that and pasted it. 0:14:14.500000 --> 0:14:18.800000 Now, I can put this in a category and you can create your own category. 0:14:18.800000 --> 0:14:22.440000 This doesn't do anything other than you see quite a number of these and 0:14:22.440000 --> 0:14:28.400000 it makes it a little bit easier to manage than any policies. 0:14:28.400000 --> 0:14:32.600000 Now, I'm going to go and add the definitions. 0:14:32.600000 --> 0:14:38.520000 And what I want to do is I want to type in the word type. 0:14:38.520000 --> 0:14:43.440000 And I have these different definitions that are available. 0:14:43.440000 --> 0:14:45.260000 This is a built in, a load resource type. 0:14:45.260000 --> 0:14:46.640000 That sounds perfect. 0:14:46.640000 --> 0:14:48.260000 I'm going to add that. 0:14:48.260000 --> 0:14:54.440000 I also want to be able to restrict size, but I don't restrict size. 0:14:54.440000 --> 0:15:01.980000 I restrict SKU. Usually if it's actually spelled correctly. 0:15:01.980000 --> 0:15:06.020000 There we go. And I've got a loud storage account SKUs, a loud virtual 0:15:06.020000 --> 0:15:10.220000 machine SKUs, and VPN8 Gateway should not use the basic SKU. 0:15:10.220000 --> 0:15:13.640000 But I want a loud virtual machine SKUs. 0:15:13.640000 --> 0:15:16.480000 And this is now my initiative. 0:15:16.480000 --> 0:15:21.620000 I have an initiative that is a combination of two different policies. 0:15:21.620000 --> 0:15:26.300000 One to restrict type and the other to restrict SKU. 0:15:26.300000 --> 0:15:32.000000 And what I can do is I've got a loud resource types. 0:15:32.000000 --> 0:15:35.700000 That is a parameter from the, well, a loud resource types. 0:15:35.700000 --> 0:15:39.420000 And I have the choice of either setting the value or using an initiative 0:15:39.420000 --> 0:15:49.220000 parameter. I'm going to set the value and I am going to select specific, 0:15:49.220000 --> 0:15:56.360000 it's going to let me, there we go. 0:15:56.360000 --> 0:16:03.800000 And Microsoft Compute, oh, I actually need to say virtual machines. 0:16:03.800000 --> 0:16:09.840000 I'm Microsoft Compute. 0:16:09.840000 --> 0:16:12.860000 And select virtual machines. 0:16:12.860000 --> 0:16:16.720000 And in addition to virtual machines. 0:16:16.720000 --> 0:16:19.860000 Also, if you look up here, these are what? 0:16:19.860000 --> 0:16:21.940000 Microsoft.networking. 0:16:21.940000 --> 0:16:27.880000 And I want within that, of course, virtual network. 0:16:27.880000 --> 0:16:30.780000 Somewhere down here. 0:16:30.780000 --> 0:16:36.400000 There we go. Virtual networks and subnets. 0:16:36.400000 --> 0:16:39.460000 Right. I'm not going to do all of these because this is going to just 0:16:39.460000 --> 0:16:41.460000 take forever, but you get the idea. 0:16:41.460000 --> 0:16:45.440000 And then I can go and find managed disks and public IP addresses and everything 0:16:45.440000 --> 0:16:46.780000 else that I need. 0:16:46.780000 --> 0:16:48.880000 We'll just select those three. 0:16:48.880000 --> 0:16:52.880000 Then I've got a loud virtual machine SKUs. 0:16:52.880000 --> 0:16:54.860000 What are the allowed SKUs? 0:16:54.860000 --> 0:17:00.680000 I can set the value or I can use an initiative parameter. 0:17:00.680000 --> 0:17:03.480000 And this is going to be the allowed SKUs. 0:17:03.480000 --> 0:17:07.660000 And what I can do is I can actually pull that down a bit. 0:17:07.660000 --> 0:17:11.840000 So I can say, okay, I only want certain SKUs to be selectable. 0:17:11.840000 --> 0:17:21.520000 And let's say choose any one of these when you apply the initiative. 0:17:21.520000 --> 0:17:24.540000 Remember, this is not, that's plenty. 0:17:24.540000 --> 0:17:25.480000 It's kind of random. 0:17:25.480000 --> 0:17:30.680000 This is not setting which ones are going to be actually managed or allowed 0:17:30.680000 --> 0:17:33.160000 by this initiative when it's applied. 0:17:33.160000 --> 0:17:36.880000 These are just the ones that are going to be available when somebody applies 0:17:36.880000 --> 0:17:38.740000 the initiative, which can be a little bit confusing. 0:17:38.740000 --> 0:17:40.060000 So I'm going to show you that. 0:17:40.060000 --> 0:17:41.580000 I'm going to go ahead and save this. 0:17:41.580000 --> 0:17:44.200000 Now, I will tell you, I cheated a little bit there. 0:17:44.200000 --> 0:17:47.020000 I didn't put in everything because it just takes a while to go through 0:17:47.020000 --> 0:17:49.740000 that list and pick the appropriate items. 0:17:49.740000 --> 0:17:52.880000 So I'm going to apply it, but then it would be very difficult to actually 0:17:52.880000 --> 0:17:54.600000 create something. 0:17:54.600000 --> 0:17:57.360000 Well, actually I can create a virtual network, but I can't create a virtual 0:17:57.360000 --> 0:17:59.460000 machine because I didn't give everything. 0:17:59.460000 --> 0:18:03.440000 I didn't allow everything that would be required for a virtual machine. 0:18:03.440000 --> 0:18:08.060000 So let's go in and let's create a new resource group. 0:18:08.060000 --> 0:18:18.740000 Five oh nine initiative. 0:18:18.740000 --> 0:18:26.960000 Create that. Go to that. 0:18:26.960000 --> 0:18:30.980000 And then I'm going to go down to policies. 0:18:30.980000 --> 0:18:37.460000 And I am going to this time assign an initiative. 0:18:37.460000 --> 0:18:39.780000 I've got the scope. 0:18:39.780000 --> 0:18:42.800000 Initiative definition. 0:18:42.800000 --> 0:18:52.180000 VM restrictions initiative. 0:18:52.180000 --> 0:18:54.020000 Not going to give it a description this time. 0:18:54.020000 --> 0:18:55.740000 I'm just going to get this done. 0:18:55.740000 --> 0:18:59.900000 Assignment name, VM description. 0:18:59.900000 --> 0:19:00.920000 Oh, not going to just hit it. 0:19:00.920000 --> 0:19:02.320000 I need parameters. 0:19:02.320000 --> 0:19:08.740000 Now I have parameters here because I love these are all of the possible 0:19:08.740000 --> 0:19:14.120000 sizes. And I would go and pick the ones that I want to allow. 0:19:14.120000 --> 0:19:17.840000 Just kind of a random smattering of those. 0:19:17.840000 --> 0:19:23.980000 Then I can take quick remediation in order to remediate you would have 0:19:23.980000 --> 0:19:27.460000 a managed identity and many other things which we're not going to do. 0:19:27.460000 --> 0:19:33.180000 I'll go ahead and create the assignment. 0:19:33.180000 --> 0:19:34.280000 And there we go. 0:19:34.280000 --> 0:19:40.740000 That initiative has now been assigned to this resource group. 0:19:40.740000 --> 0:19:43.480000 And go back to the resource group. 0:19:43.480000 --> 0:19:47.660000 If I try and add something that is not on the list. 0:19:47.660000 --> 0:19:49.540000 So let's say for example. 0:19:49.540000 --> 0:19:53.640000 Storage account. 0:19:53.640000 --> 0:19:59.080000 And create that. 0:19:59.080000 --> 0:20:08.440000 And review and create. 0:20:08.440000 --> 0:20:11.500000 When I try to create that it's going to look like it's going to create 0:20:11.500000 --> 0:20:14.040000 and it's going to fail. 0:20:14.040000 --> 0:20:25.040000 Alright, as you can see as one would expect that failed because it was 0:20:25.040000 --> 0:20:27.660000 disallowed by the policy. 0:20:27.660000 --> 0:20:32.120000 Now if I try to create another resource that happens to be there for example 0:20:32.120000 --> 0:20:36.840000 a virtual network which was allowed through the initiative. 0:20:36.840000 --> 0:20:41.600000 Create a virtual network. 0:20:41.600000 --> 0:20:46.680000 And put that in policy. 0:20:46.680000 --> 0:20:53.940000 Give it a name of. 0:20:53.940000 --> 0:20:56.680000 A terrible name but that's okay. 0:20:56.680000 --> 0:21:00.100000 And just take everything else and just create this. 0:21:00.100000 --> 0:21:12.340000 That virtual network once it's done should create successfully. 0:21:12.340000 --> 0:21:21.460000 Alright, and here's as though my network did in fact provision. 0:21:21.460000 --> 0:21:23.740000 Alright, and that's really pretty much it. 0:21:23.740000 --> 0:21:27.620000 It can get complicated when you're working with your own policies and 0:21:27.620000 --> 0:21:28.520000 your own initiatives. 0:21:28.520000 --> 0:21:33.400000 Not because the basic concept of a policy is complex or the basic concept 0:21:33.400000 --> 0:21:35.320000 of an initiative is complex. 0:21:35.320000 --> 0:21:40.560000 But trying to figure out what exactly you want to do in that and trying 0:21:40.560000 --> 0:21:46.340000 to understand the actual syntax of the policy rule can be a little bit 0:21:46.340000 --> 0:21:50.000000 complicated. So if you're going to build your own custom policies I recommend 0:21:50.000000 --> 0:21:58.500000 that you're going to have to experiment a little bit. 0:21:58.500000 --> 0:21:58.760000 And then you're going to have to do a little bit of a little bit of a 0:21:58.760000 --> 0:21:58.760000 little bit of a little bit of a problem. 0:21:58.760000 --> 0:22:02.620000 So if you're going to have a policy with parameters or you could just 0:22:02.620000 --> 0:22:05.780000 make it a template that you use to generate new policies. 0:22:05.780000 --> 0:22:10.340000 Also consider using initiatives and particularly look to see if you can 0:22:10.340000 --> 0:22:15.180000 take an initiative that combines the elements that you're looking for 0:22:15.180000 --> 0:22:18.240000 it. And that's really where we look at these built in initiatives and 0:22:18.240000 --> 0:22:24.040000 built in policies I should say that have the really core elements. 0:22:24.040000 --> 0:22:28.120000 So in the example I used one initiative that allowed me to restrict the 0:22:28.120000 --> 0:22:33.880000 types of resources that could be created in my one policy that did that. 0:22:33.880000 --> 0:22:38.300000 I had another policy that restricted the sizes or the skews of my VM. 0:22:38.300000 --> 0:22:42.980000 Those existed and it was much easier to put those together into an initiative 0:22:42.980000 --> 0:22:47.900000 than to try to build from scratch a custom policy that would do all of