Azure Policy  is a service in Azure that used to create, assign and, manage policy definitions. Policy definitions enforce different rules and actions over resources, so those resources stay compliant with corporate standards and service level agreements. Azure Policy runs an evaluation of resources, scanning for those not compliant with the policy definitions. 

To maintain environmental governance Policy definitions were created to ensure that Azure resources have the following:

  • Resource Billing Tags
  • Resource Description Tags
  • Resource LifeTime Tags
  • VM Schedule Tags

While it is a best-practice to implement – you need to be ready to deal with some unexpected issues as a result of such implementation.

In my case we had a policy that was enforcing requirement for the Resource Groups to have a certain set of Tags.

Unexpected Issue

After Policies has been implemented – we have encouraged an unexpected issues with Azure Backup. It took a little bit of efforts to connect one and the other, as issue wasn’t impacting all backups, but only those that have been just configured in another regions.

Once we have tried to trigger the backup – it failed with the following error:

Issue Description
An invalid policy is configured on the VM which is preventing Snapshot operation.
Required Action(s)
Please correct the policy and retry the operation. 

Flowing ” Click here for more info” – wasn’t as helpful as you may expect.

Activity Log was really helpful. I have noticed that there is an error with “Backup Management Service” listed as a “caller”.

Looking into details – I have notice that “Backup Management Service” is trying to create a Resource Group.

It turned out that Azure Backup uses a pre-defined Resource Group to temporary store snapshots generated as part of the backup.

Such groups named as ” AzureBackupRG_%region%_%index%”, which in my case was: AzureBackupRG_brazilsouth_1

Group creation was failing as “Backup Management Service”, obviously, didn’t provide any expected tags.

Solution

To address the issue – I have manually created that missing Resource Group.

As I had already have some Resource Groups in that region with properly populated tags – I have done it with the following PowerShell code:

Select-AzSubscription MySubscriptionName
$existingRG = Get-AzResourceGroup -Name NameOfTheExistingResourceGroup
New-AzResourceGroup -Name AzureBackupRG_brazilsouth_1 -Location 'Brazil South' -Tags $existingRG.Tags

Once completed – backups did run as expected.