
Resource 'myresource' was disallowed by policy. Policy: 'Allowed locations'. Reason: 'The resource location 'eastus2' is not allowed. Allowed locations: ['westus', 'westeurope']

ID: policy/azure-policy-resource-location-not-allowed

Fix Rate: 90%
Confidence: 88%
Evidence: 1
First Seen: 2023-11-20

Version Compatibility

| Version | Status | Introduced | Deprecated | Notes |
| --- | --- | --- | --- | --- |
| Azure CLI 2.57.0 | active | | | |
| Azure PowerShell 11.0.0 | active | | | |
| Terraform azurerm 3.100.0 | active | | | |

Root Cause

Azure Policy 'Allowed locations' restricts resource creation to specific regions; the requested location is not in the allowlist.

Official Documentation

https://learn.microsoft.com/en-us/azure/governance/policy/samples/allowed-locations

Workarounds

  1. Deploy the resource in an allowed location, e.g., change the location from 'eastus2' to 'westus' in the ARM template: `"location": "westus"` (95% success)
  2. Request an exemption for the resource from the policy administrator via the Azure Policy Portal. (50% success)
  3. Update the policy assignment to include the desired location using Azure CLI: `az policy assignment update --name 'allowed-locations' --scope '/subscriptions/...' --params '{"listOfAllowedLocations": {"value": ["westus", "westeurope", "eastus2"]}}'` (85% success)

Dead Ends

Common approaches that don't work:

  1. Retrying the deployment in the same disallowed region with different resource names (100% fail)

    The policy is location-based, not name-based; the region itself is blocked regardless of resource name.

  2. Adding the resource to an existing resource group in the allowed region but specifying the disallowed location in the template (80% fail)

    The location is evaluated per resource, not per resource group; the template location must match the allowed list.

  3. Creating a new subscription to bypass the policy (60% fail)

    Azure Policies can be assigned at management group level, affecting all subscriptions under it; a new subscription may still inherit the policy.
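
A pre-deployment check for Workaround 1 and Dead End 2, added here as an example (not code from the original page or from Azure tooling): it walks an ARM template and reports every resource whose own `location` is outside the allowlist, whatever region the resource group is in. The template, the `check`/`resolve`/`norm` helpers and the case-insensitive comparison are assumptions; only literal values, `[resourceGroup().location]` and `[parameters('...')]` are resolved, and anything else is reported as unresolved.

```python
import json

# Allowlist taken from the error message on this page.
ALLOWED = ["westus", "westeurope"]
# Constructed ARM template for the demo (not from the page).
TEMPLATE = json.loads("""
{
  "parameters": {"location": {"type": "string", "defaultValue": "[resourceGroup().location]"}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgood", "location": "[parameters('location')]"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vmbad", "location": "eastus2",
     "resources": [{"type": "extensions", "name": "ext", "location": "WestUS"}]},
    {"type": "Microsoft.Web/sites", "name": "siteunknown", "location": "[variables('loc')]"}
  ]
}
""")

def norm(loc):
    # Assumption: compare region names case-insensitively, ignoring spaces.
    return loc.replace(" ", "").lower()

def resolve(expr, template, params, rg_location):
    """Resolve a location value; None means this sketch cannot evaluate it."""
    expr = expr.strip()
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr                      # literal region name
    inner = expr[1:-1].strip()
    if inner == "resourceGroup().location":
        return rg_location               # None if the caller did not supply it
    if inner.startswith("parameters('") and inner.endswith("')"):
        name = inner[len("parameters('"):-2]
        default = template.get("parameters", {}).get(name, {}).get("defaultValue")
        value = params.get(name, default)  # explicit parameter wins over default
        return resolve(value, template, params, rg_location) if isinstance(value, str) else None
    return None                          # variables(), concat(), ... not handled

def check(template, allowed, params=None, rg_location=None):
    """Return [(name, location, status)] for resources not provably allowed."""
    allowed_set, findings = {norm(a) for a in allowed}, []
    def walk(resources):
        for res in resources:
            if "location" in res:        # evaluated per resource, not per group
                loc = resolve(res["location"], template, params or {}, rg_location)
                if loc is None:
                    findings.append((res["name"], res["location"], "unresolved"))
                elif norm(loc) not in allowed_set:
                    findings.append((res["name"], loc, "disallowed"))
            walk(res.get("resources", []))  # nested child resources
    walk(template.get("resources", []))
    return findings
```

Calling `check(TEMPLATE, ALLOWED, rg_location="westus")` still flags `vmbad`, because the hard-coded `eastus2` is evaluated on the resource itself even though the resource group is in an allowed region.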