Merge pull request #311707 from svaldesgzz/aezupdates

new article and updates on overview and TOC

Author: JamesJBarnett

articles/extended-zones/TOC.yml

@@ -35,6 +35,8 @@
     href: request-quota-increase.md
   - name: Purchase reservations and savings plans
     href: purchase-reservations-savings-plans.md
+  - name: Create a custom Azure Policy in an Extended Zone
+    href: create-azure-policy.md
 - name: Arc-enabled PaaS workloads in Extended Zones
   items:
   - name: Create Arc-Enabled AKS Clusters in Extended Zones

articles/extended-zones/create-azure-policy.md

@@ -0,0 +1,119 @@
+---
+title: Deploy a Custom Azure Policy in an Azure Extended Zone
+description: Learn how to deploy a custom Azure Policy in an Azure Extended Zone.
+author: svaldesgzz
+ms.author: svaldes
+ms.service: azure-extended-zones
+ms.topic: how-to
+ms.date: 02/12/2026
+---
+
+# Create a custom Azure Policy in an Azure Extended Zone
+
+In this article, you learn how to create and deploy a custom Azure Policy in an Extended Zone.
+> [!NOTE]
+> Built-in Azure Policy definitions aren't supported in Extended Zones yet, but Azure Policy does support Azure Extended Zones as part of allow/deny custom policies. Thus, to enforce governance in Extended Zones you must create and deploy custom Azure Policy definitions that are tailored to the unique characteristics of these zones, namely ***extendedLocation***, ***extendedLocation.name***, and ***extendedLocation.type***. You may find it helpful to use built-in policy definitions as a reference when creating your custom policies. 
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
+
+- Access to an Extended Zone. For more information, see [Request access to an Azure Extended Zone](request-access.md).
+
+- Basic understanding of Azure Policy. For more information, see [What is Azure Policy?](/azure/governance/policy/overview). 
+
+## Sign in to Azure
+
+Sign in to the [Azure portal](https://portal.azure.com) with your Azure account.
+
+## Create a custom Azure Policy in an Azure Extended Zone
+
+In this section, you create a custom Azure Policy in an Extended Zone. 
+
+For this example, we created an Allowed Locations policy that restricts the locations where resources can be deployed.
+
+1. In the search box at the top of the portal, enter ***policy***. Select **Policy** from the search results.
+
+1. In **Policy**, navigate to **Authoring → Definitions**.
+
+1. Select **+ Policy definition**.
+
+1. In **Create a policy definition**, fill in the required fields. Use the following table for guidance. 
+
+**Required fields:**
+
+| Field | Guidance |
+|------|---------|
+| Definition location | Use a **management group** for enterprise-wide governance (recommended), or a **subscription** for more granular control. |
+| Name | Use a clear, intent-based name (for example, `Deny-NonApproved-Locations`). |
+| Description | Explain what the policy enforces and why. |
+| Category | Use an existing category or create one (for example, *Governance* or *Networking*). |
+
+
+5. Next, define the Policy Rule. In the **Policy rule** section, for this example, enter the following JSON code to create a policy that denies the creation of resources in locations other than an Azure Extended Zone:
+
+```json
+{
+    "mode": "Indexed",
+    "parameters": {
+        "listOfAllowedLocations": {
+            "type": "Array",
+            "metadata": {
+                "description": "The list of locations that can be specified when deploying resources.",
+                "strongType": "location",
+                "displayName": "Allowed locations"
+            }
+        }
+    },
+    "policyRule": {
+        "if": {
+            "allOf": [
+                {
+                    "field": "location",
+                    "notIn": "[parameters('listOfAllowedLocations')]"
+                },
+                {
+                    "field": "location",
+                    "notEquals": "global"
+                },
+                {
+                    "field": "extendedLocation.name",
+                    "notEquals": "losangeles"
+                },
+                {
+                    "field": "type",
+                    "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
+                }
+            ]
+        },
+        "then": {
+            "effect": "deny"
+        }
+    }
+}
+```
+In this example, replace `losangeles` with the name of the Extended Zone location you have access to. You can find the location name in the Azure portal when deploying resources in the Extended Zone, or by using Azure CLI or PowerShell.
+> [!NOTE]
+> The **extendedlocation.name** or similar Extended Zone-specific fields may be highlighted  as errors in the json editor. You may disregard this, as you can still successfully save, deploy and enforce the policy with these fields included. 
+
+6. Select **Save** to create the policy definition.
+
+
+## Policy management and monitoring
+
+You can manage and monitor your Azure Policies in the Policy home dashboard in the Azure portal.
+
+## Clean up resources
+If you're done working with resources from this tutorial, use the following steps to delete any of the policy assignments or definitions created above:
+
+1. Select **Definitions** (or **Assignments** if you're trying to delete an assignment) under **Authoring** in the left side of the Azure Policy page.
+
+1. Search for the new initiative or policy definition (or assignment) you want to remove.
+
+1. Right-click the row or select the ellipses at the end of the definition (or assignment), and select **Delete definition** (or **Delete assignment**).
+
+## Related content
+- [What is Azure Policy?](/azure/governance/policy/overview)
+- [What is Azure Extended Zones?](overview.md)
+- [Deploy a virtual machine in an Extended Zone](deploy-vm-portal.md)
+- [Frequently asked questions](faq.md)

articles/extended-zones/overview.md

@@ -47,12 +47,24 @@ The following table lists key services that are available in Azure Extended Zone
 | **Networking** | [DDoS](../ddos-protection/ddos-protection-overview.md) (Standard protection) <br> [ExpressRoute](../expressroute/expressroute-introduction.md) <br> [Private Link](../private-link/private-link-overview.md) <br> [Standard Load Balancer](../load-balancer/load-balancer-overview.md) <br> [Standard public IP](../virtual-network/ip-services/public-ip-addresses.md) <br> [Virtual Network](../virtual-network/virtual-networks-overview.md) <br> [Virtual Network Peering](../virtual-network/virtual-network-peering-overview.md) <br> Azure Firewall (API version) |
 | **Storage** | [Managed disks](/azure/virtual-machines/managed-disks-overview) <br> - Premium SSD <br> - Standard SSD <br> [Premium Page Blobs](../storage/blobs/storage-blob-pageblob-overview.md) <br> [Premium Block Blobs](../storage/blobs/storage-blob-block-blob-premium.md) <br> [Premium Files](../storage/files/storage-files-introduction.md) <br> [Data Lake Storage Gen2 Hierarchical Namespace](../storage/blobs/data-lake-storage-namespace.md) <br>Data Lake Storage Gen2 Flat Namespace <br> [Change Feed](/azure/cosmos-db/change-feed) <br> Blob Features <br> - [SFTP](../storage/blobs/secure-file-transfer-protocol-support.md) <br> - [NFS](../storage/files/files-nfs-protocol.md) |
 | **BCDR** | [Azure Site Recovery](../site-recovery/site-recovery-overview.md)* (Extended Zone to parent region) <br> [Azure Backup](../backup/backup-overview.md) |
-| **Arc-enabled PaaS** | [ContainerApps](/azure/extended-zones/arc-enabled-workloads-container-apps)* <br> [PostgreSQL](/azure/extended-zones/arc-enabled-workloads-postgre-sql)* <br> [ManagedSQL](/azure/extended-zones/arc-enabled-workloads-managed-sql)* |
-| **Billing** | [Savings Plans](/azure/extended-zones/purchase-reservations-savings-plans) <br> [Reserved Instances](/azure/extended-zones/purchase-reservations-savings-plans) (through recommendations flow) |
+| **Arc-enabled PaaS** | [ContainerApps](/azure/extended-zones/arc-enabled-workloads-container-apps)* <br> [ManagedSQL](/azure/extended-zones/arc-enabled-workloads-managed-sql)* |
+| **Other** | [Azure Policy](/azure/extended-zones/create-azure-policy)* <br> [Savings Plans](/azure/extended-zones/purchase-reservations-savings-plans) <br> [Reserved Instances](/azure/extended-zones/purchase-reservations-savings-plans) (through recommendations flow) |
 
 \* While these services are GA in Azure Regions, they are currently in Preview in Azure Extended Zones.  
 \** [Learn more about Virtual Machine family series here](/azure/virtual-machines/sizes/overview?tabs=breakdownseries%2Cgeneralsizelist%2Ccomputesizelist%2Cmemorysizelist%2Cstoragesizelist%2Cgpusizelist%2Cfpgasizelist%2Chpcsizelist). You can obtain a detailed VM list in the Azure Extended Zones environment. 
 
+## Supported Independent Software Vendors (ISVs)
+
+The following table lists the key Independent Software Vendors services that are supported in Azure Extended Zones:
+
+| Service Provider | Supported services and features |
+| ------------------ | ------------------- |
+| **Aviatrix** | Cloud Native Security Fabric (CNSF) |
+| **Check Point** | Firewall |
+| **Fortinet** | Firewall |
+| **HPE Aruba (Silverpeak)** | [Networking EdgeConnect SD-WAN](https://arubanetworking.hpe.com/techdocs/sdwan-PDFs/deployments/dg_ECV-Azure_latest.pdf) |
+
+
 ## Frequently asked questions (FAQ)
 
 To get answers to frequently asked questions about Azure Extended Zones, see [Azure Extended Zones FAQ](faq.md).