Implementing Governance for your Azure Cloud Using Azure Policy

  • Thread starter Thread starter alexeyn1
  • Start date Start date
A

alexeyn1

What is Azure Policy?​


Azure Policy is a service that allows you to create, assign, and manage policies that govern your Azure resources. Policies are rules that define the desired state and configuration of your resources, such as the location, size, tags, and properties. Policies can also audit the compliance status of your resources and report any violations.

With Azure Policy, you can ensure that your resources follow the best practices and standards that you define for your organization. You can also use Azure Policy to implement cost management, security, and regulatory compliance for your cloud environment.



How does Azure Policy work?​


Azure Policy works by evaluating your resources against the policies that you assign to them. You can assign policies at different levels of scope, such as the management group, subscription, resource group, or resource level. You can also create policy initiatives, which are collections of policies that work together to achieve a specific goal.

When you assign a policy, you can choose to apply it in audit mode or enforce mode. Audit mode will only monitor and report the compliance status of your resources, while enforce mode will prevent any non-compliant actions from taking place. For example, you can create a policy that restricts the allowed locations for your resources, and assign it in enforce mode. This will prevent any users from creating or moving resources to locations that are not allowed by the policy.

Azure Policy evaluates your resources periodically and whenever there is a change in the resource or the policy. You can view the compliance status of your resources and policies in the Azure portal, or use the Azure Policy APIs to integrate with other tools and services. You can also use Azure Policy to remediate any non-compliant resources by applying the desired configuration automatically or manually.





Why is Azure Policy useful for cloud governance?​




Azure Policy is a powerful tool for cloud governance, because it enables you to define and enforce the rules and standards that you want your resources to follow. With Azure Policy, you can:

- Achieve consistency and compliance across your cloud environment, by ensuring that your resources are configured according to your policies.

- Reduce costs and optimize resource utilization, by limiting the types and sizes of resources that can be created or used.

- Enhance security and reduce risks, by restricting access and actions that can be performed on your resources.

- Meet regulatory and legal requirements, by complying with the policies that align with the industry standards and frameworks that apply to your organization.

Azure Policy is one of the key components of the Azure governance methodology, which provides a comprehensive approach to managing your cloud resources. By using Azure Policy, along with other services such as Azure Management Groups, Azure Blueprints, and Azure Resource Graph, you can achieve effective and efficient cloud governance for your organization.



Common Azure Policies​




  • Enforce tag and its value: This policy enforces a required tag and its value to a resource group or a subscription.



alexeyn1_0-1726849410740.png





  • Allowed locations: This policy enables you to restrict the locations that your organization can specify when deploying resources.

alexeyn1_1-1726849410744.png



  • Audit VMs that do not use managed disks: This policy audits any virtual machines that are not configured with managed disks, which are the recommended disk storage offering for virtual machines in Azure.



alexeyn1_2-1726849410745.png





  • Allowed resource types: This policy enables you to specify the resource types that your organization can deploy. For example, you can allow only virtual machines and storage accounts, and deny all other resource types.



alexeyn1_3-1726849410746.png





  • Audit insecure SSL protocols: This policy audits the usage of SSL protocols that are considered insecure, such as SSLv2 and SSLv3, and recommends using TLS protocols instead.



alexeyn1_4-1726849410753.png





What if I don’t see a policy I need to define my rules? In that case you may create a custom policy.

How to create a custom Azure policy?​

  • To create a custom Azure policy, you need to define a policy definition and a policy assignment.
  • A policy definition is a JSON file that specifies the logic and effect of the policy.
  • A policy definition consists of the following elements:
    • Metadata: information about the policy, such as name, description, category, and mode.
    • Parameters: optional inputs that can be used to customize the policy.
    • Policy rule: the core logic of the policy, which defines the conditions and actions to evaluate the resources.
    • A policy assignment is the link between a policy definition and a scope, which can be a subscription, a resource group, or a resource.
    • A policy assignment can also specify parameters, exclusions, and enforcement modes for the policy.
  • To create a custom Azure policy, you can use one of the following methods:
  • Azure portal: a graphical user interface that allows you to create and manage policies.
  • Azure PowerShell: a command-line tool that allows you to create and manage policies using scripts.
  • Azure CLI: a cross-platform command-line tool that allows you to create and manage policies using commands.
  • Azure Resource Manager templates: a declarative way of defining and deploying policies using JSON files.

Example of a custom Azure policy​

  • In this example, we will create a custom Azure policy that denies the creation of public IP addresses in a resource group.
  • We will use the Azure portal to create the policy definition and the policy assignment.
  • Here are the steps to follow:
  • Sign in to the Azure portal and navigate to the Policy service.
  • Click on Definitions and then click on + Policy definition.
  • Enter a name, description, and category for the policy definition.
  • Copy and paste the following JSON code in the Policy rule section:
  • {
  • "if": {
  • "allOf": [
  • {
  • "field": "type",
  • "equals": "Microsoft.Network/publicIPAddresses"
  • },
  • {
  • "field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod",
  • "equals": "Dynamic"
  • }
  • ]
  • },
  • "then": {
  • "effect": "deny"
  • }
  • }
  • This policy rule denies the creation of public IP addresses with dynamic allocation method.
  • Click on Save to create the policy definition.
  • Click on Assignments and then click on + Assign policy.
  • Select the scope of the policy assignment, which is the resource group where you want to apply the policy.
  • Select the policy definition that you just created from the list of available policies.
  • Enter a name and description for the policy assignment.
  • Click on Review + create and then click on Create to create the policy assignment.
  • The policy is now assigned to the resource group and will evaluate any new or existing resources in that scope.
  • You can view the compliance status and details of the policy assignment in the Policy service.



Example of creating a Policy for non-compliant resources​




Below is the procedure of creating a policy for identifying non-compliance resources for auditing purposes, however in certain situations you may want to enforce Azure Policy as described in the link below

Tutorial: Build policies to enforce compliance - Azure Policy | Microsoft Learn



  1. Create a Policy assignment
  2. In the search bar, type Policy and navigate to Assignment

alexeyn1_5-1726849410757.png





  1. Select Assign Policy from the Policy Assignments pane.





alexeyn1_6-1726849410766.png







  1. Under Available Definitions, select the appropriate policy
  2. Choose the correct scope for the policy (such as subscription or resource group, as an example). You also get to decide which resources are excluded from applying the policy in the Exclusions window.

alexeyn1_7-1726849410770.png





  1. Decide whether you want to Enforce this policy (Under Policy Enforcement – leave as Enabled or if not – Disable which will still allow for compliance assessment reports which is our case for now, as we only need to know which network interfaces have public IPs assigned)
  2. d) Click Next – specify a managed identity under Remediation (not needed in our case),

move to Non-Compliant message



alexeyn1_8-1726849410773.png



  1. Complete the process by clicking Review + create > Create

alexeyn1_9-1726849410779.png





  1. View non-compliant resources



  1. In the Policy search bar type the name of the policy

alexeyn1_10-1726849410783.png





  1. Click View Compliance

alexeyn1_11-1726849410787.png



  1. Observe non-compliant resources



alexeyn1_12-1726849410792.png





Based on the requirements, you may need to enforce the policy and remediate.

Follow for more blogs where options for remediations will be covered.

Disclaimer​


The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Continue reading...
 
Back
Top