Azure Policy

A key component of cloud governance in Azure is being able to apply policies across cloud resources. In Azure, there is a service called Azure Policy that can be used to define policies and enforce them across your cloud resources. Azure Policy can be used to create, assign, manage, and apply policy definitions. Azure Policy can be set either to only evaluate and report resources that are out of compliance, or to enforce compliance by refusing resources that are out of compliance. These two modes are known as the audit effect and the deny effect.

Azure policies can be applied to Management Groups, subscriptions, or resources.

Azure Policy has been around for a while, but it has recently been revamped to make it enterprise ready. Azure Policy is in preview, but it won’t be long before it goes GA and can be used to help manage your Azure environment. There is no pricing yet while Policy is in preview.

Azure Policy is not RBAC. RBAC deals with user access and user actions, such as which users can access which resources and what they can do with them. Azure Policy deals with existing resources and with the properties of resources while they are being deployed.

In Azure Policy you have something known as definitions. Definitions are essentially compliance rules that can be assigned to Azure resources. These definitions can either just check whether items are compliant or enforce compliance. Definitions can be used to set conventions for resources, for example, all resources in a subscription should have a certain tag when created. Definitions are also used to evaluate something and take an action based on the result of the evaluation. A good example of this is that you could use a policy definition to evaluate whether virtual machines are using managed disks or not. Azure policies are used to help control costs and manage resources across your Azure subscriptions.

There are two types of definitions, called Policy and Initiative. A Policy definition is a single definition. An Initiative definition is a group of Policy definitions. Initiative definitions are used to help achieve larger compliance needs. To gain a better understanding of Initiative definitions you can look at Security Center, as it leverages Initiative definitions. Security Center has a built-in Initiative definition named [Preview]: Enable Monitoring in Azure Security Center. This built-in Initiative definition for Security Center contains 13 Policy definitions related to security, as shown in the following screenshot.

In Azure Policy there are built-in and custom definitions. The built-in definitions have been created by Microsoft and are ready to be used to help with common needs in the cloud. There are 36 built-in policy definitions today. Custom definitions are built by you. All Azure policies are JSON, so writing custom policies is similar to writing ARM templates. Templates for Azure policies can be found in the Azure Resource Policy samples repository here: https://github.com/Azure/azure-policy. You can use these samples as a starting point when building your own. Here is an example of an Azure Policy definition in JSON:

{
  "properties": {
    "displayName": "Create VM using Managed Disk",
    "description": "Create VM using Managed Disk",
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/osDisk.uri",
                "exists": true
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/VirtualMachineScaleSets"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers",
                    "exists": true
                  },
                  {
                    "field": "Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl",
                    "exists": true
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}

Azure policies are inherited by all child resources. When an Azure policy is applied to a resource group, all of the resources in that resource group will adhere to the policy that is applied.

Another key feature of Azure Policy definitions is that you can utilize parameters. Within either a Policy or an Initiative you can define a set of parameters. Values for these parameters are supplied when the definition is assigned. Utilizing parameters in your definitions means you can build a policy definition once and re-use it for different scenarios.
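The following is an added example, not one of the built-in definitions or a sample from the azure-policy repository. It shows a parameterized definition that requires a tag whose name is chosen at assignment time (tagName is an assumed parameter name), and exposes the effect itself as a parameter so the same definition can be assigned in audit mode first and switched to deny once the scope is clean:

```json
{
  "properties": {
    "displayName": "Require a tag on resources (parameterized example)",
    "description": "Reports or blocks resources that are missing the tag named by the tagName parameter.",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag every resource must carry, for example costCenter (constructed value)"
        }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "audit", "deny" ],
        "defaultValue": "audit",
        "metadata": {
          "displayName": "Effect",
          "description": "audit only records non-compliance; deny rejects the deployment"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": false
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

When assigning it, the parameter values are passed as a separate object such as `{"tagName": {"value": "costCenter"}, "effect": {"value": "deny"}}`; nothing in the definition itself needs to change between a reporting-only assignment and an enforcing one.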

After you have decided on a set of built-in policy definitions or built your own, you then need to apply these in your Azure environment. Applying policy definitions is done by assigning a definition. Definitions are assigned to a specific scope. Scopes can be a subscription, a management group, or a resource group. It is recommended to use management groups. Management groups are aligned to a subscription or a resource group. If you are not familiar with management groups, go read my blog post on them here. In the following screenshot, you can see what the configuration looks like for a definition assignment. Take note that in the scope field I am assigning it to a management group, and the management group is scoped to a subscription.

Here is where Initiative definitions have an advantage. You can group a set of policy definitions inside an Initiative definition and then assign the Initiative definition, instead of having to go and assign multiple policy definitions one at a time. Adding multiple policy definitions to an Initiative can be seen in the following screenshot.
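As an added example (not from the post or the azure-policy repository), this is what an Initiative definition looks like in JSON: it references two existing policy definitions by their IDs and passes an Initiative-level parameter down to one of them, so a single assignment covers both rules. The policy definition IDs are placeholders; a built-in definition lives under /providers/Microsoft.Authorization/policyDefinitions/, while a custom one carries the subscription (or management group) it was created in:

```json
{
  "properties": {
    "displayName": "Baseline governance initiative (example)",
    "description": "Groups a required-tag policy and the managed-disk audit policy so both are assigned to a scope in one step.",
    "parameters": {
      "requiredTagName": {
        "type": "String",
        "defaultValue": "costCenter",
        "metadata": {
          "displayName": "Tag every resource must carry (constructed default)"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<ID-OF-REQUIRE-TAG-POLICY>",
        "parameters": {
          "tagName": { "value": "[parameters('requiredTagName')]" },
          "effect": { "value": "deny" }
        }
      },
      {
        "policyDefinitionId": "/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Authorization/policyDefinitions/<ID-OF-MANAGED-DISK-POLICY>"
      }
    ]
  }
}
```

The second entry has no parameters block because the managed-disk definition shown earlier declares none; its effect stays audit as written in that definition.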

Within definition assignments, you can set exclusions. Exclusions allow you to make items exempt from a policy definition assignment. Items that can be excluded from a policy definition assignment are individual resources, resource groups, and subscriptions. You set exclusions when setting up your policy definition assignment.

After a policy or initiative definition is assigned to a scope, Azure Policy then evaluates the compliance state for all the resources in the assignment scope. This evaluation happens every 24 hours. The evaluation is also triggered to scan a new resource when one is created within a scope (management group, subscription, resource group) that has a definition assignment applied to it. Keep in mind Azure Policy is in preview, so I am sure on-demand evaluation and the ability to set the evaluation interval are coming. You can see an example of policy evaluation results in the following screenshot. This shows the non-compliant and compliant items in the Overview pane.

You can click on a definition assignment that has non-compliant resources to see what those resources are, as shown in the following screenshot.

Azure Policy is still being enhanced. It is a critical part of your Azure governance and management. Again, I highly recommend starting to use the service even while it’s in preview. I hope you enjoyed this overview of Azure Policy. A friend of mine and fellow MVP, Sam Erskine, has started a 4 part blog series focused on Azure Policy. Sam’s post can be found here: http://itprocessed.com. As a next step, I recommend checking this out for a deeper look into planning and working with Azure Policy.
