Azure governance and compliance

Sourabh Garg
3 min read · Aug 31, 2022


Azure offers several tools that help you govern Azure resources and keep them compliant with your organization's standards. This post covers three of them: Azure Blueprints, Azure Policy, and resource locks.

Azure Blueprints

Azure Blueprints lets you standardize the deployment of cloud subscriptions or environments. It lets you define a repeatable set of settings and policies that are applied as new subscriptions are created. (Microsoft has since announced that Blueprints, which never left preview, will be deprecated on July 11, 2026 in favour of template specs and deployment stacks; the concepts below still describe how it works.)

With Blueprints you can stand up a new test/dev environment with security and compliance settings already in place, which makes building and deploying new environments fast and consistent.

A blueprint definition is built from several components known as artifacts. Most artifacts take parameters that you configure when the blueprint is assigned, though a few need no configuration at all, such as the policy assignment artifact for the built-in "Deploy Threat Detection on SQL servers" policy.

Artifacts can include things such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups

Blueprint definitions are versioned: you can publish an initial configuration, make changes later, and publish the update as a new version. Versioning lets you make small, incremental updates while keeping track of which assignment used which version of the configuration.

Blueprints also preserves the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed), so a deployed environment can later be tracked and audited against the definition it came from.

Azure policy

Azure Policy is a service that lets you create, assign, and manage policies that enforce rules on your resources or audit them against those rules.

You can define individual policies or groups of related policies, known as initiatives. An initiative definition bundles several policy definitions so that compliance can be tracked against a larger goal (for example, a regulatory standard) as a whole rather than policy by policy.

Azure Policy evaluates your resources against the assigned policies and flags any that are not compliant. Evaluation happens when a resource is created or updated, when a new assignment is made, on a regular cycle (roughly every 24 hours), and on demand.

With effects such as deployIfNotExists and modify it can also remediate noncompliant resources and configurations, keeping the state of your resources in line with the policy. Note that resources that already existed before the assignment are not fixed automatically: you create a remediation task for them, and the assignment needs a managed identity with the permissions required to make the change.

Policies are assigned at a scope: a management group, a subscription, a resource group, or an individual resource. Assignments are inherited by everything below that scope, so a policy assigned to a subscription applies to every resource group and resource in it; specific child scopes can be excluded from an assignment if needed.

It comes with built-in policy and initiative definitions for storage, networking, compute, Security Center (now Microsoft Defender for Cloud), monitoring, and more. For example, if you assign a policy that allows only certain sizes for the virtual machines (VMs) in your environment, that policy is evaluated whenever a VM is created or updated: with the deny effect, a request for a size outside the allowed list is rejected by Azure Resource Manager, while with the audit effect the VM is created but shown as noncompliant.
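To make the VM-size example concrete, here is an added example that is not part of the original article. The policy rule is written in Azure Policy's real definition format (the `Microsoft.Compute/virtualMachines/sku.name` alias is a real alias for the VM size; the parameter names `allowedSizes` and `effect` are ours) and is the object you would pass to `az policy definition create --rules`. The evaluator around it is a simplified, hypothetical stand-in for Azure's engine, supporting only the operators this rule uses, and exists to show why the same rule rejects a create request under Deny but only flags the resource under Audit. The VM and storage-account resources are constructed samples, not real deployments.

```python
import json

# Policy rule in Azure Policy's definition format (constructed sample).
# Parameter names are ours; the field alias is a real Azure Policy alias.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "notIn": "[parameters('allowedSizes')]"},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}

# Simplified alias table: Azure resolves an alias to a path in the resource JSON.
ALIASES = {
    "type": ("type",),
    "location": ("location",),
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}


def resolve(value, params):
    """Expand a "[parameters('name')]" expression; pass literal values through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def field_value(resource, alias):
    """Walk the resource JSON along the alias path; None if the field is absent."""
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(condition, resource, params):
    """Evaluate a rule's 'if' block (subset of the real operator set)."""
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    actual = field_value(resource, condition["field"])
    if "equals" in condition:
        return actual == resolve(condition["equals"], params)
    if "notEquals" in condition:
        return actual != resolve(condition["notEquals"], params)
    if "in" in condition:
        return actual in resolve(condition["in"], params)
    if "notIn" in condition:
        return actual not in resolve(condition["notIn"], params)
    raise ValueError(f"unsupported condition: {json.dumps(condition)}")


def evaluate(rule, resource, params):
    """Effect that applies ('deny', 'audit', ...) or None when the resource
    does not match the condition, i.e. it is compliant."""
    if matches(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params).lower()
    return None


def handle_put(rule, resource, params):
    """Model a create/update request reaching Azure Resource Manager: 'deny'
    rejects it (ARM answers 403 RequestDisallowedByPolicy); 'audit' lets it
    through, but the new resource is reported as noncompliant."""
    effect = evaluate(rule, resource, params)
    if effect == "deny":
        return {"status": 403, "code": "RequestDisallowedByPolicy", "compliant": False}
    return {"status": 201, "compliant": effect is None}


def noncompliant(rule, resources, params):
    """Model a compliance scan over existing resources: names of those that match."""
    return [r["name"] for r in resources if evaluate(rule, r, params) is not None]


# Constructed sample resources and assignment parameters (not real deployments).
def vm(name, size):
    return {
        "type": "Microsoft.Compute/virtualMachines",
        "name": name,
        "location": "westeurope",
        "properties": {"hardwareProfile": {"vmSize": size}},
    }


STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stdemo", "location": "westeurope"}
DENY_PARAMS = {"allowedSizes": ["Standard_B2s", "Standard_D2s_v3"], "effect": "Deny"}
AUDIT_PARAMS = {**DENY_PARAMS, "effect": "Audit"}

if __name__ == "__main__":
    print(handle_put(POLICY_RULE, vm("vm-small", "Standard_D2s_v3"), DENY_PARAMS))
    print(handle_put(POLICY_RULE, vm("vm-big", "Standard_E64s_v3"), DENY_PARAMS))
    print(handle_put(POLICY_RULE, vm("vm-big", "Standard_E64s_v3"), AUDIT_PARAMS))
    print(noncompliant(POLICY_RULE, [vm("vm-small", "Standard_D2s_v3"),
                                     vm("vm-big", "Standard_E64s_v3"), STORAGE], AUDIT_PARAMS))
```

The storage account never matches because the `type` condition fails first, which is the same reason a real assignment of this policy leaves non-VM resources untouched. Switching the `effect` parameter from Deny to Audit does not change the evaluation, only what happens with the result: a practical way to roll out a new policy is to assign it as Audit first, review the noncompliant list, and only then flip it to Deny.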

It also integrates with Azure DevOps: Azure Pipelines has a built-in "Check Azure Policy compliance" gate that can hold a release stage while the target scope contains noncompliant resources, which brings policy into the continuous integration and delivery part of the software development lifecycle.

Resource lock

A resource lock prevents a resource from being accidentally deleted or changed, and it applies regardless of the user's RBAC role. Locks guard against mistakes, not against a determined user: anyone with the Microsoft.Authorization/locks/* permission (Owner and User Access Administrator by default) can simply remove the lock first, so a lock is not a substitute for least-privilege role assignments.

Locks can be applied to an individual resource, a resource group, or an entire subscription, and they are inherited: a lock on a resource group applies to every resource in that group, and a lock on a subscription applies to every resource group and resource in the subscription. When a resource is covered by locks from several levels, the most restrictive one wins.

Locks are managed from the Azure portal, PowerShell, the Azure CLI, or an Azure Resource Manager template, where they are Microsoft.Authorization/locks resources.

There are two lock levels:

  • Delete (CanNotDelete in the API and CLI) means authorized users can still read and modify the resource, but they can't delete it.
  • ReadOnly means authorized users can read the resource, but they can't delete or update it. This is stricter than it sounds: it blocks any POST or PUT against the resource, so for example listing a storage account's keys or starting a locked VM fails under a ReadOnly lock.

Thanks for reading till the end. Do like, share and subscribe to this page for more such content. Please feel free to provide any feedback :)

P.S. This is part of the Azure for August learning series. If you want to have a look at the other articles, please check out https://medium.com/@gargsourabh/list/azure-for-august-3ac4e674e226
