Enforce organizational standards and assess compliance at scale

Vijay Yadav
Published in CloudTechOffice
7 min read, Jan 29, 2022

Azure Policy Part-1 (Policy concepts, Contents, and Engine)

What is the purpose of the Azure Policy?

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps to bring your resources into compliance through bulk remediation for existing resources and automatic remediation for new resources.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

Azure Policy Agenda:

  1. Policy Concepts
  2. Policy Contents
  3. Policy Engine
  4. Policy Initiatives
  5. Policy Management
  6. Policy Walkthrough

1. Policy Concepts

The traditional approach attains control by blocking Dev/Ops from directly accessing the cloud (portal/API/CLI), and it needs a cloud custodian or a team of engineers responsible for the cloud environment.

SMART governance: enabling velocity through native controls.

  • Policy, cost management and ARM security still allow the development teams to execute at the velocity they need, while IT manages as a custodian natively without getting in the way.
  • Compared with cloud management platforms and brokers, this is a different approach: governance is integrated into the cloud itself, rather than added as a shim between the cloud and the customer.

Azure Policy for Enterprise-level compliance.

Azure Policy is a governance platform that enables the largest enterprises to govern their Azure cloud environment declaratively and at scale across all subscriptions, other clouds (AWS and GCP) and on-premises deployments. The other-cloud and on-premises coverage is enabled by Azure Arc (not discussed here), whereby policies can be applied to those targets in addition to Azure.

Azure Policy sits at the core of Azure and gives you the ability to codify your company policies into the platform. One core benefit is that, given the rate of innovation in Azure, new services go live quite often, and any new Azure service can be governed by Azure Policy from day one.

This helps enterprises to:

  • Enforce standards and guardrails
  • Meet regulatory compliance and audit requirements
  • Control costs
  • Maintain security and performance consistency
  • Impose enterprise-wide design principles

Policy-based management

Add policies to your resources:

Turn on built-in policies, or build your own custom policies to enable security and management at scale for Azure resources. Restrict deployment options for your organization to specific datacentres, or allow the creation of specific resource types only. Establish tagging metadata to help drive accountability, compliance, and much more.

Choose how to build your policies:

Construct policies in the Azure portal with full IntelliSense support or any JSON editor, and import policies using Bash, PowerShell, or API.

Apply policies at any scale

Apply policy over your Azure resources at a scale of your choosing, from a single subscription to a management group with control across your entire organization.

Monitor compliance

Choose to either enforce policies, or audit policy compliance against best practices. View policy compliance for individual policies, or aggregate multiple policies together into initiatives and oversee compliance for the whole initiative. See how compliance with policies is trending over time.

Azure Policy (ARM Policies)

  • ARM management policies allow you to enforce policies during resource deployment, e.g. a specific VM size, location or naming convention.
  • Management policies complement RBAC: RBAC is user-focused, whereas management policies are resource-focused.
  • Created and managed using PowerShell or the REST API.
  • Applied at management group, subscription, resource group or resource level, and inherited by all child resources.
  • Policy events are audited and can be viewed in the portal or using PowerShell.
  • Policies are cumulative.

2. Policy Contents

Ensure data sovereignty by restricting, enforcing, or auditing certain actions.

{
  "if": { <condition> | <logical operator> },
  "then": { "effect": "deny | audit | append | deployIfNotExists" }
}

  • Azure Policies can support the needs of different personas within an organization to ensure that operations in Azure are compliant with its guidance/requirements.
  • From the perspective of someone working in finance, this may be something like ensuring resources are tagged with cost center or other pieces of information to ensure chargeback can occur properly.
  • Security staff will look to Azure Policy to ensure that resources are created in regions or specific settings that meet the business’s requirements.
  • Developers and ops teams may use Azure Policy to ensure that unauthorized resources aren’t created or that resources are named according to business standards.

Policy Definition

You use JSON to create a policy definition. The policy definition contains elements for:

  • mode
  • parameters
  • display name
  • description
  • policy rule
  • logical evaluation
  • effect

A resource policy definition, as used by Azure Policy, enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and manage your resources more efficiently. For example, you can specify that only specific virtual machine sizes are allowed, or you can require that all resources carry a particular tag. In addition, policies are inherited by all child resources: if a policy is applied to a resource group, it applies to all the resources in that resource group.

Example: Define a Management Policy with PowerShell: Restrict Location

Create a management policy. In PowerShell, the New-AzPolicyDefinition cmdlet creates a new management policy. The policy definition can be specified inline within the command, or it can be read from a locally stored JSON file specified with the -Policy parameter.
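As an added example (not from the original post), here is a complete restrict-location definition built this way; the definition name, the Audit/Deny parameter and the assumption that you have already run Connect-AzAccount are choices made for illustration, and the rule can equally be saved to a file and passed as -Policy .\restrict-location.json:

```powershell
# Added example, not the post's own code. Creates a custom "allowed locations"
# definition with New-AzPolicyDefinition (Az.Resources). Name and parameters are assumed.

# Policy rule: flag (or deny) any resource whose location is outside the allowed list.
# Resources with location "global" are excluded so that global services are not blocked.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters let one definition be reused with different region lists, and let the
# effect be switched between Audit (observe first) and Deny (enforce) at assignment time.
$params = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions in which resources may be created"
    }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

# Mode "Indexed" evaluates only resource types that support location and tags.
$definition = New-AzPolicyDefinition -Name 'restrict-location' `
    -DisplayName 'Restrict resource locations' `
    -Description 'Audits or denies resources created outside the allowed regions' `
    -Mode 'Indexed' `
    -Policy $rule `
    -Parameter $params

# The returned object carries the resource ID needed later by New-AzPolicyAssignment.
$definition.PolicyDefinitionId
```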

Order of Evaluation:

  • Disabled
  • Append and Modify
  • Deny
  • Audit
  • AuditIfNotExists
  • DeployIfNotExists

Policy Effects:

  • Append
  • Deny
  • DeployIfNotExists
  • Audit
  • AuditIfNotExists
  • Disabled
  • Modify

Azure Policy Scope

Azure provides four levels of scope:

  1. Management Group
  2. Subscriptions
  3. Resource Groups
  4. Resources

You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn’t have that policy assignment.

3. Policy Engine

Policy is always applied at a scope: management group, subscription, resource group or resource. The Policy Engine periodically sweeps the scope and evaluates compliance on the following occasions.

  • A resource is created, updated, or deleted in a scope with a policy assignment.
  • A policy or initiative is newly assigned to a scope.
  • A policy or initiative already assigned to a scope is updated.
  • During the standard compliance evaluation cycle, which occurs once every 24 hours.
  • On Demand

During such sweeps, resources under the scope are evaluated and the effects defined in the policy are applied.

How does Policy work?

Policy is declarative and always on:

  • On change
  • On a periodic cadence
  • On demand

  1. A user sends a resource configuration request. The payload is submitted to the ARM control plane, and the Policy Engine scans the incoming request for compliance with the policies under the scope. If evaluation results in a failure, the request is rejected.

  2. A user submits a resource configuration request. The payload is submitted to the ARM control plane, and the Policy Engine scans the incoming request for compliance with the policies under the scope. If the evaluation complies with all of the policies in the scope, resource provisioning happens.

  3. The Policy Engine continuously evaluates resources under the scopes on the regular cadence. Compliant resources are marked compliant and non-compliant resources are flagged as non-compliant.

Assign a Management Policy — at Subscription Scope

Assign a Management Policy through PowerShell.

Quickstart: New policy assignment with PowerShell — Azure Policy | Microsoft Docs

New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition
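An added example (not from the original post or the linked quickstart) that assigns a definition at subscription scope, forces the on-demand evaluation described above and reads back the compliance state; the definition name 'restrict-location', the region list and the assignment name are assumptions, and the scan and query cmdlets come from the Az.PolicyInsights module:

```powershell
# Added example, not the post's own code. Assumes a signed-in session, the Az.Resources
# and Az.PolicyInsights modules, and an existing definition named 'restrict-location'.

$sub        = (Get-AzContext).Subscription
$scope      = "/subscriptions/$($sub.Id)"   # every resource group and resource below inherits it
$definition = Get-AzPolicyDefinition -Name 'restrict-location'

# Start with Audit so existing workloads are surfaced rather than broken; switch the
# 'effect' parameter to Deny once the non-compliant resources have been dealt with.
$assignment = New-AzPolicyAssignment -Name 'restrict-location-sub' `
    -DisplayName 'Restrict locations (subscription)' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{
        allowedLocations = @('westeurope', 'northeurope')   # assumed region list
        effect           = 'Audit'
    }

# The engine evaluates on change and every 24 hours; this forces an on-demand sweep
# of the current subscription and blocks until it completes.
Start-AzPolicyComplianceScan

# Latest compliance records for this assignment only.
$states = Get-AzPolicyState -SubscriptionId $sub.Id `
    -PolicyAssignmentName $assignment.Name

# Summary by compliance state, then the offending resources with their locations.
$states | Group-Object ComplianceState | Select-Object Name, Count

$states | Where-Object ComplianceState -eq 'NonCompliant' |
    Select-Object ResourceId, ResourceLocation, ResourceType
```

Because the assignment sits at subscription scope, a resource group created later inherits it without any further assignment.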

Policy Evaluation and Remediation

Policy Evaluation allows the following different responses as a result of evaluation:

  • Deny the resource change
  • Log the change to the resource
  • Alter the resource before the change
  • Alter the resource after the change
  • Deploy related compliant resources

Following evaluation, remedial action is carried out using a remediation task.
Remediation tasks can be:

  • Automated OR
  • Manual
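As an added example (not part of the original post), an automated remediation flow for the tagging case mentioned earlier: a Modify policy that adds a costCenter tag, assigned with a managed identity, followed by a remediation task that alters existing resources after the fact. The definition and assignment names, the tag value and the resource group are assumptions; the role ID is the built-in Contributor role.

```powershell
# Added example, not the post's own code. Requires Az.Resources and Az.PolicyInsights
# and rights to create role assignments at the target scope. Names are assumed.

# Modify policies must declare the roles their managed identity needs (Contributor here).
$rule = @'
{
  "if": { "field": "tags['costCenter']", "exists": "false" },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        { "operation": "add", "field": "tags['costCenter']", "value": "[parameters('tagValue')]" }
      ]
    }
  }
}
'@
$params = @'
{ "tagValue": { "type": "String", "metadata": { "displayName": "Cost center value" } } }
'@

$def = New-AzPolicyDefinition -Name 'add-costcenter-tag' `
    -DisplayName 'Add costCenter tag to resources' `
    -Mode 'Indexed' -Policy $rule -Parameter $params

$rg = Get-AzResourceGroup -Name 'rg-finance-prod'   # assumed target resource group

# A system-assigned identity is required for modify/deployIfNotExists remediation.
$assignment = New-AzPolicyAssignment -Name 'add-costcenter-tag-rg' `
    -Scope $rg.ResourceId -PolicyDefinition $def `
    -PolicyParameterObject @{ tagValue = 'CC-1234' } `
    -IdentityType 'SystemAssigned' -Location 'westeurope'

# Unlike the portal, PowerShell does not grant the role for you: give the identity
# Contributor at the assignment scope (propagation can take a few minutes).
New-AzRoleAssignment -Scope $rg.ResourceId `
    -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c'

# New resources are tagged at creation time; existing ones stay non-compliant until
# a remediation task applies the same "add" operation to them.
$task = Start-AzPolicyRemediation -Name 'remediate-costcenter-tag' `
    -Scope $rg.ResourceId -PolicyAssignmentId $assignment.PolicyAssignmentId

$task | Select-Object Name, ProvisioningState, DeploymentSummary
```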

To be continued. The following topics will be covered in upcoming parts; please stay tuned. Thank you.

  1. Policy Initiatives
  2. Policy Management
  3. Policy Walkthrough
