Keep control of your Azure environment with Azure Policy
Keeping control of your Azure environment and your Azure tenant can be challenging. Azure Policy is a fundamental part of Azure Governance for maintaining control of your environment. With Azure Policy, you can enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. For example, you can limit deployments to specific virtual machine types and sizes, or block specific Azure regions from being used. You can still give developers and IT Pros access to the Azure environment and subscriptions, but you always stay in control.
- Real-time policy enforcement and evaluation
- Cloud policy management and security at scale
- Automated remediation of existing resources
- Comprehensive compliance view of all your resources across your Azure subscriptions
You can use Azure Policy not just to enforce rules, but also to only audit your environment. This lets you see which resources are not compliant with your company policies instead of blocking their deployment.
Why not just use RBAC?
Azure Policy is complementary to role-based access control (RBAC), and both are part of the overall Azure Governance tools.
There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.
Understanding Azure Policy
Azure provides you with a number of built-in policies, but you can also create your own custom policies. To implement Azure Policy in your environment, you need to understand a few key artifacts.
- Policy definition – Every policy definition has conditions under which it is enforced, and a defined effect that takes place if the conditions are met. You can read more about policy definitions here, and you can find a list of built-in policy definitions on Microsoft Docs.
- Policy assignment – A policy assignment is a policy definition that has been assigned to take place within a specific scope. This can be a management group, subscription, resource group, or even a particular resource. You can read more about assignments here.
- Policy parameters – You can define parameters when creating a policy definition to make it more generic. Then you can reuse that policy definition for different scenarios. You can read more about the parameters here.
- Initiative definition – An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping them. You can read more about Initiative definitions here, and you can find a list of built-in Azure Policy initiative definitions on Microsoft Docs.
- Initiative assignment – Similar to policy assignments, an initiative assignment is an initiative definition assigned to a specific scope. You can read more about Initiative assignments here.
- Initiative parameters – Similar to policy parameters, initiative parameters help simplify initiative management by reducing redundancy. You can read more about Initiative parameters here.
How to assign an Azure Policy and initiative
To assign a policy or initiative, go to Azure Policy in the Azure portal. There you can click on Assignments and then on Assign policy.
You will need to set the scope, which can be on a management group, subscription, resource group, or resource level.
Now you select the policy definition you want to implement.
Depending on the policy definition, you will need to set parameters and some additional settings. You can also change the name of the assignment and enter a description. After you click Review + create, it takes a couple of minutes, and the assignment will then show up in the compliance view as compliant or non-compliant.
You can also use the Azure CLI or Azure PowerShell to assign policies and definitions. If you are running Azure DevOps, you can also apply policies in a CI/CD pipeline and take advantage of the native integration with Azure DevOps to surface policy violations before deployment and policy compliance assessments in the cloud after deployment.
Quick tip: if you are using Azure CLI or Azure PowerShell, make sure you have a look at the Azure Cloud Shell.
If you want to get an overview of your compliance state, you can go to the Compliance page, and you will get an overview of the different assignments and their compliance state.
If you have non-compliant resources, you can either fix them manually or, in some cases, use a remediation task, which changes the setting to your preferred state.
Author custom Azure Policies
Microsoft Azure provides you with built-in definitions. However, you can also author your own policy definition if you need to. You can read more about writing your own custom policies in JSON here. You can also use a Visual Studio Code extension to work on policies.
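To show how the artifacts above (a definition with parameters and an effect, an assignment at a scope, the compliance view, a remediation task) fit together outside the portal, here is an added Azure PowerShell example. It is not code from the original post; it assumes the Az.Resources and Az.PolicyInsights modules are installed, that you are already signed in with Connect-AzAccount, and the subscription ID, definition and assignment names and the remediation assignment ID are placeholders you would replace with your own.

```powershell
# Added example, not from the original post. Assumes Az.Resources and
# Az.PolicyInsights are installed and Connect-AzAccount has been run.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with yours
$scope          = "/subscriptions/$subscriptionId"

# 1. Policy definition. The policyRule has a condition ("if") and an effect ("then").
#    The allowed regions and the effect are parameters, so the same definition can be
#    reused with different values per assignment (e.g. Audit in dev, Deny in prod).
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$policyParameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions in which resources may be deployed.",
      "strongType": "location"
    }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'allowed-locations-custom' `
    -DisplayName 'Allowed locations (custom)' `
    -Description 'Restricts the regions resources can be deployed to.' `
    -Mode 'Indexed' `
    -Policy $policyRule `
    -Parameter $policyParameters

# 2. Policy assignment at subscription scope. Starting with Audit lets you review
#    the non-compliant resources in the Compliance view before switching to Deny.
$assignment = New-AzPolicyAssignment -Name 'allowed-locations-prod' `
    -DisplayName 'Allowed locations - production' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{
        allowedLocations = @('westeurope', 'northeurope')
        effect           = 'Audit'
    }

# 3. Compliance: list the resources this assignment currently flags as non-compliant.
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation, ComplianceState

# 4. Remediation task. This only applies to assignments whose effect is
#    deployIfNotExists or modify (a location policy cannot move a resource), so the
#    assignment ID below is a placeholder for such an assignment in your tenant.
$remediableAssignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/<deployIfNotExists-or-modify-assignment>"
Start-AzPolicyRemediation -Name 'remediate-existing-resources' `
    -PolicyAssignmentId $remediableAssignmentId
```

The `strongType` metadata is what makes the portal render the parameter as a region picker when you assign the definition, and keeping the effect as a parameter means you can re-assign the same definition with `effect = 'Deny'` once the audit results look clean rather than maintaining two definitions.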
Azure Policy is offered at no additional cost to Azure subscribers.
I hope this gives you an overview of how you can keep control of your Azure environment using Azure Policy. If you want to learn more, check out the documentation here. And if you have any questions, please let me know in the comments.