Tag: Azure Policy

Azure Policy Guest Configuration Compliance

Audit server settings with Azure Policy Guest Configuration

In my last blog post on Azure Governance, I wrote about how you can use Azure Policy to keep control of your Azure environment. In this blog post, I will show you how you can extend Azure Policy to the guest operating system of Azure virtual machines (VMs), and Azure Arc enabled servers to audit server settings using Azure Policy Guest Configuration.

Azure Policy can audit settings inside a machine, both for machines running in Azure and Arc Connected Machines. The validation is performed by the Guest Configuration extension and client. The extension, through the client, validates settings such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings

Understand Azure Policy’s Guest Configuration

Have a look at my other blog posts about:

How to audit machines using Azure Policy Guest Configuration

Before you can audit settings inside a machine, the Guest Configuration virtual machine extension needs to be enabled and the machine must have a system-assigned managed identity. The extension isn't required for Arc Connected Machines because it's included in the Arc Connected Machine agent.

To deploy the extension at scale, assign the following policy initiative:

Deploy prerequisites to enable Guest Configuration policies on virtual machines

You can find more information about how to enable Azure Policy Guest Configuration on Microsoft Docs.

Assigning Guest Configuration policies works the same way as assigning other Azure Policies. To assign a policy or initiative, go to Azure Policy in the Azure portal, click on Assignments and then on Assign policy or Assign initiative.

Assign Azure Policy Guest Configuration

Now select the policy or initiative definition you want to implement. In this example, we are going to audit servers for insecure password settings. There are also built-in initiatives for industry and regulatory standards available.

Audit machines with insecure password security settings

You can set the parameters of the initiative. Guest Configuration policies have at least one parameter that lets you include Azure Arc enabled servers. Including them comes with an additional cost for Azure Arc enabled servers, while auditing servers running in Azure is free of charge.

Initiative Parameters included Azure Arc enabled Servers

After you click Review + create, it takes a couple of minutes until the assignment shows up in the compliance view as compliant or non-compliant.

You can also use the Azure CLI or Azure PowerShell to assign policies and definitions. If you are running Azure DevOps, you can also apply policies in a CI/CD pipeline and take advantage of the native integration with Azure DevOps to surface policy violations before deployment and policy compliance assessments in the cloud after deployment.

Audit server settings with Azure Policy Guest Configuration

If you want to get an overview of your compliance state, you can go to the Compliance page, and you will get an overview of the different assignments and their compliance state.
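As an added example that is not part of the original post, the following Azure PowerShell script does the same assignment without the portal: it assigns the prerequisites initiative with a managed identity, grants that identity the role the DeployIfNotExists policies need, remediates machines that already exist, assigns the password audit initiative with Arc machines included, and then pulls the non-compliant results that the Compliance page shows. It assumes the Az.Resources and Az.PolicyInsights modules (object property names as in Az.Resources 4.x/5.x); the region, the assignment names and the role assignment scope are my own choices for the example.

```powershell
# Added example, not from the original post: assign the two built-in
# initiatives from Azure PowerShell and query the compliance results.
# Requires Az.Resources and Az.PolicyInsights (property names follow the
# Az.Resources 4.x/5.x object model). Scope, region and names are placeholders.
Connect-AzAccount | Out-Null
$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"
$location       = 'westeurope'   # region that hosts the assignment's managed identity

function Get-BuiltinInitiative([string] $DisplayName) {
    # Resolve by display name so no definition GUID has to be hard-coded.
    Get-AzPolicySetDefinition -Builtin |
        Where-Object { $_.Properties.DisplayName -eq $DisplayName }
}

# 1. Prerequisites: extension plus system-assigned identity on each VM.
#    The initiative uses DeployIfNotExists, so the assignment itself needs a
#    managed identity with enough rights to deploy the extension.
$prereq = Get-BuiltinInitiative 'Deploy prerequisites to enable Guest Configuration policies on virtual machines'
$prereqAssignment = New-AzPolicyAssignment -Name 'gc-prerequisites' `
    -PolicySetDefinition $prereq -Scope $scope `
    -IdentityType 'SystemAssigned' -Location $location

# Grant only what the definition's roleDefinitionIds ask for (Contributor for
# this initiative), at the assignment's own scope; do not hand it Owner.
New-AzRoleAssignment -ObjectId $prereqAssignment.Identity.PrincipalId `
    -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null
Start-Sleep -Seconds 60   # let the new identity and role assignment replicate

# DeployIfNotExists only fires for new or changed resources. Existing VMs need
# a remediation task for every policy inside the initiative.
foreach ($ref in $prereq.Properties.PolicyDefinitions) {
    Start-AzPolicyRemediation -Name "gc-prereq-$($ref.policyDefinitionReferenceId)" `
        -Scope $scope -PolicyAssignmentId $prereqAssignment.ResourceId `
        -PolicyDefinitionReferenceId $ref.policyDefinitionReferenceId | Out-Null
}

# 2. The audit initiative. IncludeArcMachines is a string parameter, not a
#    boolean, and including Arc machines is what triggers the per-server charge.
$audit = Get-BuiltinInitiative 'Audit machines with insecure password security settings'
New-AzPolicyAssignment -Name 'gc-password-audit' -DisplayName 'Audit insecure password settings' `
    -PolicySetDefinition $audit -Scope $scope `
    -PolicyParameterObject @{ IncludeArcMachines = 'true' } | Out-Null

# 3. Evaluation normally runs on a schedule; trigger it now (blocks until done).
Start-AzPolicyComplianceScan | Out-Null

# 4. Non-compliant machines for this assignment only.
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq 'gc-password-audit' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, Timestamp
```

Two caveats before running this at subscription scope: the role assignment is what lets the DeployIfNotExists policies actually install the extension, so scope it no wider than the policy assignment itself; and setting IncludeArcMachines to 'true' is what starts the per-server charge for Azure Arc enabled servers mentioned above.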

Azure Policy Guest Configuration Compliance

You can also have a more detailed look at the initiative or policy and its definition. You are not limited to the built-in policies and initiatives; you can also write your own.

Definition

Author custom Azure Policies

Microsoft Azure provides you with built-in definitions. However, you can also author your own policy definition if you need to. You can read more about writing your own custom policies in JSON here. You can also use a Visual Studio Code extension to work on policies.

Check out how to create Guest Configuration policies for Windows.

You can find built-in Guest Configuration policy samples here.

Visual Studio Code Azure Policy Extension

Additional Information

Here are some quick facts I often get asked about Azure Policy Guest Configuration:

  • Azure Policy Guest Configuration supports Linux and Windows Server. For more information about supported operating systems, check out the official Microsoft Docs page.
  • Azure Policy Guest Configuration works in hybrid and multi-cloud environments and supports Azure VMs, servers running on-premises, and servers at other cloud providers.
  • Yes, you can create custom Guest Configuration policies.
  • For Azure virtual machines, you can use the service tag “GuestAndHybridManagement” in network security group rules to allow the outbound traffic to the Guest Configuration service.
  • Virtual machines can use Private Link for communication to the Guest Configuration service.

Pricing

Azure Policy Guest Configuration is offered at no additional cost to Azure subscribers to audit Azure resources; for Azure Arc resources it is charged at $6 per server per month.

Video: Governing baselines in hybrid server environments using Azure Policy Guest Configuration

The following overview of Azure Policy Guest Configuration is from ITOps Talks 2021.

Conclusion

I hope this blog post provides you with a short overview of how you can audit server settings with Azure Policy Guest Configuration for Azure virtual machines as well as Azure Arc enabled servers. To learn more, I highly recommend checking out the official Microsoft Docs page.



Azure Friday - Manage and govern your hybrid servers using Azure Arc

Azure Friday: Manage hybrid servers using Azure Arc

Last Friday, I had the chance to join Donovan Brown on Azure Friday to talk about how you can manage and govern your hybrid servers using Azure Arc. I showed how you can manage and govern your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers, similar to how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. You can watch the full episode here on Microsoft Channel 9.

Azure Friday - Manage and govern your hybrid servers using Azure Arc

If you want to know more about the Azure Arc and Azure Hybrid services, check out the following blog post and Microsoft Docs articles:

In my other Azure Friday episode, I joined Scott Hanselman to talk about how you can connect Windows Server to Azure Hybrid Cloud services using Windows Admin Center, and how you can use other Azure Hybrid services to improve your on-premises environment. Check out my blog post about it here.

I hope you liked this Azure Friday episode about how you can manage and govern your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers, using Azure Arc for servers. If you have any questions, feel free to leave a comment. And yes, this is a Surface Pro X.



Azure Policy

Keep control of your Azure environment with Azure Policy

Keeping control of your Azure environment and your Azure tenant can be challenging. Azure Policy is a fundamental part of Azure Governance for maintaining control of your environment. With Azure Policy, you can enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. For example, you can limit deployments to specific virtual machine types and sizes, or block specific Azure regions from being used. You can still give developers and IT Pros access to the Azure environment and subscriptions but always stay in control.

  • Real-time policy enforcement and evaluation
  • Cloud policy management and security at scale
  • Automated remediation of existing resources
  • Comprehensive compliance view of all your resources across your Azure subscriptions

You can use Azure Policy not just to enforce rules, but also to only audit your environment. This lets you see which resources are not compliant with your company policies instead of blocking their deployment.
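As an added example that is not part of the original post, here is a custom policy definition written with Azure PowerShell that restricts resource locations, with the effect exposed as a parameter so the same definition can first be assigned as Audit and switched to Deny once you know which resources would be blocked. It assumes the Az.Resources and Az.PolicyInsights modules; the definition name, display name, allowed regions and assignment name are my own choices for the example.

```powershell
# Added example, not from the original post. Requires Az.Resources and
# Az.PolicyInsights; names and regions below are placeholders for the example.
Connect-AzAccount | Out-Null
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# Policy rule: flag any resource whose location is outside the allowed list.
# "global" is excluded because services such as DNS zones and Traffic Manager
# legitimately use it and would otherwise be reported or denied by mistake.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters: the region list, and the effect with Audit as the safe default.
$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'approved-regions' `
    -DisplayName 'Resources must be deployed to approved regions' `
    -Mode 'Indexed' -Policy $rule -Parameter $parameters

# Phase 1: audit only. Existing and new resources outside the list show up as
# non-compliant, but nothing is blocked.
$regions = @('westeurope', 'northeurope')
New-AzPolicyAssignment -Name 'approved-regions' -PolicyDefinition $definition -Scope $scope `
    -PolicyParameterObject @{ allowedLocations = $regions; effect = 'Audit' } | Out-Null

# Review what would have been blocked before flipping the switch.
Get-AzPolicyState -Filter "PolicyAssignmentName eq 'approved-regions' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation

# Phase 2: enforce. Same definition and scope, only the effect changes, so the
# compliance history stays attached to the same assignment.
Set-AzPolicyAssignment -Name 'approved-regions' -Scope $scope `
    -PolicyParameterObject @{ allowedLocations = $regions; effect = 'Deny' } | Out-Null
```

Keeping the effect as a parameter rather than hard-coding Deny is the practical way to roll a rule out: the audit phase surfaces the resources that already violate it, and the switch to Deny is a parameter change on the existing assignment rather than a second definition.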

Have a look at my other blog posts about:

Cloud-Native Governance


Why not just use RBAC?

Azure Policy is complementary to role-based access control (RBAC), and both are part of the overall Azure Governance tools.

There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.



Azure Hybrid

Azure Arc – Cloud-native Management for Hybrid Cloud

Azure Hybrid is not just Azure Stack; it also includes a couple of other Azure Hybrid services like Azure Update Management, Azure File Sync and many more. Today, Microsoft extends the hybrid cloud solutions in Azure and announced Azure Arc, which is designed to extend Azure management to any infrastructure. In the new world where organizations run servers, containers, and applications across multi-cloud environments, on-premises locations, and the edge, managing these hybrid resources becomes challenging. Azure Arc enables cloud-native Azure management across any infrastructure and also allows Azure data services to be deployed anywhere. It includes hybrid server management, Kubernetes and Azure data services.

Azure Arc Overview


As you can see Azure Arc consists of a set of different technologies and components like:

  • Organize and govern all your servers – Azure Arc extends Azure management to physical and virtual servers anywhere. Govern and manage servers from a single scalable management pane. You can learn more about Azure Arc for servers here.
  • Manage Kubernetes apps at scale – Deploy and configure Kubernetes applications consistently across all your environments with modern DevOps techniques.
  • Run data services anywhere – Deploy Azure data services in moments, anywhere you need them. Get simpler compliance, faster response times, and better security for your data. You can learn more here.
  • Adopt cloud technologies on-premises – Bringing cloud-native management to your hybrid environment.

In this blog post, we will have a closer look at hybrid server management. If you want to know more about Azure Arc, check out the announcement blog post by Jeremy Winter, Director of Program Management, Microsoft Azure.

Cloud-native Azure management for hybrid environments with Azure Arc

By extending Azure Resource Manager to support hybrid cloud environments, Azure Arc makes it easier to implement cloud security across environments with centralized role-based access control and security policies. Azure Management now provides you with a single control plane for Azure native and Azure Arc resources.

Azure Management Overview


Hybrid Server Management

Today Azure Arc allows you to onboard physical and virtual servers in your hybrid environment (on-premises, edge, and multi-cloud). By joining servers to Azure Arc, you get the benefits you are used to from native Azure resources, like tags, RBAC, and many more. In the preview, you can now use Azure Management services like Azure Log Analytics and Azure Policy to make sure your servers are compliant across your hybrid environment.

Hybrid Server Management


I had the chance to have a very early chat with Jian Yan from the Azure Management team, a couple of weeks ago, about hybrid server management. Check out the video here:

Join the Preview

Azure Arc for servers is currently in public preview, while you can sign up for the preview of Azure Arc for Kubernetes and data services. To enable hybrid server management, you must register the required resource providers:

  • Microsoft.HybridCompute
  • Microsoft.GuestConfiguration

You can register the resource providers with the following Azure PowerShell commands:

Login-AzAccount
Set-AzContext -SubscriptionId [subscription you want to onboard]
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration

or with Azure CLI:

az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'

You can also run them from Azure Cloud Shell. If you want to know more, check out the following Microsoft Docs article.

Onboarding Servers to Azure Arc

As mentioned, we will have a closer look here at how you can onboard Linux and Windows Server to Azure Arc. The server can be physical or virtual and can run on-premises or at another service provider. To onboard it, open Azure Arc in the Azure portal and select Manage servers.

Azure Arc Portal


Here you will see your existing servers which you have on-boarded.

Azure Arc Server in Portal

You can click on Add to add another server. You will be able to add a single server or get instructions to onboard servers at scale.

Add server to Azure Arc


Here you can go through a wizard that will help you to generate a script, which you can copy or download to run it on your server. You can select the subscription and resource group, as well as the region where you want to join your server.

You will also be able to configure a proxy server if your server is behind a proxy. Since this will use the Azure Resource Manager, you will also be able to use tags. After you are done with the wizard, you are able to download or copy the command to run that on your server.

Generate Script


After you have run that command on your on-premises server, your server will show up as an Azure resource in a couple of minutes.
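Here is an added example, not the script the portal wizard generates, of what onboarding at scale looks like in PowerShell with a dedicated service principal: no server ever needs an interactive login, and the identity used for onboarding can do nothing except register machines. The "Azure Connected Machine Onboarding" built-in role, the aka.ms download link and the azcmagent connect flags are real; the resource group, region, tags, file paths and placeholder IDs are assumptions for the example.

```powershell
# Added example, not from the original post: at-scale onboarding with a
# dedicated service principal. Resource group, tenant, subscription, region,
# tags and file paths are placeholders chosen for this example.

# ---- Once, from an admin workstation (Az.Resources) -------------------------
# A service principal holding only the "Azure Connected Machine Onboarding"
# role can register machines but cannot read or change anything else.
$rg  = 'arc-servers'
$sub = (Get-AzContext).Subscription.Id
$sp  = New-AzADServicePrincipal -DisplayName 'arc-onboarding' `
         -Role 'Azure Connected Machine Onboarding' `
         -Scope "/subscriptions/$sub/resourceGroups/$rg"
# $sp.PasswordCredentials.SecretText holds the client secret (Az.Resources 5+);
# store it in a vault and rotate it, never paste it into the onboarding script.

# ---- On each Windows server, as Administrator --------------------------------
$installer = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -OutFile $installer -UseBasicParsing
Start-Process msiexec.exe -Wait `
    -ArgumentList "/i `"$installer`" /l*v `"$env:TEMP\azcmagent-install.log`" /qn"

# Tenant, subscription and secret come from the deployment tool's secret store
# at run time; they are shown as placeholders here.
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
    --service-principal-id     '<app-id>' `
    --service-principal-secret '<client-secret>' `
    --tenant-id                '<tenant-id>' `
    --subscription-id          '<subscription-id>' `
    --resource-group           'arc-servers' `
    --location                 'westeurope' `
    --tags                     'Datacenter=Bern,Owner=platform-team'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# ---- Back in Azure (Az.ConnectedMachine) ------------------------------------
Get-AzConnectedMachine -ResourceGroupName $rg |
    Select-Object Name, Status, AgentVersion, OSName
```

The scope of the role assignment matters: granting the onboarding role at one resource group means a leaked secret can only add machines to that group, and the secret itself should live in the deployment tool's secret store rather than in the script that gets copied to every server.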

Use Windows Admin Center to onboard a server to Azure Arc

Windows Admin Center and Azure Stack HCI


If you are using Windows Admin Center on Windows Server or with Azure Stack HCI, you can also onboard servers directly from there. Go to the settings of the server and click on Azure Arc. Now you can sign in and select the specific subscription and resource group.

More

If you want to know more about the Azure Hybrid announcements at Microsoft Ignite 2019, check out the blog post of Julia White. If you want to know more about Azure Arc, check out the blog post from Jeremy Winter. If you have any questions about it feel free to leave a comment, or if you are at Microsoft Ignite, feel free to talk to me and the Azure team.

I will also host a Microsoft Ignite Live interview with Jian Yan, which you can watch live in Orlando or online.

Microsoft Ignite Live

Azure is built from the ground up to manage at-scale, cross-geography environments with multiple operational models and DevOps patterns. The vision is to keep Azure at the center of the enterprise as the control plane for governance, management, and modern development and bring the Azure management capabilities and services to any customer environment. In this session, we demo one of the extension services to enable you to bring servers from anywhere to Azure, and use Azure to get a compliance view for all your server assets.



Azure Stack Development Kit PowerShell Install

Developing Azure Stack compatible services in Azure using Azure Policies

As mentioned, Azure Stack brings a true hybrid cloud experience by bringing a consistent platform from the public cloud to the private cloud. There is a little bit of a catch: Microsoft Azure Stack of course only offers some of the Azure public cloud services, since some of them need a specific scale or specialized hardware, and they are often behind in features and functionality, since Azure gets updated daily while Azure Stack has a slower update cycle.

But what if you want to develop services on Azure which should be compatible with Azure Stack; how can you make sure that these services also work on Azure Stack? The answer to that is the Azure Stack Policy Module. The Azure Stack Policy module allows you to configure an Azure subscription with the same versioning and service availability as Azure Stack using Azure Policy. The module uses the New-AzureRmPolicyAssignment PowerShell cmdlet to create an Azure policy which limits the resource types and services available in a subscription. You can then use your Azure subscription to develop apps targeted for Azure Stack.

You can find the Azure Stack Policy Module in Azure Stack tools on GitHub.

Install the Azure Stack Policy Module

  1. Install the required version of the AzureRM PowerShell module, as described in Step 1 of Install PowerShell for Azure Stack.
  2. Download the Azure Stack tools from GitHub
  3. Configure PowerShell for use with Azure Stack
  4. Import the AzureStack.Policy.psm1 module:
    Import-Module .\Policy\AzureStack.Policy.psm1

Apply policy to subscription

The following commands can be used to apply a default Azure Stack policy against your Azure subscription.

# Sign in and pick the subscription that should mirror Azure Stack
Login-AzureRmAccount
$s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
# Get-AzsPolicy returns the policy rule shipped with the Azure Stack tools
$policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
$subscriptionID = $s.Subscription.SubscriptionId
# Assign the definition at subscription scope
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID

Apply policy to a resource group

You may want to apply policies in a more granular way. As an example, you may have other resources running in the same subscription. You can scope the policy assignment to a specific resource group, which lets you test your apps for Azure Stack using Azure resources.

Login-AzureRmAccount
$rgName = 'myRG01'
$s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
# The subscription ID is needed to build the resource group scope below
$subscriptionID = $s.Subscription.SubscriptionId
$policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID/resourceGroups/$rgName

You can find more information about this on the official documentation page: https://docs.microsoft.com/en-us/azure/azure-stack/user/azure-stack-policy-module