Keeping control of your Azure environment and your Azure tenant can be challenging. Azure Policy is a fundamental part of Azure Governance to maintain control of your environment. With Azure Policy, you can enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. For example, you can limit the deployment to specific virtual machines types and sizes, or block different Azure regions from being used. You can still give developers and IT Pros access to the Azure environment and subscriptions but always stay in control.
- Real-time policy enforcement and evaluation
- Cloud policy management and security at scale
- Automated remediation of existing resources
- Comprehensive compliance view of all your resources across your Azure subscriptions
You use Azure Policy not just to enforce rules, but also to only audit your environment. This enables you to see the resources which are not compliant with your company policies instead of just blocking the deployment.
Have a look at my other blog posts about:
Why not just use RBAC?
Azure Policy is complementary to role-based access control (RBAC), and are both part of the overall Azure Governance tools.
There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.