Keeping control of your Azure environment and your Azure tenant can be challenging. Azure Policy is a fundamental part of Azure Governance to maintain control of your environment. With Azure Policy, you can enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. For example, you can limit the deployment to specific virtual machines types and sizes, or block different Azure regions from being used. You can still give developers and IT Pros access to the Azure environment and subscriptions but always stay in control.
- Real-time policy enforcement and evaluation
- Cloud policy management and security at scale
- Automated remediation of existing resources
- Comprehensive compliance view of all your resources across your Azure subscriptions
You use Azure Policy not just to enforce rules, but also to only audit your environment. This enables you to see the resources which are not compliant with your company policies instead of just blocking the deployment.
Have a look at my other blog posts about:
Cloud-Native Governance
Why not just use RBAC?
Azure Policy is complementary to role-based access control (RBAC), and are both part of the overall Azure Governance tools.
There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.
Understanding Azure Policy
Azure will provide you with a couple of built-in policies, but you can also create your custom policies. To implement Azure Policy in your environment, you need to understand a couple of keys artifacts.
- Policy definition – Every policy definition has conditions under which it’s enforced. And, it has a defined effect that takes place if the conditions are met. You can read more about Policy definitions here, and you can find a list of built-in policy definitions on Microsoft Docs.
- Policy assignment – A policy assignment is a policy definition that has been assigned to take place within a specific scope. This can be a management group, subscription, resource group, or even a particular resource. You can read more about assignments here.
- Policy parameters – You can define parameters when creating a policy definition to make it more generic. Then you can reuse that policy definition for different scenarios. You can read more about the parameters here.
- Initiative definition – An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping them. You can read more about Initiative definitions here, and you can find a list of built-in Azure Policy initiative definitions on Microsoft Docs.
- Initiative assignment – Similar to policy assignments, an initiative assignment is an initiative definition assigned to a specific scope. You can read more about Initiative assignments here.
- Initiative parameters – Similar to policy parameters, initiative parameters help simplify initiative management by reducing redundancy. You can read more about Initiative parameters here.
How to assign an Azure Policy and initiative
To assign a policy or initiative, you need to go to Azure Policy in the Azure portal. Here you can click on Assignment and then on assign policy.
Assign Azure Policy
You will need to set the scope, which can be on a management group, subscription, resource group, or resource level.
Scope
Now you select the policy definition you want to implement.
Policy Definition
Depending on the policy definition, you will need to set parameters and some additional settings. You can also change the name of the assignment and enter a description. After you clicked on Review + create, it will take a couple of minutes, and the assignment will show up in the compliance view as compliant or non-compliant.
You can also use the Azure CLI or Azure PowerShell to assign policies and definitions. If you are running Azure DevOps, you can also apply policies in a CI/CD pipeline and take advantage of the native integration with Azure DevOps to surface policy violations before deployment and policy compliance assessments in the cloud after deployment.
Quick tip if you are using Azure CLI or Azure PowerShell, make sure you have a look at the Azure Cloud Shell.
Audit
If you want to get an overview of your compliance state, you can go to the Compliance page, and you will get an overview of the different assignments and their compliance state.
Compliance View
Remediation
If you have non-compliant policies, you can either go and fix it manually or in some cases, you can use a remediation task. Which will change the setting to your preferred state.
Author custom Azure Policies
Microsoft Azure provides you with built-in definitions. However, you can also author your own policy definition if you need to. You can read more about writing your own customs policies in JSON here. You can also use a Visual Studio Code extension to work on policies.
Visual Studio Code Azure Policy Extension
Pricing
Azure Policy is offered at no additional cost to Azure subscribers.
I hope this gives you an overview of how you can keep control of your Azure environment using Azure Policy. If you want to learn more, check out the documentation here. And if you have any questions, please let me know in the comments.
Tags: Assignment, Azure, Azure Governance, Azure Policy, Control, definition, Governance, Initiative, Microsoft, Parameters, Policies, Policy Last modified: March 15, 2020
[…] Azure Policy […]
Hi Thomas,
Great Site, quick question about azure policy enforcing public IP ban on NICs. We have one at Management Group, there is a number of subscriptions under it and so it blocks users of subscriptions from creating VM’s with public IP’s. Can still create a stand alone public IP but cannot associate it with any NIC, blocked by policy.
But sometimes you need to create VM’s with public IP? What way do you have for workaround? e.g. do you exclude a Resource group and add NIC/public IPs in there?
Hi Stephen
Yes, so the way I would to this would be with exceptions. Depending on the use case on a resource group, subscription, or even resource. Whatever fits your case best.
Hi Thomas,
How is redundancy or Continuous availability planned for Azure policy.
Like whats the chances of it failing ?
Understand , Azure Policy is a free service, therefore, it does not have a financially backed SLA.
for say – If I have a policy restricting my resources only to be hosted with in a specific region , and in case the policy ensure that restriction is failing – there are chances we could be able to create resources anywhere by passing that ?