
Implementing Governance for your Azure Cloud Using Azure Policy

by info.odysseyx@gmail.com


Azure Policy is a service that lets you create, assign, and manage policies that govern Azure resources. Policies are rules that define the desired state and configuration of resources, such as location, size, tags, and properties. Policies can also audit the compliance status of resources and report on violations.

Azure Policy helps you ensure that your resources adhere to the best practices and standards you define for your organization. You can also use Azure Policy to implement cost management, security, and compliance for your cloud environment.

Azure Policy works by evaluating resources against policies assigned to them. You can assign policies at a variety of levels, such as management group, subscription, resource group, or resource level. You can also create policy initiatives, which are collections of policies that work together to achieve a specific goal.

When assigning a policy, you can choose whether to apply it in audit mode or enforcement mode. Audit mode only monitors and reports on the compliance status of resources, while enforcement mode prevents noncompliant actions from occurring. For example, you can create a policy that restricts the locations allowed for a resource and assign it in enforcement mode. This prevents users from creating or moving resources to locations not allowed by the policy.

Azure Policy evaluates resources periodically and whenever resources or policies change. You can view the compliance status of your resources and policies in the Azure portal, or use the Azure Policy API to integrate with other tools and services. You can also use Azure Policy to automatically or manually enforce desired configurations to remediate noncompliant resources.

Azure Policy is a powerful tool for cloud governance that lets you define and enforce rules and standards that your resources must follow. With Azure Policy, you can:

– Achieve consistency and compliance across your cloud environment by ensuring resources are organized according to policy.

– Reduce costs and optimize resource utilization by limiting the types and sizes of resources that can be created or used.

– Strengthen security and reduce risk by limiting access to resources and the actions that can be performed.

– Meet regulatory and legal requirements by adhering to policies that align with industry standards and frameworks applicable to your organization.

Azure Policy is a core component of the Azure governance methodology, providing a comprehensive approach to managing cloud resources. Using Azure Policy in conjunction with other services such as Azure Management Groups, Azure Blueprints, and Azure Resource Graph, you can achieve effective and efficient cloud governance for your organization.

Azure Policy ships with many built-in policy definitions; some commonly used ones are:

  • Apply tags and their values: applies the required tags and their values to resource groups or subscriptions.
  • Allowed locations: restricts the locations that your organization can specify when deploying resources.
  • Audit VMs not using managed disks: audits all virtual machines that are not configured with managed disks, which is the recommended disk storage for virtual machines in Azure.
  • Allowed resource types: specifies the types of resources that your organization can deploy. For example, you can allow only virtual machines and storage accounts and deny all other resource types.
  • Audit insecure SSL protocols: audits the use of SSL protocols that are considered insecure, such as SSLv2 and SSLv3, and recommends TLS instead.

What if none of the built-in definitions expresses the rule you need? In that case you can create your own: a custom policy.

  • To create a custom Azure policy, you define a policy definition and a policy assignment.
  • A policy definition is a JSON document that specifies the logic and effect of the policy. It consists of the following elements:
    • Metadata: information about the policy, such as name, description, category and mode.
    • Parameters: optional inputs that can be used to customize the policy.
    • Policy rule: the core logic of the policy, which defines the conditions (if) and the effect (then) used when evaluating resources.
  • A policy assignment is an association between a policy definition and a scope (subscription, resource group, or resource). Assignments can also specify parameters, exclusions, and the enforcement mode for the policy.
  • To create a custom Azure policy, you can use one of the following methods:
    • Azure portal: a graphical user interface for creating and managing policies.
    • Azure PowerShell: a command-line tool for creating and managing policies with scripts.
    • Azure CLI: a cross-platform command-line tool for creating and managing policies with commands.
    • Azure Resource Manager templates: a declarative way to define and deploy policies using JSON files.

In this example, we create a custom Azure policy that denies the creation of public IP addresses with dynamic allocation in a resource group, using the Azure portal for both the definition and the assignment. Here are the steps to follow:

  1. Sign in to the Azure portal and navigate to the Policy service.
  2. Click Definitions, then click + Policy definition.
  3. Enter a name, description, and category for the policy definition.
  4. Copy and paste the following JSON into the Policy rule section (the rule keywords are if, allOf, then and effect, and the effect value is deny):

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/publicIPAddresses"
          },
          {
            "field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod",
            "equals": "Dynamic"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }

     This policy rule denies the creation of public IP addresses that use the dynamic allocation method; statically allocated public IP addresses are not affected.
  5. Click Save to create the policy definition.
  6. Click Assignments, then click Assign policy.
  7. Select the scope of the assignment, that is, the resource group to which you want to apply the policy.
  8. Select the policy definition you just created from the list of available definitions.
  9. Enter a name and description for the policy assignment.
  10. Click Review + create, and then Create, to create the assignment.

The policy is now assigned to the resource group and is evaluated against new and existing resources within its scope. You can view the compliance status and details of the assignment in the Policy service.
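To make the rule semantics concrete, here is an added example (my own Python, not code from the post and not Azure Policy's implementation) that evaluates the rule above, plus an allowed-locations audit rule, against a constructed resource inventory. It also shows the difference between the deny and audit effects and what an assignment's enforcementMode (Default versus DoNotEnforce) changes. The alias-to-property mapping, the parameter handling and the resource records are simplifying assumptions made for this toy model; the real service resolves aliases from provider schemas and supports many more conditions and effects.

```python
"""Toy evaluator for the Azure Policy rule language used in this post.

Added example, not code from the original post and not part of Azure Policy.
It models only the subset the post relies on: field conditions (equals, in),
the allOf / anyOf / not composites, [parameters('x')] references, and the deny
and audit effects together with an assignment's enforcementMode."""
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, parameters):
    """Replace a [parameters('name')] reference with the assigned value."""
    m = isinstance(value, str) and PARAM_REF.match(value)
    return parameters[m.group(1)] if m else value

def field_value(resource, field):
    """Look a policy field up on a resource (toy alias resolution)."""
    if field in ("type", "location", "name"):
        return resource.get(field)
    # An alias such as Microsoft.Network/publicIPAddresses/publicIPAllocationMethod
    # maps to properties.publicIPAllocationMethod here (simplifying assumption).
    return (resource.get("properties") or {}).get(field.rsplit("/", 1)[-1])

def same(a, b):
    """Azure Policy compares strings case-insensitively."""
    return a.lower() == b.lower() if isinstance(a, str) and isinstance(b, str) else a == b

def matches(resource, cond, parameters):
    """Evaluate one condition block from a policyRule 'if'."""
    if "allOf" in cond:
        return all(matches(resource, c, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c, parameters) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"], parameters)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return same(value, resolve(cond["equals"], parameters))
    if "in" in cond:
        return any(same(value, v) for v in resolve(cond["in"], parameters))
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, resource, parameters=None, enforcement_mode="Default"):
    """How one assignment treats one resource.

    compliant is False whenever the 'if' block matches (audit and deny alike);
    blocked is True only for a matched deny on an assignment whose enforcementMode
    is Default. DoNotEnforce still reports the violation but lets the request through."""
    params = {**definition.get("parameters", {}), **(parameters or {})}
    rule = definition["policyRule"]
    if not matches(resource, rule["if"], params):
        return {"compliant": True, "effect": None, "blocked": False}
    effect = rule["then"]["effect"].lower()
    blocked = effect == "deny" and enforcement_mode == "Default"
    return {"compliant": False, "effect": effect, "blocked": blocked}

def noncompliant(definition, resources, **kw):
    """Names of the resources an assignment would report as non-compliant."""
    return [r["name"] for r in resources
            if not evaluate(definition, r, **kw)["compliant"]]

# The post's custom rule, written with the field names Azure Policy expects.
DENY_DYNAMIC_PUBLIC_IP = {
    "displayName": "Deny dynamic public IP addresses",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
            {"field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod",
             "equals": "Dynamic"},
        ]},
        "then": {"effect": "deny"},
    },
}

# An allowed-locations audit rule; the list is a parameter with a default value.
AUDIT_LOCATIONS = {
    "displayName": "Audit resources outside allowed locations",
    "parameters": {"allowedLocations": ["westeurope", "northeurope"]},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "audit"},
    },
}

# Constructed sample inventory (not real resources).
RESOURCES = [
    {"name": "pip-dynamic", "type": "Microsoft.Network/publicIPAddresses",
     "location": "westeurope", "properties": {"publicIPAllocationMethod": "Dynamic"}},
    {"name": "pip-static", "type": "Microsoft.Network/publicIPAddresses",
     "location": "westeurope", "properties": {"publicIPAllocationMethod": "Static"}},
    {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
]

if __name__ == "__main__":
    for r in RESOURCES:
        print(r["name"], evaluate(DENY_DYNAMIC_PUBLIC_IP, r))
    print("outside allowed locations:", noncompliant(AUDIT_LOCATIONS, RESOURCES))
```

Running the block shows the dynamic public IP being reported non-compliant and blocked, the static one passing, and the storage account in eastus flagged by the audit rule without being blocked. Passing `enforcement_mode="DoNotEnforce"` to `evaluate` for the deny rule yields the same compliance result but `blocked` becomes False, which is the behaviour of an assignment with Policy enforcement set to Disabled: the violation is recorded for reporting, but the deployment is not stopped.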

Below are the steps to assign a policy that only identifies noncompliant resources for auditing purposes; in some situations you will instead want to enforce the policy, as described in the tutorial linked below.

Tutorial: Building policies to enforce compliance – Azure Policy | Microsoft Learn

  1. Create a policy assignment: enter "policy" in the portal search box, open Policy, and go to Assignments.
  2. In the Assignments pane, choose Assign policy.
  3. Under Available definitions, choose the policy you need.
  4. Select the correct scope for the policy, such as a subscription or resource group. In the Exclusions field you can also determine which resources are excluded from the assignment.
  5. Decide whether this policy should be enforced (Policy enforcement: Enabled or Disabled). In our case we set it to Disabled, so the assignment only produces compliance assessment reports; we only need to know which network interfaces have a public IP address assigned.
  6. Click Next. On the Remediation tab you can specify a managed identity (not needed in our case).
  7. Optionally set a Non-compliance message.
  8. Click Review + create, then Create, to complete the process.
  9. To view noncompliant resources, enter the policy name in the search box of the Policy service.
  10. Click View compliance.
  11. Observe the non-compliant resources.

You may need to implement and amend policies as your needs change.

Upcoming blogs will cover options for remediating these noncompliant resources.

The sample scripts are not supported by any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, the authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including but not limited to damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.




