Policy Management with Azure

Introduction

Every organisation has a set of regulations and compliances that it must comply with. Some of these are regulatory and are imposed by external organisations; for example, GDPR legislation, while others may vary from sector to sector. The regulations imposed on financial organisations will be different from those imposed on manufacturers and if an organisation wants to achieve certification; for example, ISO certification, then there’s a set of regulations that need to be complied with. Apart from external regulations and compliances, organisations will also have their own policies to comply with. "Azure Policy" is a service that helps organisations comply and manage policy and procedures to meet regulatory requirements.

What Does It Do?

Azure Policy makes it easier for companies to comply with policies and regulations, whether they’re externally imposed or generated internally. Azure Policy can help you to design, create, assign and manage policies. Also, it runs evaluations of your resources and scans for breaches of your policies.

Creating Policy Definitions

This is the first thing you’ll have to do. Every policy definition includes conditions under which it’s enforced. If the conditions are met, then there is an effect. You can create your own policies, but Azure Policy has a number of built-in policies including:

• Require SQL Server 12.0 – This is to ensure that all users use this version of the SQL server
• Allowed location – This policy is a part of enforcing geo-location compliance requirements
• Allowed resource type – This policy lists which are the allowed resource types and will deny access to any resource type not on the list
• Not allowed resource type – With this policy, you can specify what types of resources your organisation is not allowed to deploy.

Any of these policies can be implemented using PowerShell, Azure CLI or Azure portal.

Assigning Policy

Once a policy is defined, it needs to be assigned to take place within a specific scope before it can be implemented. A scope is all the subscriptions, management groups or resource groups that a policy definition is assigned to. Also, policy assignments are inherited by all child resources; for example, if a policy is assigned to a resource group, then it is applied to all the resources in the resource group.

Policy Parameters

Parameters can be defined when creating a policy definition in order to make the definition more generic. A relatively generic definition can be used in a number of different scenarios, by passing in different values when assigning the policy definition. Each time a parameter is defined, it’s given a name and a value. The value can then be changed when the policy is assigned to a different area.

Defining an Initiative

A collection of policy definitions that are working towards one overall goal is known as an initiative definition. Managing and assigning policy definitions is simplified by grouping a set of policies together in an initiative definition. Like a policy definition, a initiative definition is assigned to a specific scope and it also has parameters which can be defined.

Policy Management Recommendations

When you start creating policy definitions, it’s better to start with an audit effect instead of a deny effect. This will allow you to keep track of the impact of your policy definitions on your environment. Using a deny effect may have a negative impact on any automated tasks that you already have in place.

Try to remember to create definitions at higher levels; for example, at the management group of subscription level. Then, assignment can be carried out at the child level.

Policy and procedure management is becoming very important due to increasing focus on data privacy and Azure policy makes it easy to implement - it's worth checking out.

History

• 24^th December, 2018 - Version 1