Understanding Azure Policy: Usage and Practical Examples
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, helping to ensure your resources stay compliant with your corporate standards and service level agreements.
Azure Policy performs resource evaluation and enforces organizational compliance. You can monitor compliance data from Azure Policy with Azure Monitor and Azure Activity Log, providing a complete view of the compliance state for a resource or a group of resources.
Defining Azure Policy
An Azure policy is a default allow and explicit deny system. This means that unless there is a policy denying a certain action, it is allowed. If a resource violates a policy, it’s marked as non-compliant.
A policy definition expresses what to evaluate and what action to take. It consists of the following components:
- Parameters: These are configurable values that allow the policy definition to be reused.
- Policy rule: This is the logic that determines if a resource is compliant or not. It includes a logical evaluation of resource properties (if-then conditions).
- Effect: The action that will occur if a resource is non-compliant.
There are several effects that you can use in Azure Policy:
- Audit: This effect logs the non-compliant resources for auditing purposes.
- Deny: This effect denies the creation or updating of non-compliant resources.
- DeployIfNotExists: This effect deploys a related resource if it does not exist.
- Disabled: This effect disables the policy.
Implementing Azure Policy
Now let’s look at how you might use Azure Policy in practice. Suppose you want to enforce a rule that all storage accounts in your Azure environment must have secure transfer enabled.
First, you would create a policy definition with this requirement. Here is a JSON representation of this policy:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": "false"
}
]
},
"then": {
"effect": "deny"
}
}
This policy definition specifies that if a storage account is found with thesupportsHttpsTrafficOnly
property set to false, the effect of deny
is applied, which prevents the creation or update of the storage account.
Once the policy is defined, it must be assigned. The scope of a policy assignment determines what resources or grouping of resources the policy applies to. The policy assignment can be scoped to a management group, a subscription, a resource group, or a single resource.
For instance, to assign the policy to the resource group ‘StorageAccounts’, we would use the following PowerShell command:
New-AzPolicyAssignment -Name 'SecureTransferRequired' -Scope '/subscriptions/{guid}/resourceGroups/StorageAccounts' -PolicyDefinition 'Secure Transfer Required'
After assignment, Azure Policy will evaluate the resources within the scope. Any new or updated resources will also be evaluated against the policy. If a resource is non-compliant, the specified effect will be applied.
Monitoring Compliance
Azure Policy integrates with Azure Monitor and Azure Activity Log, allowing you to view compliance data and track changes to a policy’s compliance state.
In the Azure portal, the policy compliance dashboard provides a snapshot of the compliance state for all assignments at the selected scope. The compliance details page provides a list of all resources and their compliance state for each policy assignment.
Conclusion
Azure Policy is a powerful tool for enforcing organizational standards and assessing compliance at scale. Through its integration with other Azure services, it provides a comprehensive solution for resource management and compliance monitoring. Whether you need to enforce specific requirements or audit your resources for compliance, Azure Policy provides the tools you need to manage your resources effectively.