Using Azure Policy to Enforce Corporate Standards

CloudClarity
3 min read · Aug 6, 2021


Control your Azure resource costs and usage without all the usual time-consuming management work.

Azure Policy allows administrators to impose rules and corporate standards over your Azure resources, which is excellent for managing compliance. You can choose to use pre-made policies as a starting point, or you can create your own custom policies if you feel like something is lacking from the pre-made options.

It’s best to try and use the pre-made policies as much as possible initially before you start looking at custom ones. This is due to the added complexity and moving parts that can come with custom policies, which can overload your IT admins.

Management groups can also have multiple policies added, which can help you achieve better structural efficiency and influence for large implementations.

Table of Contents:

1. Azure Policy overview

2. Policy application to Azure resource groups

3. Testing policy effects

1. Azure Policy overview

To start off, select Policy from the dashboard to view available policies. This view shows the usual navigation and highlights. Select Definitions to view current policies. You can scope the view based on management group or subscription, which is useful when you have hundreds of policies.

Definitions come in two types: initiatives and policies. An initiative is a group of policy definitions, whereas a policy is a single policy definition.

2. Policy application to Azure resource groups

Say you create an empty resource group and name it test-compliance. How can you apply an Azure Policy directly to this resource group? And how will it affect resources that you’ll provision within this resource group?

1. Click Assign under Azure Policy. This allows us to start applying the policy to our target.

2. Define a scope for the policy’s assignment. This can be a management group, a resource group or a subscription. Here, you can select the test-compliance resource group as well as a management group and Azure subscription of your choosing.

3. Specify possible exclusions. You can exempt specific resources if, say, you have a resource group with some resources in it already. This is optional though, and you can leave it blank for now.

4. Specify a name and value for a tag, as the policy needs a tag to be specified.

5. Click Assign once completed. It can sometimes take up to 30 minutes for the new setting to be activated, although this depends on the complexity of the management group structure and policy definitions.

3. Testing policy effects

When you want to test a policy’s effect, create a new Azure resource within the test-compliance resource group. If you create a new virtual machine and fill out all relevant settings except Tags, Azure Policy kicks in during final validation.

You may find that the validation fails, with details showing that a tag and value are needed. Once a tag and its value have been added, validation passes. There can be a maximum of 500 policy definitions per subscription.

In Azure Policy, under Compliance, you can see the total compliance of all policies as well as their application and effect on your subscriptions, management groups and resources. But what happens when a subscription has resources that aren’t compliant? Well, by default, nothing. Many subscriptions have resources already implemented before policies were applied. So, when policies are applied later through management groups or directly with Azure Policy, those resources just become non-compliant. This is a common occurrence.

Under the Compliance tab, there are non-compliant collections you can click on to review the cause of non-compliance. Through this tab, you can also respond to these findings by reevaluating the initial policy assignment, removing it, or reworking the resources so that they become compliant.
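To see ahead of time which existing resources the assignment from section 2 would flag, the following added example (not from the original article and not Azure's own evaluation engine) models the scope, exclusions and required tag over a resource inventory. It assumes a policy that requires a tag name and value with a deny effect; the subscription ID, resource names, the tag costCenter=1234 and the case-insensitive comparison are all assumptions of this model.

```python
# Added example: simplified model of a "require tag and value" policy with a
# deny effect. Not Azure's evaluation engine; every ID below is constructed.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SCOPE = f"{SUB}/resourceGroups/test-compliance"
EXCLUSIONS = [f"{SCOPE}/providers/Microsoft.Storage/storageAccounts/legacylogs"]
TAG_NAME, TAG_VALUE = "costCenter", "1234"  # assumed tag name and value (step 4)

# Constructed inventory, shaped like an exported resource list (id + tags).
INVENTORY = [
    {"id": f"{SCOPE}/providers/Microsoft.Compute/virtualMachines/vm-old", "tags": None},
    {"id": f"{SCOPE}/providers/Microsoft.Compute/virtualMachines/vm-new",
     "tags": {"CostCenter": "1234"}},
    {"id": f"{SCOPE}/providers/Microsoft.Storage/storageAccounts/legacylogs", "tags": {}},
    {"id": f"{SUB}/resourceGroups/other-rg/providers/Microsoft.Web/sites/app1", "tags": {}},
]

def _under(resource_id, scope):
    """True if resource_id is the scope itself or a child of it."""
    rid, sc = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    # The "/" guard stops test-compliance2 from matching test-compliance.
    return rid == sc or rid.startswith(sc + "/")

def has_required_tag(tags):
    """Model assumption: tag name and value are compared case-insensitively."""
    return any(k.lower() == TAG_NAME.lower() and str(v).lower() == TAG_VALUE.lower()
               for k, v in (tags or {}).items())

def evaluate(resource):
    """Compliance state an existing resource would show after assignment."""
    if not _under(resource["id"], SCOPE):
        return "not-evaluated"   # outside the assignment scope (step 2)
    if any(_under(resource["id"], ex) for ex in EXCLUSIONS):
        return "excluded"        # listed as an exclusion (step 3)
    return "compliant" if has_required_tag(resource.get("tags")) else "non-compliant"

def validate_new_deployment(resource):
    """Deny blocks a new resource that fails the rule; existing ones are only reported."""
    return "denied" if evaluate(resource) == "non-compliant" else "allowed"

def preview(inventory):
    """Map each resource name to its state, for review before assigning."""
    return {r["id"].rsplit("/", 1)[-1]: evaluate(r) for r in inventory}

if __name__ == "__main__":
    for name, state in preview(INVENTORY).items():
        print(f"{name:12} {state}")
```

Running the preview against an export of your own inventory shows how many resources will appear under the Compliance tab as non-compliant once the policy is assigned.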

CloudClarity can help maintain compliance in your cloud environment. For more information, visit https://portal.cloudclarity.app/home/compliance
