Author – Pushpak Kale, Cloud Engineer
Azure Policy
Azure Policy is a service in Azure that enables us to create policies which enforce and control the properties of a resource. Azure Policy helps you manage and prevent IT issues with policy definitions that enforce rules and effects for your resources. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management.
Azure Policies Components
- Policy definition is the set of conditions we want controlled. Many built-in policy definitions are available by default, and we can also create custom policy definitions.
- Policy assignment is the scope within which the policy definition takes effect.
- Policy parameters reduce the number of policy definitions we must create, because one definition can be reused with different parameter values.
- Initiative definition is a collection of Azure Policy definitions grouped together for a specific goal or purpose. Azure initiatives simplify management of policies by grouping a set of policies together as one single item.
Policy Effects
Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource.
These effects are currently supported in a policy definition:
- Append
- Audit
- AuditIfNotExists
- Deny
- DeployIfNotExists
- Disabled
- Modify
Remediation
- Azure Policy also provides remediation for resources that are non-compliant with a policy.
- Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the modify operation of the assigned policy on your existing resources and subscriptions, whether that assignment is to a management group, a subscription, a resource group, or an individual resource.
Assignment Scope of Azure Policy
- Subscription – Only resources within that subscription can be assigned the policy definition.
- Management group – Only resources within child management groups and child subscriptions can be assigned the policy definition. If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains each subscription.
Policy Types
- Policy Definitions
Each policy definition is a JSON object. The policy's core component is its condition, which defines the effect and enforcement type for any resource targeted by the policy. There are quite a few built-in policies that you should use. Find the list of built-in policies below.
- Initiative Definitions
An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions, by grouping a set of policies as one single item.
Below are the steps for creating an initiative definition:
If you wish to create a custom policy definition to use in an initiative, follow the steps given below.
Pricing
There are no charges for using Azure Policy on Azure resources. Charges apply if you use Azure Policy for Azure Arc resources.
Recommendation for Managing Policies
Start with an audit effect instead of a deny effect to track the impact of your policy definition on the resources in your environment. If you already have scripts in place to auto-scale your applications, setting a deny effect may hinder those existing automation tasks.
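The following is an added example (not code from the original page or from Microsoft): a constructed custom policy definition in the JSON shape described under Policy Definitions, whose effect is a parameter defaulting to Audit so the same definition can later be assigned with Deny, as the recommendation above suggests. The small evaluator is a simplified stand-in for the Azure Policy engine that supports only the operators this rule uses; the sample resources are constructed, with properties flattened onto their policy alias names.

```python
# Constructed custom policy definition (not an Azure built-in): audit or deny
# storage accounts that still accept plain HTTP. The effect is a parameter that
# defaults to Audit; switching to Deny changes only the assignment, not the rule.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Storage accounts should only allow HTTPS traffic",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {"effect": {
            "type": "String",
            "allowedValues": ["Audit", "Deny", "Disabled"],
            "defaultValue": "Audit"}},
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": "true"}]},
            "then": {"effect": "[parameters('effect')]"}},
    }
}

def condition_matches(cond, resource):
    """Simplified stand-in for the policy engine: only the operators the rule
    above uses (allOf, equals, notEquals), compared case-insensitively."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    value = resource.get(cond["field"])
    value = None if value is None else str(value).lower()
    if "equals" in cond:
        return value == cond["equals"].lower()
    return value != cond["notEquals"].lower()

def evaluate(definition, resource, parameters=None):
    """Return the effect the rule applies to `resource`, or None when the 'if'
    block does not match (compliant or out of scope) or the effect is Disabled."""
    props = definition["properties"]
    params = {k: v["defaultValue"] for k, v in props["parameters"].items()}
    params.update(parameters or {})  # assignment-time values override defaults
    effect = props["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('"):  # resolve "[parameters('effect')]"
        effect = params[effect[len("[parameters('"):-3]]
    if effect == "Disabled" or not condition_matches(props["policyRule"]["if"], resource):
        return None
    return effect

# Constructed sample resources, properties flattened onto their policy aliases.
HTTP_STORAGE = {"type": "Microsoft.Storage/storageAccounts",
                "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False}
HTTPS_STORAGE = {"type": "Microsoft.Storage/storageAccounts",
                 "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True}
```

With the default parameter, the plain-HTTP account is only audited; passing `{"effect": "Deny"}` at assignment time turns the same definition into a blocking control.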
Create and assign initiative definitions even for a single policy definition. For example, suppose you have policy definition policyDefA and create it under initiative definition initiativeDefC. If you later create another policy definition, policyDefB, with goals similar to policyDefA, you can add it under initiativeDefC and track them together.
Once you’ve created an initiative assignment, policy definitions added to the initiative also become part of that initiative’s assignments.