cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
How does Azure Policies in Enterprise-scale Landing Zone help?
By
Mahesh Kshirsagar
Published Apr 14 2021 09:59 AM 11.2K Views
Mahesh Kshirsagar
Microsoft
‎Apr 14 2021 09:59 AM

How does Azure Policies in Enterprise-scale Landing Zone help?

‎Apr 14 2021 09:59 AM

scope-levels.png

 

Policy-driven Governance is a cornerstone in Enterprise-scale Landing Zone (ESLZ!).  It's possible to codify corporate, industry or country specific governance requirements declaratively using Azure Policy. ESLZ provides 90+ custom policies which help in meeting most common corporate governance requirements with a single click.

 

Benefits of these 90+ custom policies is documented in detail.

 

Following table lists these policies and the governance requirements they help in enforcing.  

 

Custom Policy in ESLZ Benefit

Deny-PublicIP

Deny-Public-Endpoints-for-PaaS-Services*

 Prevent Public IP based services 
Deploy-Diag-LogAnalytics**
 Enforce audit and log information collection
Deploy-Sql-Security
 Provide comprehensive security for SQL Databases 
Deploy-Sql-Tde
 Encrypt SQL data at rest 
Deploy-Sql-SecurityAlertPolicies
 Enforce alerts for suspicious activity 
Deploy-Sql-AuditingSettings
 Enforce audit trail of operations 
Deploy-Sql-vulnerabilityAssessments
 Enforce evaluation against proven best practices 
Append-KV-SoftDelete
 Protect against intentional/unintentional secret deletion 
Deny-AppGW-Without-WAF
 Enforce Web Application Firewall (WAF)
Deny-IP-forwarding
 Prevent IP forwarding on VMs 
Deny-Private-DNS-Zones
 Enforce centralized DNS record management 
Deny-Subnet-Without-Nsg
 Enforce network traffic control 
Deploy-ASC-Standard
 Detect and protect against security threats by using Azure Security Center 
Deploy-AzureBackup-on-VM
 Protect against ransomware attacks and other data-loss related issues
Deploy-DDoSProtection
 Protect against DDoS attacks 
Deploy-DNSZoneGroup-For-*-PrivateEndpoint***
 Auto-provision Private Link/Endpoint with Private DNS Zone 
Deploy-FirewallPolicy
 Centrally manage firewall rules 
Deploy-HUB
Deny-VNetPeering
 Provision Hub and Spoke Network topology 
Deploy-LA-Config
 Provision default configuration for Azure Monitor 
Deploy-Log-Analytics
 Enable Log Storage and Querying 
Deploy-*-Arc-Monitoring
 Provision logging for Azure-Arc enabled servers 
Deploy-Nsg-FlowLogs
 Enforce Network Traffic Log collection 
Deploy-vWAN
Deploy-vHUB
 Provision at-scale network connectivity solution 
Deploy-VM-Backup
 Provision backup for Azure VMs 
Deploy-vNet
 Provision connectivity between Virtual Networks (VNets) 
Deploy-Windows-DomainJoin
 Enforce Windows VMs to join AD Domain 

 

Deny-Public-Endpoints-for-PaaS-Services Policy Initiative includes following policies which apply on specific Azure services.
 
  1.     Deny-PublicEndpoint-CosmosDB
  2.     Deny-PublicEndpoint-MariaDB
  3.     Deny-PublicEndpoint-MySQL
  4.     Deny-PublicEndpoint-PostgreSql
  5.     Deny-PublicEndpoint-KeyVault
  6.     Deny-PublicEndpoint-Sql
  7.     Deny-PublicEndpoint-Storage
  8.     Deny-PublicEndpoint-Aks
  
Deploy-Diag-LogAnalytics PolicySet helps capturing Logs and Metrics as shown below.
 
Policy Name Log Categories Metrics
Deploy-Diagnostics-AA JobLogs JobStreams DscNodeStatus AllMetrics
Deploy-Diagnostics-ACI   AllMetrics
Deploy-Diagnostics-ACR   AllMetrics
Deploy-Diagnostics-ActivityLog Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth  
Deploy-Diagnostics-AKS kube-audit kube-apiserver kube-controller-manager kube-scheduler cluster-autoscaler AllMetrics
Deploy-Diagnostics-AnalysisService Engine Service AllMetrics
Deploy-Diagnostics-APIMgmt GatewayLogs Gateway Requests Capacity EventHub Events
Deploy-Diagnostics-ApplicationGateway ApplicationGatewayAccessLog ApplicationGatewayPerformanceLog ApplicationGatewayFirewallLog AllMetrics
Deploy-Diagnostics-Batch ServiceLog AllMetrics
Deploy-Diagnostics-CDNEndpoints CoreAnalytics  
Deploy-Diagnostics-CognitiveServices Audit RequestResponse AllMetrics
Deploy-Diagnostics-CosmosDB DataPlaneRequests MongoRequests QueryRuntimeStatistics Requests"
Deploy-Diagnostics-DataFactory ActivityRuns PipelineRuns TriggerRuns AllMetrics
Deploy-Diagnostics-DataLakeStore Audit Requests AllMetrics
Deploy-Diagnostics-DLAnalytics Audit Requests AllMetrics
Deploy-Diagnostics-EventGridSub   AllMetrics
Deploy-Diagnostics-EventGridTopic   AllMetrics
Deploy-Diagnostics-EventHub ArchiveLogs OperationalLogs AutoScaleLogs AllMetrics
Deploy-Diagnostics-ExpressRoute PeeringRouteLog AllMetrics
Deploy-Diagnostics-Firewall AzureFirewallApplicationRule AzureFirewallNetworkRule AzureFirewallDnsProxy AllMetrics
Deploy-Diagnostics-HDInsight   AllMetrics
Deploy-Diagnostics-iotHub Connections DeviceTelemetry C2DCommands DeviceIdentityOperations FileUploadOperations Routes D2CTwinOperations C2DTwinOperations TwinQueries JobsOperations DirectMethods E2EDiagnostics Configurations AllMetrics
Deploy-Diagnostics-KeyVault AuditEvent AllMetrics
Deploy-Diagnostics-LoadBalancer LoadBalancerAlertEvent LoadBalancerProbeHealthStatus AllMetrics
Deploy-Diagnostics-LogicAppsISE IntegrationAccountTrackingEvents  
Deploy-Diagnostics-LogicAppsWF WorkflowRuntime AllMetrics
Deploy-Diagnostics-MlWorkspace AmlComputeClusterEvent AmlComputeClusterNodeEvent AmlComputeJobEvent AmlComputeCpuGpuUtilization AmlRunStatusChangedEvent Run Model Quota Resource
Deploy-Diagnostics-MySQL MySqlSlowLogs AllMetrics
Deploy-Diagnostics-NetworkSecurityGroups NetworkSecurityGroupEvent NetworkSecurityGroupRuleCounter  
Deploy-Diagnostics-NIC   AllMetrics
Deploy-Diagnostics-PostgreSQL PostgreSQLLogs AllMetrics
Deploy-Diagnostics-PowerBIEmbedded Engine AllMetrics
Deploy-Diagnostics-PublicIP DDoSProtectionNotifications DDoSMitigationFlowLogs DDoSMitigationReports AllMetrics
Deploy-Diagnostics-RecoveryVault CoreAzureBackup AddonAzureBackupAlerts AddonAzureBackupJobs AddonAzureBackupPolicy AddonAzureBackupProtectedInstance AddonAzureBackupStorage  
Deploy-Diagnostics-RedisCache   AllMetrics
Deploy-Diagnostics-Relay   AllMetrics
Deploy-Diagnostics-SearchServices OperationLogs AllMetrics
Deploy-Diagnostics-ServiceBus OperationalLogs AllMetrics
Deploy-Diagnostics-SignalR   AllMetrics
Deploy-Diagnostics-SQLDBs SQLInsights AutomaticTuning QueryStoreRuntimeStatistics QueryStoreWaitStatistics Errors DatabaseWaitStatistics Timeouts Blocks Deadlocks SQLSecurityAuditEvents AllMetrics
Deploy-Diagnostics-SQLElasticPools   AllMetrics
Deploy-Diagnostics-SQLMI ResourceUsageStats SQLSecurityAuditEvents  
Deploy-Diagnostics-StreamAnalytics Execution Authoring AllMetrics
Deploy-Diagnostics-TimeSeriesInsights   AllMetrics
Deploy-Diagnostics-TrafficManager ProbeHealthStatusEvents AllMetrics
Deploy-Diagnostics-VirtualNetwork VMProtectionAlerts AllMetrics
Deploy-Diagnostics-VM   AllMetrics
Deploy-Diagnostics-VMSS   AllMetrics
Deploy-Diagnostics-VNetGW GatewayDiagnosticLog IKEDiagnosticLog P2SDiagnosticLog RouteDiagnosticLog RouteDiagnosticLog TunnelDiagnosticLog AllMetrics
Deploy-Diagnostics-WebServerFarm   AllMetrics
Deploy-Diagnostics-Website   AllMetrics
 
PolicySet Deploy-DNSZoneGroup-For-*-PrivateEndpoint targets Azure services as shown below.
 
Policy Name Azure Service
Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint Azure Storage Blob
Deploy-DNSZoneGroup-For-File-PrivateEndpoint
 Azure Storage File
Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint
 Azure Storage Queue
Deploy-DNSZoneGroup-For-Table-PrivateEndpoint
 Azure Storage Table
Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint
 Azure KeyVault
Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint
 Azure SQL Database
 
 
3 Comments
Co-Authors
Version history
Last update:
‎Apr 04 2022 01:41 PM
Updated by:
Labels