How does Azure Policies in Enterprise-scale Landing Zone help?

Published Apr 14 2021 09:59 AM 3,471 Views

Policy-driven Governance is a cornerstone in Enterprise-scale Landing Zone (ESLZ!).  It's possible to codify corporate, industry or country specific governance requirements declaratively using Azure Policy. ESLZ provides 90+ custom policies which help in meeting most common corporate governance requirements with a single click.

 

Benefits of these 90+ custom policies is documented in detail.

 

Following table lists these policies and the governance requirements they help in enforcing.  

 

Custom Policy in ESLZ Benefit

Deny-PublicIP

Deny-Public-Endpoints-for-PaaS-Services*

Prevent Public IP based services 
Deploy-Diag-LogAnalytics**
Enforce audit and log information collection
Deploy-Sql-Security
Provide comprehensive security for SQL Databases 
Deploy-Sql-Tde
Encrypt SQL data at rest 
Deploy-Sql-SecurityAlertPolicies
Enforce alerts for suspicious activity 
Deploy-Sql-AuditingSettings
Enforce audit trail of operations 
Deploy-Sql-vulnerabilityAssessments
Enforce evaluation against proven best practices 
Append-KV-SoftDelete
Protect against intentional/unintentional secret deletion 
Deny-AppGW-Without-WAF
Enforce Web Application Firewall (WAF)
Deny-IP-forwarding
Prevent IP forwarding on VMs 
Deny-Private-DNS-Zones
Enforce centralized DNS record management 
Deny-Subnet-Without-Nsg
Enforce network traffic control 
Deploy-ASC-Standard
Detect and protect against security threats by using Azure Security Center 
Deploy-AzureBackup-on-VM
Protect against ransomware attacks and other data-loss related issues
Deploy-DDoSProtection
Protect against DDoS attacks 
Deploy-DNSZoneGroup-For-*-PrivateEndpoint***
Auto-provision Private Link/Endpoint with Private DNS Zone 
Deploy-FirewallPolicy
Centrally manage firewall rules 
Deploy-HUB
Deny-VNetPeering
Provision Hub and Spoke Network topology 
Deploy-LA-Config
Provision default configuration for Azure Monitor 
Deploy-Log-Analytics
Enable Log Storage and Querying 
Deploy-*-Arc-Monitoring
Provision logging for Azure-Arc enabled servers 
Deploy-Nsg-FlowLogs
Enforce Network Traffic Log collection 
Deploy-vWAN
Deploy-vHUB
Provision at-scale network connectivity solution 
Deploy-VM-Backup
Provision backup for Azure VMs 
Deploy-vNet
Provision connectivity between Virtual Networks (VNets) 
Deploy-Windows-DomainJoin
Enforce Windows VMs to join AD Domain 

 

Deny-Public-Endpoints-for-PaaS-Services Policy Initiative includes following policies which apply on specific Azure services.
 
  1.     Deny-PublicEndpoint-CosmosDB
  2.     Deny-PublicEndpoint-MariaDB
  3.     Deny-PublicEndpoint-MySQL
  4.     Deny-PublicEndpoint-PostgreSql
  5.     Deny-PublicEndpoint-KeyVault
  6.     Deny-PublicEndpoint-Sql
  7.     Deny-PublicEndpoint-Storage
  8.     Deny-PublicEndpoint-Aks
  
Deploy-Diag-LogAnalytics PolicySet helps capturing Logs and Metrics as shown below.
 
Policy Name Log Categories Metrics
Deploy-Diagnostics-AA JobLogs JobStreams DscNodeStatus AllMetrics
Deploy-Diagnostics-ACI   AllMetrics
Deploy-Diagnostics-ACR   AllMetrics
Deploy-Diagnostics-ActivityLog Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth  
Deploy-Diagnostics-AKS kube-audit kube-apiserver kube-controller-manager kube-scheduler cluster-autoscaler AllMetrics
Deploy-Diagnostics-AnalysisService Engine Service AllMetrics
Deploy-Diagnostics-APIMgmt GatewayLogs Gateway Requests Capacity EventHub Events
Deploy-Diagnostics-ApplicationGateway ApplicationGatewayAccessLog ApplicationGatewayPerformanceLog ApplicationGatewayFirewallLog AllMetrics
Deploy-Diagnostics-Batch ServiceLog AllMetrics
Deploy-Diagnostics-CDNEndpoints CoreAnalytics  
Deploy-Diagnostics-CognitiveServices Audit RequestResponse AllMetrics
Deploy-Diagnostics-CosmosDB DataPlaneRequests MongoRequests QueryRuntimeStatistics Requests"
Deploy-Diagnostics-DataFactory ActivityRuns PipelineRuns TriggerRuns AllMetrics
Deploy-Diagnostics-DataLakeStore Audit Requests AllMetrics
Deploy-Diagnostics-DLAnalytics Audit Requests AllMetrics
Deploy-Diagnostics-EventGridSub   AllMetrics
Deploy-Diagnostics-EventGridTopic   AllMetrics
Deploy-Diagnostics-EventHub ArchiveLogs OperationalLogs AutoScaleLogs AllMetrics
Deploy-Diagnostics-ExpressRoute PeeringRouteLog AllMetrics
Deploy-Diagnostics-Firewall AzureFirewallApplicationRule AzureFirewallNetworkRule AzureFirewallDnsProxy AllMetrics
Deploy-Diagnostics-HDInsight   AllMetrics
Deploy-Diagnostics-iotHub Connections DeviceTelemetry C2DCommands DeviceIdentityOperations FileUploadOperations Routes D2CTwinOperations C2DTwinOperations TwinQueries JobsOperations DirectMethods E2EDiagnostics Configurations AllMetrics
Deploy-Diagnostics-KeyVault AuditEvent AllMetrics
Deploy-Diagnostics-LoadBalancer LoadBalancerAlertEvent LoadBalancerProbeHealthStatus AllMetrics
Deploy-Diagnostics-LogicAppsISE IntegrationAccountTrackingEvents  
Deploy-Diagnostics-LogicAppsWF WorkflowRuntime AllMetrics
Deploy-Diagnostics-MlWorkspace AmlComputeClusterEvent AmlComputeClusterNodeEvent AmlComputeJobEvent AmlComputeCpuGpuUtilization AmlRunStatusChangedEvent Run Model Quota Resource
Deploy-Diagnostics-MySQL MySqlSlowLogs AllMetrics
Deploy-Diagnostics-NetworkSecurityGroups NetworkSecurityGroupEvent NetworkSecurityGroupRuleCounter  
Deploy-Diagnostics-NIC   AllMetrics
Deploy-Diagnostics-PostgreSQL PostgreSQLLogs AllMetrics
Deploy-Diagnostics-PowerBIEmbedded Engine AllMetrics
Deploy-Diagnostics-PublicIP DDoSProtectionNotifications DDoSMitigationFlowLogs DDoSMitigationReports AllMetrics
Deploy-Diagnostics-RecoveryVault CoreAzureBackup AddonAzureBackupAlerts AddonAzureBackupJobs AddonAzureBackupPolicy AddonAzureBackupProtectedInstance AddonAzureBackupStorage  
Deploy-Diagnostics-RedisCache   AllMetrics
Deploy-Diagnostics-Relay   AllMetrics
Deploy-Diagnostics-SearchServices OperationLogs AllMetrics
Deploy-Diagnostics-ServiceBus OperationalLogs AllMetrics
Deploy-Diagnostics-SignalR   AllMetrics
Deploy-Diagnostics-SQLDBs SQLInsights AutomaticTuning QueryStoreRuntimeStatistics QueryStoreWaitStatistics Errors DatabaseWaitStatistics Timeouts Blocks Deadlocks SQLSecurityAuditEvents AllMetrics
Deploy-Diagnostics-SQLElasticPools   AllMetrics
Deploy-Diagnostics-SQLMI ResourceUsageStats SQLSecurityAuditEvents  
Deploy-Diagnostics-StreamAnalytics Execution Authoring AllMetrics
Deploy-Diagnostics-TimeSeriesInsights   AllMetrics
Deploy-Diagnostics-TrafficManager ProbeHealthStatusEvents AllMetrics
Deploy-Diagnostics-VirtualNetwork VMProtectionAlerts AllMetrics
Deploy-Diagnostics-VM   AllMetrics
Deploy-Diagnostics-VMSS   AllMetrics
Deploy-Diagnostics-VNetGW GatewayDiagnosticLog IKEDiagnosticLog P2SDiagnosticLog RouteDiagnosticLog RouteDiagnosticLog TunnelDiagnosticLog AllMetrics
Deploy-Diagnostics-WebServerFarm   AllMetrics
Deploy-Diagnostics-Website   AllMetrics
 
PolicySet Deploy-DNSZoneGroup-For-*-PrivateEndpoint targets Azure services as shown below.
 
Policy Name Azure Service
Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint Azure Storage Blob
Deploy-DNSZoneGroup-For-File-PrivateEndpoint
Azure Storage File
Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint
Azure Storage Queue
Deploy-DNSZoneGroup-For-Table-PrivateEndpoint
Azure Storage Table
Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint
Azure KeyVault
Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint
Azure SQL Database
 
 
1 Comment
Co-Authors
Version history
Last update:
‎Apr 14 2021 01:50 AM
Updated by: