Azure Policies for Automating Azure Governance - Choosing Policies
Published Jan 26 2023 02:00 AM 9,090 Views
Microsoft

Time and time again, many people get that go ahead for cloud but don't want to unleash everyone into the environment.  This is with good understanding.  Without policies and governance in place, cloud spend can go unmonitored or resources deployed not following your company's standards. Getting a good standard in place with Azure Policy can make sure you and your team keep an organized Azure environment in the short term and long term as the footprint grows. Security should always be first of mind as well.

 

Simplicity is key in establishing your definitions and making sure they align to your business needs.  Get stakeholders involved and start with some fundamental policies to get established.

 

Below are common business concerns:

 

Risk Description Indicators Resolution
Financial accuracy If resources are deployed in Azure and there is no consistent metadata strategy, it will be difficult to appropriately map costs back through the CFO office. Resources exist with no tagging metadata Create a policy statement and enforce standards.
Data location Some requirements require data sovereignty and for this use case data must remain in the U.S. Resources can be deployed to various regions outside of the US  by default. Create a policy for Azure regions.
Unnecessary spending Resources provisioned that are no longer utilized or were not properly de-provisioned during development periods introduce waste to the business. In addition, over provisioning resources creates additional unneeded costs. Resources underutilized or identified as over provisioned Create policy statement and enforce periodic reviews for “waste”. 
Management inefficiencies

Inconsistent naming or tagging of resources can make it difficult for IT support teams to troubleshoot incidents, as well as support day to day requests from impacting application teams. Ensuring a consistent naming and tagging standard helps IT to respond more quickly. 

X% of resources do not have a compliant naming or tagging structure in place  Create policy statement and enforce via automation.
Business interruption

Established SLAs are needed to ensure that systems are built in compliance with business requirements. Systems should be designed around SLAs and investigated if they are not meeting them.  

Critical systems are experiencing less than 99.95% uptime  Create policy statement for production systems.

 

Now what policies can we use to address these concerns?  Right away three come to mind - Allow specific VM sizes, allow specific resource regions and block resource types.

 

Built in Azure Policies

 

Azure Policy Description Allowed Options
Allowed virtual machine size SKUS Create an Azure policy JSON template to limit the instance types that can be created in Azure D Series instances of all types. Fe series all types
Allowed locations Control the physical location where resources can be deployed Only allow West US2, Central US and East US
Not allowed resource types Specify resource types that your organization cannot deploy.

Do not allow SQL Managed Instances

*microsoft.sql/managedinstances

 

 

Other built in polices to consider in Azure

 

Policy Description Decision Values
Storage accounts should be limited by allowed SKUs Restrict the set of storage account SKUs that your organization can deploy. Do not allow Geo-Redundant storage only Local-Redundant Standard_LRS, Premium_LRS
Storage accounts should have infrastructure encryption. Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. For compliance storage accounts will be encrypted No parameters needed for this
Require a tag and its value on resources Enforces a required tag and its value. Does not apply to resource groups. Require cost center tags for chargeback Required Tag Name: Cost Center
Required Tag Value: 1984
Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Do not expose public network to managed disk resource No parameters needed for this
Only approved VM extensions should be installed. This policy governs the virtual machine extensions that are not approved. Approve Disk encryption and Windows Security Center agent 
AzureDiskEncryption
WindowsAgent.AzureSecurityCenter
Audit machines with insecure password security settings This initiative deploys the policy requirements and audits machines with insecure password security settings. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol This is actually an initiative containing policies for maximum password age, reusing previous passwords etc NOTE: it is important when assigning these policies to use the Initiative.  The DeployIfNotExists policy loads the VM extension, which is a requirement for Audit/AuditIfNotExists policies in Guest Configuration to work properly.

 

 

These again are just policies commonly deployed in the wild. Your requirements will vary.  Once a standard is agreed upon and Azure Polices are defined.  You can make sure your environment has the policies enforced and compliant.

 

Note - Azure Policy uses a JSON format to form the logic the evaluation uses to determine whether a resource is compliant or not.

 

We will dive deeper into policy inheritance, grouping and automation in the next post.  

 

Co-Authors
Version history
Last update:
‎Feb 02 2023 11:12 AM
Updated by: