how to identify the right Azure policies to fulfill the regulatory requirements of the organization and still keep the life of the cloud developers as easy as possible.
In this article, I would like to show you the possibilities of Azure policies and how they can be structured.
First of all, what is Azure Policy and which goals can you reach by using these policies?
Governance validates that your organization can achieve its goals through effective and efficient use of IT. It meets this need by creating clarity between business goals and IT projects.
Does your company experience a significant number of IT issues that never seem to get resolved? Good IT governance involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues. This strategic need is where Azure Policy comes in.
Source https://docs.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance. Later in this documentation, we'll go over more details on how to create and implement policies with Azure Policy.
My approach to structuring Azure policies:
- verify your governance, compliance and security requirements from the first part of this series
- identify which type of effects (auditing or enforcing) makes sense for your organization
- group similar policies into an initiative; even if it is only one policy, use initiatives
- start with auditing from the top down and enforcing from the bottom up
- verify which initiatives/policies should be assigned through the governance structure across the entire Azure tenant and which should be part of a Blueprint. Azure Blueprints can also contain additional initiative/policy assignments.
Here is one possible approach to structuring the Azure policies:
| Initiative name | Description | Stored location |
| --- | --- | --- |
| location | This initiative contains Azure policies that define which Azure regions are allowed for resource provisioning. | Root management group |
| tagging | This initiative contains Azure policies for tagging resources and resource groups. | Root management group |
| monitoring | This initiative contains Azure policies to monitor the entire Azure AD tenant at different levels such as tenant, subscription and resource. | Root management group |
| Network Security | This initiative contains Azure policies to ensure security at the network level. | Root management group |
| IaaS | This initiative contains Azure policies for IaaS workloads such as virtual machines. | Root management group |
Policy Initiative – Location
| Policy | Description | Effect | Parameter |
| --- | --- | --- | --- |
| Allowed locations | Name of location | Deny | West Europe, North Europe |
| Allowed locations for resource group | Name of location | Deny | West Europe, North Europe |
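The following is an added example, not a definition from the article or from Microsoft: a custom allowed-locations rule whose effect is a parameter, so the same "location" initiative can be assigned with Audit at the root management group and Deny further down, as the approach above recommends. The policy definition id is a placeholder, and `evaluate` is a small simulation of the rule language subset used here, not the Azure engine.

```python
# Added example (not the article's own definition): a custom "allowed locations"
# rule in the Azure Policy rule language. Unlike the built-in policy, whose effect
# is fixed to Deny, the effect here is a parameter (Audit or Deny).
ALLOWED_LOCATIONS_RULE = {
    "if": {"not": {"field": "location",
                   "in": "[parameters('listOfAllowedLocations')]"}},
    "then": {"effect": "[parameters('effect')]"},
}
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

def build_location_initiative(default_locations):
    """Policy set (initiative) definition; policyDefinitionId is a placeholder."""
    return {"name": "location", "properties": {
        "parameters": {
            "listOfAllowedLocations": {"type": "Array", "defaultValue": default_locations},
            "effect": {"type": "String", "allowedValues": ["Audit", "Deny"],
                       "defaultValue": "Audit"},
        },
        "policyDefinitions": [{
            "policyDefinitionReferenceId": "allowedLocations",
            "policyDefinitionId": "<custom-allowed-locations-definition-id>",
            "parameters": {
                "listOfAllowedLocations": {"value": "[parameters('listOfAllowedLocations')]"},
                "effect": {"value": "[parameters('effect')]"},
            },
        }],
    }}

def build_assignments(root_mg, landing_zone_mg):
    """Audit from the top down, enforce from the bottom up: same initiative, two effects."""
    return [{"scope": MG_PREFIX + root_mg, "parameters": {"effect": {"value": "Audit"}}},
            {"scope": MG_PREFIX + landing_zone_mg, "parameters": {"effect": {"value": "Deny"}}}]

def _norm(loc):
    return loc.replace(" ", "").lower()   # "West Europe" and "westeurope" are one region

def _resolve(value, params):
    """Resolve the [parameters('x')] template syntax used inside a policy rule."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def evaluate(rule, resource, params):
    """Simulation (not the Azure engine): 'compliant' or the effect that would fire."""
    cond, negate = rule["if"], "not" in rule["if"]
    cond = cond["not"] if negate else cond
    allowed = {_norm(v) for v in _resolve(cond["in"], params)}
    matched = (_norm(resource.get(cond["field"], "")) in allowed) != negate
    return _resolve(rule["then"]["effect"], params).lower() if matched else "compliant"
```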
Policy Initiative – Tagging
| Policy | Description | Effect | Parameter |
| --- | --- | --- | --- |
| Apply tag and default value | Append a tag and its value to resource groups | Append | Environment = from parameter; Owner = tbd; CostCenter = tbd; EndDate = tbd; Service = tbd; DataClassification = tbd; ProtectionLevel = Low |
| Require tag | Inherit a tag from the resource group if missing | Modify | Environment, Owner, CostCenter, EndDate, Service, DataClassification, ProtectionLevel |
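An added example (not code from the article): the two tagging effects simulated on sample tags, using the tag names and defaults from the table above, plus the follow-up check a practitioner wants, because an appended "tbd" default makes a resource count as tagged without carrying any real information. The sample tag values are constructed.

```python
# Added example (not the article's code): Append vs Modify for the Tagging
# initiative, and a check for resources still carrying the "tbd" defaults.
REQUIRED_TAGS = ["Environment", "Owner", "CostCenter", "EndDate",
                 "Service", "DataClassification", "ProtectionLevel"]
APPEND_DEFAULTS = {"Owner": "tbd", "CostCenter": "tbd", "EndDate": "tbd",
                   "Service": "tbd", "DataClassification": "tbd",
                   "ProtectionLevel": "Low"}

def append_defaults(rg_tags, environment):
    """Append effect on a resource group: add each tag with its default only when
    the tag is missing; an existing value is never overwritten. 'environment' is
    the assignment parameter the Environment tag takes its value from."""
    result = dict(rg_tags)
    result.setdefault("Environment", environment)
    for tag, default in APPEND_DEFAULTS.items():
        result.setdefault(tag, default)
    return result

def inherit_from_rg(resource_tags, rg_tags):
    """Modify effect on a resource: copy a required tag from the resource group
    when the resource does not have it (existing resource tags win)."""
    result = dict(resource_tags)
    for tag in REQUIRED_TAGS:
        if tag not in result and tag in rg_tags:
            result[tag] = rg_tags[tag]
    return result

def placeholder_findings(resources):
    """List (resource id, tag) pairs whose value is still the 'tbd' placeholder:
    these resources pass the tag policy but cannot be trusted for cost or
    data-classification decisions until someone sets a real value."""
    return sorted((r["id"], tag) for r in resources
                  for tag, value in r.get("tags", {}).items() if value == "tbd")
```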
Policy Initiative – Monitoring
| Policy | Description | Effect | Parameter |
| --- | --- | --- | --- |
| Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM image (OS) is in the list defined and the agent is not installed. | DeployIfNotExists | Log Analytics workspace |
| Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | DeployIfNotExists | Log Analytics workspace |
| Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In the CLI this would be `az vmss update-instances`. | DeployIfNotExists | Log Analytics workspace |
| Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In the CLI this would be `az vmss update-instances`. | DeployIfNotExists | Log Analytics workspace |
| Deploy Dependency agent for Windows VMs | Deploy Dependency agent for Windows VMs if the VM image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | DeployIfNotExists | |
| Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In the CLI this would be `az vmss update-instances`. | DeployIfNotExists | |
| Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In the CLI this would be `az vmss update-instances`. | DeployIfNotExists | |
| Deploy Dependency agent for Linux VMs | Deploy Dependency agent for Linux VMs if the VM image (OS) is in the list defined and the agent is not installed. | DeployIfNotExists | |
| The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines on which the Log Analytics agent is not installed. | DeployIfNotExists | |
| Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | DeployIfNotExists | |
| Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | AuditIfNotExists | |
| [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. This policy requires the Azure Policy for Windows extension. For details, visit https://aka.ms/gcpol. | AuditIfNotExists | |
Policy Initiative – Network Security
| Policy | Description | Effect | Parameter |
| --- | --- | --- | --- |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists | |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end network view. The network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. | AuditIfNotExists | |
| Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | Deny | |
| Deploy Network Watcher when virtual networks are created | This policy creates a Network Watcher resource in regions with virtual networks. You need to ensure that a resource group named networkWatcherRG exists; it will be used to deploy the Network Watcher instances. | AuditIfNotExists | |
Policy Initiative – IaaS
| Policy | Description | Effect | Parameter |
| --- | --- | --- | --- |
| Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | DeployIfNotExists | |
| Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | AuditIfNotExists | |
| Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | DeployIfNotExists | |
| Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | DeployIfNotExists | |
| Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | DeployIfNotExists | |
| Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | AuditIfNotExists | |
| Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | AuditIfNotExists | |
| Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | AuditIfNotExists | |
| Azure Backup should be enabled for Virtual Machines | This policy helps audit whether the Azure Backup service is enabled for all virtual machines. Azure Backup is a cost-effective, one-click backup solution that simplifies data recovery and is easier to enable than other cloud backup services. | AuditIfNotExists | |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | Audit | |
Share your experiences with Azure Policies and the assignment structure you used.