Empowering your Cloud Governance operations using Azure Policy

What is Azure Policy and why is it important? 

Before going deep into Cloud Governance, let us start by defining Azure Policy as a rule or a set of rules that help control Cloud infrastructure governance mandates and compliance when it comes to elements such as:  

  • how things can be named (i.e., naming conventions) 
  • where they can be placed and what type of capacity they can have (i.e., SKU) 
  • which region resources can be deployed (e.g., Europe, Switzerland)  

 

It is a tool that can mitigate infrastructure drift, prevent unnecessary cost overruns and control the way our infrastructure is deployed in a proactive way, a way to be compliant with your organization’s security rules.

 

Is it easy to use and understand? 

The answer is yes!  

Microsoft groups those rules essentially into two categories: “Policy Definitions” and “Policy “Initiatives” – the former is an individual rule like: “Azure Backup should be enabled on all newly created Virtual Machines” or “The Only allowed regions to deploy VM is for example only on the Azure France region for this Subscription. More about this is below:

As shown in the image above, Microsoft provides an extensive range of pre-made Policy definitions that help your organization get started quickly. By typing “allowed locations” on the search field you can get started on assigning your policy at the Resource Group level, Subscription, or even Management group by setting a scope.  

The policies are internally represented in the JSON format – as such they can be adjusted for purpose and of course managed through a Git Repository – this, for example, is Microsoft’s own Git Repo for Azure Policies: https://github.com/Azure/azure-policy.

 

So, what are initiatives and does a policy or initiative have an immediate effect?

Initiatives group your individual policies into one basket – they can be applied in the same way your individual policy applies.

The policy initial check/run through is performed around the 30-minute mark and is checked every 24 hours.

Each policy has two modes in practice: Auditing and denial – they can both be extremely useful regardless of enforcement as they provide visibility to our compliance situation as shown below:

Here, we assigned the policy of checking whether the resource tag assigned to a resource group is inherited to the resources inside. 

How can we help you? 

At Stellium, we helped many clients implement their hybrid Cloud Governance strategy, roadmap and technical implementation using a combination of Azure Policy and DevOps platforms.  

If you need a similar solution for your business, book a free 1h consultancy meeting to discuss your needs and see how we can help you. Get in touch here.