Azure Policy is an Azure service designed to enforce rules on your Azure resources and to act on them according to each rule's effect. It keeps your resources compliant with corporate standards and service level agreements. Azure Policy evaluates resources for non-compliance with the assigned policies and applies the assigned effect. For example, you can have a policy that allows only managed disks to be created in the Prod environment. Once the policy is assigned, new and existing resources are evaluated for compliance, and with the right type of policy, existing resources can be brought into compliance. There are many built-in policies, and you can create your own custom policies; later in this post we go into more detail.

What Does Azure Policy Do?

Enforcement & Compliance:

  • Turn on built-in policies or build custom ones for all resource types
  • Real-time policy evaluation and enforcement
  • Periodic & on-demand compliance evaluation

Apply Policies at scale:

  • Apply policies to a management group, a subscription or a resource group
  • Apply multiple policies together and aggregate their compliance states with a policy initiative
  • Exclusion scopes, to leave sub-scopes out of an assignment

Remediation:

  • Real-time remediation

Policy Implementation

Policy implementation breaks into two processes:

  1. The Policy Definition Creation
  2. The Policy Definition Assignment

Policy Definition

Each policy definition is a JSON (JavaScript Object Notation) document. The core of every definition is the set of conditions under which it is enforced and the effect that takes place when those conditions are met. Azure provides many built-in policies, but you can also build your own custom policies. To create a custom policy you need the following permission, at the scope where the definition will live, through role-based access control (RBAC):

  • Microsoft.Authorization/policydefinitions/write permission to define a policy

Each policy definition has the following elements:

  • Mode – Determines which resource types are evaluated by the policy. Supported modes are:
    • all: evaluate resource groups, subscriptions and all resource types
    • indexed: evaluate only resource types that support tags and location (use this for policies that enforce tags or locations, so resources that cannot carry them are not reported as non-compliant)
  • Parameters – If you are familiar with any programming language you will be familiar with parameters. A parameter's value can be used in the logical evaluation and in the effect. Parameters reduce the amount of policy code and the number of policy definitions, because one definition can be assigned many times with different values.

  • Display name & Description – This is to identify the policy definition through a name and provide context for when it is used.
  • Policy rule (logical evaluation & effect) – The core of the policy definition. The rule consists of an if block, which describes what the policy evaluates, and a then block, which states the effect. Conditions in the if block can be combined with logical operators (allOf, anyOf, not) to define the rule precisely. The effect can be set to deny, append, audit, auditIfNotExists or deployIfNotExists.


Example policy:
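An added example (not code from the original post): a custom policy definition in the JSON shape described above, written as a Python dict so that a small pre-flight check can be run over it, for instance in CI before `az policy definition create`. The check enforces the structure the elements above describe: a valid mode, an if/then rule whose conditions are allOf/anyOf/not combinators or single-operator leaves, parameters that are both declared and used, and an effect that can only take known values. The alias `Microsoft.Compute/virtualMachines/osDisk.uri` used in the rule is an assumption for illustration; confirm aliases with `az provider show --namespace Microsoft.Compute --expand resourceTypes/aliases` before relying on them.

```python
import json
import re

# Added example, not from the original post: a custom policy definition plus a
# structural pre-flight check. The alias Microsoft.Compute/virtualMachines/osDisk.uri
# is assumed for illustration; verify it against the provider's alias list.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Deny virtual machines that do not use managed disks",
        "description": "A VM whose OS disk is backed by a storage-account VHD URI is rejected.",
        "mode": "Indexed",
        "parameters": {
            "effect": {
                "type": "String",
                "metadata": {"displayName": "Effect", "description": "Audit or Deny"},
                "allowedValues": ["Audit", "Deny"],
                "defaultValue": "Deny",
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                    {"field": "Microsoft.Compute/virtualMachines/osDisk.uri", "exists": "true"},
                ]
            },
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}

VALID_MODES = {"all", "indexed"}
VALID_EFFECTS = {"deny", "append", "audit", "auditifnotexists", "deployifnotexists", "modify", "disabled"}
LEAF_OPERATORS = {"equals", "notEquals", "like", "notLike", "in", "notIn", "exists", "contains",
                  "notContains", "match", "notMatch", "less", "lessOrEquals", "greater", "greaterOrEquals"}
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")

def _check_condition(node, problems, path="if"):
    """A condition is allOf / anyOf / not over children, or a leaf with one field/value and one operator."""
    if not isinstance(node, dict):
        problems.append(f"{path}: condition must be an object")
    elif "allOf" in node or "anyOf" in node:
        key = "allOf" if "allOf" in node else "anyOf"
        children = node[key]
        if not isinstance(children, list) or not children:
            problems.append(f"{path}.{key}: must be a non-empty list")
        else:
            for i, child in enumerate(children):
                _check_condition(child, problems, f"{path}.{key}[{i}]")
    elif "not" in node:
        _check_condition(node["not"], problems, f"{path}.not")
    else:
        if ("field" in node) == ("value" in node):
            problems.append(f"{path}: leaf needs exactly one of 'field' or 'value'")
        ops = [k for k in node if k in LEAF_OPERATORS]
        if len(ops) != 1:
            problems.append(f"{path}: leaf needs exactly one operator, got {ops}")

def validate_definition(definition):
    """Return a list of problems with a policy definition; an empty list means it is well-formed."""
    problems = []
    props = definition.get("properties", {})
    if str(props.get("mode", "")).lower() not in VALID_MODES:
        problems.append(f"mode must be All or Indexed, got {props.get('mode')!r}")
    rule = props.get("policyRule", {})
    if "if" not in rule or "then" not in rule:
        problems.append("policyRule needs both 'if' and 'then'")
        return problems
    _check_condition(rule["if"], problems)

    # Every [parameters('x')] used by the rule must be declared, and every declared parameter used.
    params = props.get("parameters", {})
    referenced = set(PARAM_REF.findall(json.dumps(rule)))
    for name in sorted(referenced - set(params)):
        problems.append(f"rule references undeclared parameter {name!r}")
    for name in sorted(set(params) - referenced):
        problems.append(f"parameter {name!r} is declared but never used")

    # The effect may be a literal or a parameter; every value it can take must be a known effect.
    effect = rule["then"].get("effect", "")
    ref = PARAM_REF.fullmatch(str(effect))
    if ref:
        spec = params.get(ref.group(1), {})
        candidates = spec.get("allowedValues") or [spec.get("defaultValue")]
    else:
        candidates = [effect]
    for value in candidates:
        if str(value).lower() not in VALID_EFFECTS:
            problems.append(f"effect {value!r} is not a valid effect")
    return problems

if __name__ == "__main__":
    print(validate_definition(POLICY_DEFINITION) or "definition looks well-formed")
    print(json.dumps(POLICY_DEFINITION["properties"]["policyRule"], indent=2))  # what --rules takes
```

Run directly, it prints the problem list (empty for the definition above) and the policyRule JSON you would pass to `az policy definition create --rules`, with the parameters block going to `--params` and the mode to `--mode`. Note that `"true"` for `exists` is written as a string, as Azure's own examples do. Catching an effect bound to a parameter with the wrong allowedValues, or a parameter referenced but never declared, before the definition reaches Azure saves a failed create or, worse, a rule that silently never fires.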


Policy Assignment

The second part of policy implementation is assigning policy definitions. A definition is assigned to a scope, which can be a resource group, a subscription or a management group. Assignments are inherited: every resource under the scope is subject to the policy rule. However, you can exclude a sub-scope from an assignment.

A definition can be assigned again, at the same scope or a different one, with different parameter values, which makes definitions reusable. To assign a policy definition you need the following permission, at the target scope, through role-based access control (RBAC):

  • Microsoft.Authorization/policyassignments/write permission to assign a policy

The policy assignment JSON contains the following elements:

  • Display name & description – Identify the assignment by name and provide context for its use with the specific set of resources.
  • Enforcement mode – Lets you assess compliance without applying the effect. When enforcement mode is disabled (DoNotEnforce), a deny policy still shows its assessment result but does not block resources, which is a safe way to trial a new policy before it starts rejecting deployments. The default value is enabled (Default).
  • Policy definition – The ID of an existing policy definition. An assignment references exactly one definition; to assign several policies together, group them in an initiative and assign that.
  • Parameters – The values for the parameters declared in the policy definition. This design makes it possible to reuse one definition with different resources, at different scopes, or with different business values and outcomes.


Example of Policy Assignments:

How Does Policy Work?

Policies are declarative and easy to write. Evaluation happens in two situations:

  • On change (new or updated resource configuration requests)

Azure Resource Manager (ARM) is the centralized control plane for Azure. Every resource configuration request, whether it creates a new resource or updates an existing one, and whether it comes from a user, a template or code, must pass through the ARM control plane before the resource is deployed or updated. The policy engine sits behind the ARM control plane, so every request is evaluated against all of the policies assigned at that scope before the change takes place. A request ends in one of the following ways:

  • If the request is compliant with the assigned policy rules, the resource is deployed.
  • If the request violates a rule whose effect is deny, the request is rejected and nothing is deployed. Rules with the audit effect let the request through and record the resource as non-compliant instead.

  • Periodically (existing resources)

On a periodic basis (and on demand), the engine evaluates existing resources against the assigned policies and produces a compliance report; existing resources are reported, not blocked.
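An added example (not code from the original post) that serves both the assignment section above and the two evaluation paths just described: a simplified model of how an assignment scopes a definition and how the engine evaluates a rule. It supports only the subset of the policy language it uses (field conditions with equals, notEquals, in and notIn; the allOf and anyOf combinators; [parameters('...')] substitution; the deny and audit effects) and is not the Azure engine. The "Allowed locations" definition mirrors the shape of the built-in policy of that name, but the subscription, resource-group and resource IDs and the inventory are constructed for the example.

```python
import re

# Added example, not from the original post: a simplified model of assignment
# scoping and rule evaluation. It supports only the subset of the policy
# language used here and is not the Azure engine. All IDs are constructed.
ALLOWED_LOCATIONS = {
    "properties": {
        "displayName": "Allowed locations", "mode": "Indexed",
        "parameters": {"listOfAllowedLocations": {"type": "Array"},
                       "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Deny"}},
        "policyRule": {
            "if": {"allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},
            ]},
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}

# One definition assigned twice: different scopes and values, an excluded sub-scope, one report-only.
ASSIGNMENTS = [
    {"name": "prod-locations", "scope": "/subscriptions/prod-sub",
     "notScopes": ["/subscriptions/prod-sub/resourceGroups/rg-legacy"], "enforcementMode": "Default",
     "parameters": {"listOfAllowedLocations": ["eastus", "westus"]}},  # 'effect' falls back to its defaultValue
    {"name": "dev-locations", "scope": "/subscriptions/dev-sub", "notScopes": [],
     "enforcementMode": "DoNotEnforce",  # assess and report, never block
     "parameters": {"listOfAllowedLocations": ["eastus"], "effect": "Deny"}},
]

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, params):
    """Replace a [parameters('x')] reference with the value the assignment supplies."""
    ref = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[ref.group(1)] if ref else value

def matches(cond, resource, params):
    """Evaluate a condition tree against a resource; string comparison is case-insensitive."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = resource.get(cond["field"])
    if actual is None:  # a missing field satisfies no comparison operator
        return False
    low = lambda v: v.lower() if isinstance(v, str) else [x.lower() for x in v]
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = low(resolve(cond[op], params))
            hit = low(actual) == expected if op in ("equals", "notEquals") else low(actual) in expected
            return hit if op in ("equals", "in") else not hit
    raise ValueError(f"unsupported condition: {cond}")

def applicable(resource_id, assignment):
    """Inheritance: an assignment covers everything under its scope except its notScopes."""
    under = lambda scope: resource_id.lower().startswith(scope.lower() + "/")
    return under(assignment["scope"]) and not any(under(s) for s in assignment["notScopes"])

def effective_params(definition, assignment):
    """Assignment values override a parameter's defaultValue; a parameter with neither is an error."""
    declared, supplied = definition["properties"]["parameters"], assignment["parameters"]
    for name, spec in declared.items():
        if name not in supplied and "defaultValue" not in spec:
            raise ValueError(f"assignment {assignment['name']!r} supplies no value for {name!r}")
    return {name: supplied.get(name, spec.get("defaultValue")) for name, spec in declared.items()}

def evaluate_request(definition, assignments, resource):
    """Change path: returns (allowed, hits); only a deny under an enforced assignment blocks the request."""
    rule = definition["properties"]["policyRule"]
    hits, allowed = [], True
    for a in assignments:
        if not applicable(resource["id"], a):
            continue
        params = effective_params(definition, a)
        if matches(rule["if"], resource, params):
            effect = resolve(rule["then"]["effect"], params).lower()
            hits.append((a["name"], effect))
            if effect == "deny" and a["enforcementMode"] == "Default":
                allowed = False
    return allowed, hits

def compliance_report(definition, assignments, inventory):
    """Periodic path: existing resources in scope are reported, never blocked."""
    return {r["id"]: "NonCompliant" if evaluate_request(definition, assignments, r)[1] else "Compliant"
            for r in inventory if any(applicable(r["id"], a) for a in assignments)}

def _rid(sub, rg, rtype, name):
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/{rtype}/{name}"

INVENTORY = [  # constructed resources, as ARM would hand them to the engine
    {"id": _rid("prod-sub", "rg-app", "Microsoft.Compute/virtualMachines", "vm1"), "location": "westus"},
    {"id": _rid("prod-sub", "rg-app", "Microsoft.Storage/storageAccounts", "st1"), "location": "northeurope"},
    {"id": _rid("prod-sub", "rg-legacy", "Microsoft.Storage/storageAccounts", "old"), "location": "northeurope"},
    {"id": _rid("dev-sub", "rg-dev", "Microsoft.Compute/virtualMachines", "dev1"), "location": "westus"},
]

if __name__ == "__main__":
    print(evaluate_request(ALLOWED_LOCATIONS, ASSIGNMENTS, INVENTORY[1]))  # (False, [('prod-locations', 'deny')])
    print(compliance_report(ALLOWED_LOCATIONS, ASSIGNMENTS, INVENTORY))
```

Calling evaluate_request on the northeurope storage account in the Prod subscription returns (False, [('prod-locations', 'deny')]): the request is dropped. The same violation in the dev subscription returns (True, [('dev-locations', 'deny')]) because that assignment is DoNotEnforce, yet compliance_report still lists the resource as NonCompliant, which is exactly the behaviour the enforcement-mode element describes. The storage account in rg-legacy is never evaluated because that resource group is in notScopes, so it does not appear in the report at all. An assignment that omits a parameter with no defaultValue raises rather than silently evaluating against nothing.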

That concludes this post, with a basic understanding of Azure Policy and how it is used to govern an Azure environment.