Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity.
Thats what Microsoft documentation says. Now let me say in my way.
I work in a bank and the regulatory compliance says, data of our bank shouldn't leave Autralia.
So if one of our developers deployed a production azure resource in any other AZ Regions, our organization has to pay big penalties for not complying with regulations.
How do we do it? Using Azure Policy Assignment.
Before we jump on to implemntation, you need to know about difference between Policy and Initiative.
To keep it simple, Policy is a rule and Initiave is a collcetion of policies which set a standard.
Eg: ISO(standard) is a Intiative, which comprises of many policies which makes that standard.
So you can assign either a policy or an initiative to a resource group or entire subscription to make your resources comply with regulations. You can create new policies or initiatives of your own that were tailored for your organizational needs.
Enough theory, lets implement.
I have created a resource group "DefaultRG". So as per my Organizational needs, i need to make sure any resources created in this resource group are located in same region "Australia-East".
Go to Azure portal and search for "Policy".
There are many policies that were already defined in azure which we can use in our case. Click on Assignments, where we will assign an existing policy to our resource group.
In Policy assignment screen, i choose to apply this policy to a resource group, instead of entire subscription.
In the "Parameters" and "Non Compliance Message" tabs, select the region you choose to deploy for your compliance and give the error message to display if someone try to defy the policy.
Review and Create.
Since the policy is in place , lets test it.
I am using a Azure CLI command in powershell to create a VM in association with DefaultRG, but in a different region (Europe-West).
az
vm create --resource-group DefaultRG --name myTestVM --location westeurope --image ubuntults --admin-username azureuser --admin-password AZpassword12345
Now, lets see what happens.
"Error Code: RequestDisallowedByPolicy
Message: Resource 'myTestVMVNET' was disallowed by policy. Reasons: 'Resources in DefaultRG should only be deployed to Australia-East region.'. See error details for policy resource IDs."
"MyTestLocationPolicy" assignment stopped me from creating a resource in a different region.
What happens if we applying a policy to an existing resources.
This time, i deleted the policy assignment and then created a new VM by keeping region as "Australia-East".
Now i will add a new data disk under same resource group but the location as "Europe-West".
Note that, if a new policy is applied and if there is a no-compliant resource , it will not do anything, except riase non-compliance notification.
Hope i bring some clarity on Azure Policies and Compliance Management.
No comments:
Post a Comment