Azure Policy – Infrastructure Standards
One way to enforce infrastructure standards is to require the IT staff to design and deploy all cloud-based assets rather than letting teams create Azure resources directly. This is often the approach in on-premises systems, but it reduces team agility and the capacity to innovate. Instead, Azure offers a number of tools for enforcing and validating your standards while allowing your technical teams to create and control their own cloud resources.
In addition to establishing IT guidelines, you must be able to monitor your resources to ensure that they are responsive and working effectively. Azure has a number of built-in capabilities for tracking and analysing resource usage and performance.
Define IT compliance with Azure Policy
- Setting up policies is the first step in creating a consistent cloud infrastructure. Your policies enforce rules for the resources that are created, ensuring that your infrastructure meets your corporate standards, financial constraints, and service-level agreements (SLAs) with clients.
- Azure Policy is an Azure service that allows you to create, assign, and manage policy definitions in your environment. It can block the creation of prohibited resources, verify that new resources have specific settings applied, and perform compliance audits on existing resources.
- You may leverage Azure Policy’s built-in policy and initiative definitions in categories including Storage, Networking, Compute, Security Center, and Monitoring.
Creating a Policy
A policy definition is the first step in establishing and applying an Azure policy. Every policy definition has conditions under which it is enforced, and an effect that takes place if those conditions are met. To put a policy into effect, you’ll need to do the following:
- Create a policy definition
- Assign a definition to a scope of resources
- View policy evaluation results
What is a Policy Definition?
A policy definition specifies what to evaluate and what action to take. For example, you may require that all public websites use HTTPS, ban the creation of a specific storage type, or mandate the use of a given SQL Server version. Here are some of the most commonly used policy definitions.
Assign a Definition to a Scope of Resources
- After creating policy definitions, you’ll need to assign one or more of them. A policy assignment is a policy definition that has been assigned to a specified scope. The scope of an assignment might be anything from a complete subscription down to a resource group.
- All child resources inherit policy assignments. This means that when a policy applies to a resource group, it applies to all of the resources within that group.
- You can, however, exclude a subscope from a policy assignment. For example, you could apply a policy to an entire subscription while excluding a few resource groups.
- Policies can be assigned via the Azure portal, PowerShell, or the Azure CLI. When assigning a policy definition, you must supply values for any parameters it defines.
Policy Effects
Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Policy compiles a list of all assignments that apply to the resource and evaluates the resource against each definition. Many of the effects are processed before the request is passed to the appropriate Resource Provider, so that no further processing takes place if the resource violates policy.
Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is matched: Azure Policy then takes a specific action based on the effect that has been assigned.
From the policy compliance view in the Azure portal, you can identify resources that are not compliant and take action to correct them.
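To make the definition, assignment and effect model above concrete, here is an added example (not Azure’s own evaluation engine, and not code from the page): a small Python evaluator that applies a constructed storage-account policy definition, written in Azure Policy’s JSON shape, to sample resources, honouring scope inheritance, a notScopes exclusion and a parameterised effect. The subscription id, the resource group names and the simplified field-alias lookup are assumptions.

```python
"""Mini evaluator of Azure Policy assignments (added example, not Azure's own engine):
a definition is a rule plus one effect, an assignment binds it to a scope, children
inherit it and notScopes exclude subscopes. Ids and resources are constructed."""
import re

# Constructed definition in Azure Policy JSON shape: deny storage accounts allowing HTTP.
DENY_HTTP_STORAGE = {
    "parameters": {"effect": {"type": "String", "allowedValues": ["Audit", "Deny"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id
ASSIGNMENTS = [{  # subscription-wide assignment with one resource group excluded
    "definition": DENY_HTTP_STORAGE, "scope": SUB,
    "notScopes": [SUB + "/resourceGroups/rg-legacy"],
    "parameters": {"effect": {"value": "Deny"}},
}]

def _match(cond, resource):
    """Evaluate an 'if' block: allOf, or a field alias compared with equals/notEquals."""
    if "allOf" in cond:
        return all(_match(c, resource) for c in cond["allOf"])
    prop = cond["field"].removeprefix(resource["type"] + "/")  # simplified alias lookup
    value = resource["type"] if cond["field"] == "type" else resource.get("properties", {}).get(prop, "")
    actual = str(value).lower()  # Policy compares field values as strings
    if "equals" in cond:
        return actual == str(cond["equals"]).lower()
    return actual != str(cond["notEquals"]).lower()

def _in_scope(a, rid):
    """Children of the scope inherit the assignment unless a notScope excludes them."""
    inside = lambda s: rid == s or rid.startswith(s + "/")
    return inside(a["scope"]) and not any(inside(s) for s in a.get("notScopes", []))

def evaluate(assignments, resource):
    """Effects triggered for a create/update request; a Deny would block the request."""
    effects = []
    for a in assignments:
        rule = a["definition"]["policyRule"]
        if _in_scope(a, resource["id"]) and _match(rule["if"], resource):
            effect = rule["then"]["effect"]
            m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", effect)  # parameter reference?
            effects.append(a["parameters"][m.group(1)]["value"] if m else effect)
    return effects
```

Calling `evaluate(ASSIGNMENTS, resource)` with a storage account in `rg-dev` that still allows HTTP returns `["Deny"]`, while the same account in the excluded `rg-legacy` group, or one with HTTPS-only enabled, returns no effect.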
Organize Policy with Initiatives
In Azure Policy, initiatives work in tandem with policies. An initiative definition is a collection of policy definitions that together measure your progress toward a larger goal. We recommend using initiatives even if you have only one policy, if you expect to add more policies over time. An initiative assignment, like a policy assignment, is an initiative definition assigned to a specified scope.
Assigning an initiative reduces the need for several policy assignments per scope. The scope might be anything from a management group to a resource group. Initiatives, like policies, can be assigned once they’ve been created, and they apply all of the policy definitions they contain.
Defining initiatives
By combining a series of policies into a single item, initiative definitions make managing and assigning policy definitions easier. For example, you could create an Enable Monitoring in Azure Security Center initiative whose purpose is to monitor all of the security recommendations available in Azure Security Center.
Under this initiative, you would have the following policy definitions:
| Policy definition | Purpose |
|---|---|
| Monitor unencrypted SQL Database in Security Center | For monitoring unencrypted SQL databases and servers. |
| Monitor OS vulnerabilities in Security Center | For monitoring servers that do not satisfy the configured baseline. |
| Monitor missing Endpoint Protection in Security Center | For monitoring servers without an installed endpoint protection agent. |
You can define initiatives using the Azure portal or command-line tools. In the portal, you use the “Authoring” section.
Define standard resources with Azure Blueprints
Adhering to security or compliance regulations, whether government or industry-specific, can be difficult and time-consuming. Azure Blueprint artifacts and tools help with auditing, traceability, and compliance of your deployments.
You may use Azure Blueprint to create a repeatable collection of Azure resources that follow your organization’s standards, patterns, and needs. With a collection of built-in components that speed up development and delivery, Blueprint enables development teams to quickly construct and deploy new environments while maintaining corporate compliance.
Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:
- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups
The process of implementing Azure Blueprint consists of the following high-level steps:
- Create an Azure Blueprint
- Assign the blueprint
- Track the blueprint assignments
Explore your service compliance with Compliance Manager
When you use a cloud provider, managing your own resources and how they are used is only half of the answer. You must also be aware of how the provider handles the underlying resources on which you are building. Microsoft takes this responsibility extremely seriously, and four sources give complete transparency:
- Microsoft Privacy Statement
- Microsoft Trust Center
- Service Trust Portal
- Compliance Manager
What is the Microsoft Trust Center?
Microsoft’s Trust Center is a digital resource that contains information and details about how the company implements and supports security, privacy, compliance, and transparency across all of its cloud products and services. The Trust Center is a key aspect of Microsoft’s Trusted Cloud Initiative, and it offers legal and compliance professionals help and tools such as:
- In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.
- Recommended resources in the form of a curated list of the most applicable and widely-used resources for each topic.
- Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams.
- Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal.
- Direct guidance and support for when you can’t find what you’re looking for.
What is the Service Trust Portal?
Compliance Manager is hosted on the Service Trust Portal (STP), which is also Microsoft’s public portal for publishing audit results and other compliance-related information for Microsoft’s cloud services. Users of the STP can view audit reports produced by external auditors as well as Microsoft-authored reports that describe how the company designs and manages its cloud services.
STP also includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as:
- ISO
- SOC
- NIST
- FedRAMP
- GDPR
Service Trust Portal is a companion feature to the Trust Center, and allows you to:
- Access audit reports across Microsoft cloud services on a single page.
- Access compliance guides to help you understand how you can use Microsoft cloud service features to manage compliance with various regulations.
- Access trust documents to help you understand how Microsoft cloud services help protect your data.
Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
Data sources
Azure Monitor can collect data from a variety of sources. You can think of monitoring data for your applications in tiers ranging from your application, any operating system and services it relies on, down to the platform itself.
Diagnostic settings
Azure Monitor begins gathering data as soon as you register an Azure subscription and begin adding resources such as virtual machines and web apps. Activity Logs record when resources are created or updated, and Metrics tell you how a resource is performing and what resources it is consuming. By enabling diagnostics and attaching an agent to compute resources, you can extend the data you’re gathering into the actual operation of the resources. Diagnostics can be enabled in the resource settings, where you can configure:
- Enable guest-level monitoring
- Performance counters: collect performance data
- Event Logs: enable various event logs
- Crash Dumps: enable or disable
- Sinks: send your diagnostic data to other services for more analysis
- Agent: configure agent settings
Getting more data from your apps
Monitoring data is only useful if it increases your visibility into what is happening in your computing environment. Azure Monitor has a number of features and tools that help you gain important insight into your apps and the resources they rely on.
Application Insights
- Application Insights is a service that monitors the availability, performance, and usage of your web applications, whether they are hosted in the cloud or on-premises. It uses the powerful data analysis platform of Log Analytics to give you a better understanding of your application’s operations.
- Application Insights can diagnose problems without waiting for a user to report them. To support your DevOps processes, Application Insights includes connection points to a range of development tools and integrates with Microsoft Visual Studio.
Azure Monitor for Containers
- Azure Monitor for Containers is a service that monitors the performance of container workloads deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). It collects memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the Metrics API, to provide performance insight.
Azure Monitor for VMs
- Azure Monitor for VMs is a service that analyses the performance and health of your Windows and Linux VMs and monitors them at scale, including their processes and their dependencies on other resources and external processes.
- Azure Monitor for VMs also supports monitoring performance and application dependencies for VMs hosted on-premises and with other cloud providers.
Visualize Monitoring Data
Visualizations, such as charts and tables, are effective tools for summarizing monitoring data and presenting it to different audiences. Azure Monitor has its own features for visualizing monitoring data, and it leverages other Azure services to publish data for different audiences. Other tools you can use to visualize data for particular audiences and scenarios include:
- Dashboards
- Views
- Power BI