Azure Policy
- Azure Policy helps to enforce organizational standards and to assess compliance at scale.
- Policies can be grouped together into Initiatives (aka policySets).
- The Azure Policy Guest Configuration agent is the service that runs inside a VM to audit and remediate configuration issues in the guest OS.
Examples of Using Policy
- Require newly created resources to have certain tags.
- Disallow creation of certain resource types
- Constrain the regions where resources can be deployed
- Require virtual machines to be configured with encryption at rest for disk storage
Policy Evaluation
Times or events when policies are evaluated:
- A resource is created or updated in a scope with a policy assignment.
- A policy or initiative is newly assigned to a scope.
- A policy or initiative already assigned to a scope is updated.
- During the standard compliance evaluation cycle, which occurs once every 24 hours.
Evaluation Response
Options for responding to compliance issues (with the effect that implements each):
- Deny the resource change (Deny)
- Log the change to the resource (Audit, AuditIfNotExists)
- Alter the resource before the change (Append, Modify)
- Alter the resource after the change
- Deploy related compliant resources (DeployIfNotExists)
- Block actions on resources (DenyAction)
Effect Order Of Evaluation
There is an order of precedence for the possible policy effects. For a create or update request, Azure Policy evaluates the effects in this order before handing the request to the resource provider:
- disabled (checked first, to decide whether the rule is evaluated at all)
- append and modify (these can alter the request, so a change they make can stop a later deny or audit from triggering)
- deny
- The Deny effect blocks a create or update request (PUT/PATCH) that violates the policy rule. It is not evaluated for delete requests, which is why DenyAction exists.
- audit (evaluated after deny so a blocked request is not also logged as non-compliant)
- manual
- auditIfNotExists
- denyAction
- It prevents the deletion of resources that match a specified condition, such as a specific resource type or tag value. The only action it currently supports is delete.
AuditIfNotExists and DeployIfNotExists run again once the resource provider has returned success, to decide whether extra compliance logging or a remediation deployment is needed.
Deny applies to create and update requests, while DenyAction only applies to delete requests.
- Use Deny when you want to stop non-compliant resources from being created or changed.
- Use DenyAction when you want to protect existing resources, such as virtual networks or storage accounts, from being deleted. Whether a resource type supports tags and location does not decide between the two effects; it only determines whether a definition in "indexed" mode evaluates that resource type at all.
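The following is an added example, not code from the original notes or from Azure's own tooling. It writes the policies listed under "Examples of Using Policy" in real Azure Policy rule syntax and runs them through a toy evaluator that follows the effect order above, so you can see append altering a request before deny sees it, deny stopping before audit, and a delete request bypassing deny but not denyAction. The policy names, the sample requests and the `Microsoft.Compute/disks/encryption.type` alias are assumptions for illustration; the evaluator only covers the condition operators the sample rules use.

```python
# Added example, not part of the original notes or of Azure's own tooling: a toy evaluator that
# applies Azure Policy rule JSON to an ARM-style request in the documented effect order.
# Policy names, the disk-encryption alias and the sample requests are constructed for illustration.
import copy
import re

# Constructed policy rules written in real Azure Policy definition syntax (the "policyRule" body).
POLICIES = {
    "require-env-tag": {            # require newly created resources to carry a tag
        "if": {"field": "tags['env']", "exists": "false"},
        "then": {"effect": "deny"},
    },
    "allowed-regions": {            # constrain the regions resources can be deployed to
        "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
        "then": {"effect": "deny"},
    },
    "no-public-ips": {              # disallow creation of a resource type
        "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
        "then": {"effect": "deny"},
    },
    "default-owner-tag": {          # append: alters the request before deny/audit see it
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "append",
                 "details": [{"field": "tags['owner']", "value": "platform-team"}]},
    },
    "audit-disk-encryption": {      # audit rather than block: logs a compliance event
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/disks"},
            # alias assumed here; verify with: az provider show --namespace Microsoft.Compute --expand "resourceTypes/aliases"
            {"field": "Microsoft.Compute/disks/encryption.type", "exists": "false"},
        ]},
        "then": {"effect": "audit"},
    },
    "protect-vnets": {              # denyAction: only DELETE requests are evaluated
        "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
        "then": {"effect": "denyAction", "details": {"actionNames": ["delete"]}},
    },
}

TAG_RE = re.compile(r"tags\['(.+?)'\]")


def get_field(resource, field):
    """Resolve a policy 'field': tags['x'], a top-level field (type, location), or an alias such as
    Microsoft.Compute/disks/encryption.type, walked as a dotted path under 'properties'."""
    m = TAG_RE.fullmatch(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    if "/" not in field:
        return resource.get(field)
    node = resource.get("properties", {})
    for part in field.split("/")[-1].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def matches(cond, resource):
    """Evaluate an 'if' condition; string comparisons are case-insensitive, as in Azure Policy."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    norm = lambda v: v.lower() if isinstance(v, str) else v
    if "equals" in cond:
        return norm(value) == norm(cond["equals"])
    if "notEquals" in cond:
        return norm(value) != norm(cond["notEquals"])
    if "in" in cond:
        return norm(value) in [norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return norm(value) not in [norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(request, policies, action="create"):
    """Apply the assigned policies to one request in the documented order:
    disabled -> append/modify -> deny -> audit for create/update; denyAction for delete."""
    resource = copy.deepcopy(request)          # append mutates the request, so work on a copy
    active = {n: p for n, p in policies.items() if p["then"]["effect"] != "disabled"}
    result = {"outcome": "allowed", "appended": [], "denied_by": [], "audited_by": [], "resource": resource}
    if action == "delete":
        # deny is never evaluated on a delete; only denyAction whose actionNames include "delete"
        for name, p in active.items():
            then = p["then"]
            if then["effect"] == "denyAction" and "delete" in then["details"]["actionNames"] \
                    and matches(p["if"], resource):
                result["denied_by"].append(name)
        result["outcome"] = "denied" if result["denied_by"] else "allowed"
        return result
    for name, p in active.items():             # append first: it changes what deny/audit will see
        if p["then"]["effect"] == "append" and matches(p["if"], resource):
            for d in p["then"]["details"]:
                m = TAG_RE.fullmatch(d["field"])
                if m:
                    resource.setdefault("tags", {})[m.group(1)] = d["value"]
                else:
                    resource[d["field"]] = d["value"]
            result["appended"].append(name)
    for name, p in active.items():             # deny before audit avoids double-logging
        if p["then"]["effect"] == "deny" and matches(p["if"], resource):
            result["denied_by"].append(name)   # Azure stops at the first deny; all are listed here
    if result["denied_by"]:
        result["outcome"] = "denied"
        return result
    for name, p in active.items():             # audit: request goes through, non-compliance is logged
        if p["then"]["effect"] == "audit" and matches(p["if"], resource):
            result["audited_by"].append(name)
    return result


# Constructed sample requests
UNTAGGED_EASTUS_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus", "properties": {}}
TAGGED_PLAIN_DISK = {"type": "Microsoft.Compute/disks", "location": "WestEurope",
                     "tags": {"env": "prod"}, "properties": {"diskSizeGB": 128}}
VNET = {"type": "Microsoft.Network/virtualNetworks", "location": "westeurope", "tags": {"env": "prod"}}

if __name__ == "__main__":
    for label, req, act in [("create untagged VM in eastus", UNTAGGED_EASTUS_VM, "create"),
                            ("create tagged, unencrypted disk", TAGGED_PLAIN_DISK, "create"),
                            ("delete vnet", VNET, "delete"),
                            ("delete untagged VM", UNTAGGED_EASTUS_VM, "delete")]:
        r = evaluate(req, POLICIES, act)
        print(f"{label}: {r['outcome']} denied_by={r['denied_by']} "
              f"audited_by={r['audited_by']} appended={r['appended']}")
```

The last two requests are the point of the Deny versus DenyAction distinction: deleting the untagged VM is allowed even though three deny rules would reject creating it, while deleting the vnet is blocked only because a denyAction rule targets that type. The rule bodies above are what you would put in the `policyRule` section of a definition file for `az policy definition create --rules`; the condition semantics in the toy evaluator are a subset of the real service and are not a substitute for testing an assignment in a sandbox subscription.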