App Modernization and Azure Policy Enforcement


One of the questions that comes our way often as our clients start to move toward the cloud is, how am I going to manage these cloud resources from a policy perspective? The answer is, strangely enough… Azure Policy.

What Is Azure Policy?

Azure Policy is active control and governance at scale for your Azure Resources. Azure Policy enables the following:

• Govern your Azure resources with simplicity
• Apply management and security at scale
• Enforce policies and audit compliance
• Monitor compliance continuously
• Build custom policies with flexibility
• Apply built-in policies from MSFT and the community

Let’s take a look at what Azure Policy looks like in a real-world scenario.

Finding The Policy Blade

From the Azure Portal, let’s search for Azure Policy by clicking All Services in the top left corner…

… and searching for Policy.

Now that we are in the Policy blade, let’s see what our options are:

Policy Definitions in Azure Policy

Overview – this is your monitoring pane for after you have applied policy and shows non-compliant policies

Getting Started – this is a great resource page that gives information about how to start to use Azure Policy

Compliance – this is where you will monitor individual policies

Authoring

Assignments – here is where you will assign an individual or group of policies

Definitions – here is where you will author a policy

Policy Assignment

Now let’s work through a scenario where we want to apply a Microsoft-provided policy to our subscription. Let’s assume that, for a specific Azure subscription, we only want resources to be deployed in the East US or West US regions. How do we go about applying a policy that enforces this criterion?

Policy Assignments

From the Authoring – Assignments blade, let’s select Assign Policy.

Assign Policy Blade In Azure

Then the Assign Policy blade will be displayed.

The first thing we need to do is click the ellipsis in the Policy field and select the provided “Allowed Locations” policy at the very bottom of the list.

Next, we select the pricing tier, which we can leave as Standard.

Selecting the scope for Azure Policy

Then, we select the Scope of where we would like to apply the policy.

Lastly, we select the East US and West US regions from the drop-down under the Parameters section.

Finally, we click Save.

Policy Applied

Now that we have the policy applied you will see the following screen in the Assignments blade:

Now let’s test the policy by attempting to deploy something outside those two regions and see what happens.

Let’s try to create a storage account in the Central US region for instance.

Policy Error Has Occurred

When we click Create, we get the following error immediately. This shows that a policy violation has occurred.

This is a simple demonstration of Azure Policy and how it can be used to ensure that resources are provisioned only in the desired regions, with provisioning anywhere else denied by policy. This is just the tip of the iceberg; many more things can be controlled with Azure Policy.
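The deny decision from the test above can be modelled locally to see which requests the assignment blocks and which it lets through. This is an added example, not code from the original post or from Microsoft: the rule is an assumption modelled on the built-in “Allowed Locations” definition (compare it with the JSON shown in the Definitions blade), and the resource names are constructed.

```python
# Assumption: rule shape modelled on the built-in "Allowed Locations" definition.
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}

# Parameter values chosen in the walkthrough: East US and West US.
ASSIGNMENT_PARAMS = {"listOfAllowedLocations": ["eastus", "westus"]}

def normalize(location):
    """Treat 'East US' and 'eastus' as the same region."""
    return location.replace(" ", "").lower()

def resolve(value, params):
    """Expand the only template expression this rule uses: [parameters('x')]."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(cond, resource, params):
    """Evaluate the small subset of conditions this rule needs."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = normalize(resource[cond["field"]])  # only location fields are compared here
    if "notIn" in cond:
        return actual not in [normalize(v) for v in resolve(cond["notIn"], params)]
    if "notEquals" in cond:
        return actual != normalize(resolve(cond["notEquals"], params))
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource, params):
    """Return the rule's effect if the 'if' block matches; 'allow' is this example's label for no effect."""
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else "allow"

# Constructed sample requests; names and types are illustrative only.
SAMPLE_REQUESTS = [
    {"name": "stcentral01", "type": "Microsoft.Storage/storageAccounts", "location": "Central US"},
    {"name": "steast01", "type": "Microsoft.Storage/storageAccounts", "location": "East US"},
    {"name": "stwest01", "type": "Microsoft.Storage/storageAccounts", "location": "westus"},
    {"name": "dnszone01", "type": "Microsoft.Network/dnsZones", "location": "global"},
]

def decisions():
    """Map each sample request to the decision the assignment would produce."""
    return {r["name"]: evaluate(ALLOWED_LOCATIONS_RULE, r, ASSIGNMENT_PARAMS) for r in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for name, effect in decisions().items():
        print(f"{name}: {effect}")
```

Note the last sample: a resource whose location is `global` is not denied by this rule, so region restriction alone does not cover non-regional resource types.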

March 2nd, 2018

About the Author:

Jeff is an Azure Cloud / Dev Ops Consultant with notable success directing a broad range of IT initiatives while participating in planning and implementation of cloud first solutions. He has a proven track record of increasing responsibility in production support, systems analysis and design and has worked in large organizations such as Raymond James Financial, American Express and Bloomin Brands. Jeff also leads the Tampa PowerShell User Group and actively blogs at Scriptwarrior.wordpress.com and can be reached on Twitter @ScriptWarrior.