Flashcards in Apply and monitor infrastructure standards with Azure Policy Deck (36)
You have a policy that allows virtual machines of only a certain size in your environment. After this policy is implemented, new and existing resources are evaluated for compliance.
Which actions can you perform with Azure Policy?
Create, assign and manage policies
What are SKUs?
Stock keeping units (pricing tiers) for a resource
Azure Policy will audit all the existing VMs in our organization to ensure our policy is enforced.
You can integrate Azure Policy with Azure DevOps
You can even integrate Azure Policy with Azure DevOps by applying continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications.
Azure Policy is a default-allow-and-explicit-deny system.
RBAC is a default-allow-and-explicit-deny system.
What are the steps to apply an Azure Policy?
1. Create a policy definition
2. Assign a definition to a scope of resources
3. View policy evaluation results
What is a policy definition?
A policy definition expresses what to evaluate and what action to take
You can use one of the pre-defined policy definitions in Azure Policy or create your own.
What is the Microsoft.PolicyInsights extension used for?
To apply an Azure Policy.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
How can you identify non-compliant Azure Policy resources?
- Compliance tab in Azure Policy
- Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'
Policy assignments are not inherited by all child resources
This inheritance means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment.
Describe Azure Policy effects.
Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. Policy processes several of the effects before handing the request to the appropriate Resource Provider to avoid any unnecessary processing if the resource violates policy.
Azure Policy will take a specific action based on the assigned effect.
The resource creation/update fails due to policy.
The policy rule is ignored (disabled). Often used for testing.
Adds additional parameters/fields to the requested resource during creation or update. A common example is adding tags on resources such as Cost Center or specifying allowed IPs for a storage resource.
- Audit, AuditIfNotExists
Creates a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request.
Executes a template deployment when a specific condition is met. For example, if SQL encryption is enabled on a database, then it can run a template after the DB is created to set it up a specific way.
Azure Policy can allow a resource to be created even if it doesn't pass validation.
In these cases, you can have it trigger an audit event that can be viewed in the Azure Policy portal, or through command-line tools.
How can you remove a policy assignment with PowerShell?
Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions//resourceGroups/'
What are Azure Policy Initiatives?
Managing a few policy definitions is easy, but once you have more than a few, you will want to organize them. That's where initiatives come in.
An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.
What are Azure Management Groups?
Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.
Suppose you have a management group "Geo Region 1" within the Root Management Group, which contains two EA subscriptions. When you apply a policy to "Geo Region 1", would the EA subscription owners be able to alter the policy?
The resources and subscriptions you assign to a management group automatically inherit the conditions that you apply to that management group.
Which Azure resource can you use to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements?
Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:
Azure Resource Manager templates
What are the steps to implement an Azure Blueprint?
The process of implementing Azure Blueprint consists of the following high-level steps:
Create an Azure Blueprint
Assign the blueprint
Track the blueprint assignments
Azure Blueprints are stored in an Azure Blob Storage Account.
The Azure Blueprints service is backed by the globally distributed Azure Cosmos database. Blueprint objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, regardless of which region Blueprints deploys your resources to.
How does Azure Blueprint differ from Azure Resource Manager?
The Azure Blueprints service is designed to help with environment setup. This setup often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint is a package to bring each of these artifact types together and allow you to compose and version that package—including through a CI/CD pipeline.
A Resource Manager template is a document that doesn't exist natively in Azure. Resource Manager templates are stored either locally or in source control. The template gets used for deployments of one or more Azure resources, but once those resources deploy there's no active connection or relationship to the template.
With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.
How does Azure Blueprint differ from Azure Policy?
A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance.
A policy is a default-allow and explicit-deny system focused on resource properties during deployment and for already existing resources. It supports cloud governance by validating that resources within a subscription adhere to requirements and standards.
Where can you check your resource compliance?
1. Microsoft Privacy Statement
2. Microsoft Trust Center
3. Service Trust Portal
4. Compliance Manager
1. The Microsoft Privacy Statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
2. Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
3. The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services.
4. Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
As part of the risk assessment, Compliance Manager also provides recommended actions you can take to improve your regulatory compliance.
Azure provides two primary services to monitor the health of your apps and resources. What are they?
Azure Service Health
How can you extend the data you're collecting into the actual operation of resources in Azure Monitor?
By enabling Diagnostics and adding an agent to compute resources.