Azure Governance automation with Policy
Moving, expanding or creating your datacentre in the Azure cloud brings a vast array of innovation opportunity, but with it comes the need for Azure governance. Whether it is for a Proof of Concept, testing and development or new services coming online, creating resources in the cloud can be far easier than it used to be, and that ease brings some points that should be considered.
How do we allow for the provision of new host systems or services? In what way can we attribute ownership or financial responsibility for them? How can we try to maintain order with the delivery of any new VMs, services or storage in line with company standards?
Perhaps you already have defined standards in place with regard to the provision of new services in Azure, but what happens when they are not followed? Can we gain visibility of these anomalies or even better prevent them from happening in the first place?
This is where Azure Policy can help.
What is Azure Policy?
Azure Policy is a service in Microsoft Azure that sits within the overall set of Azure governance tools. You can use it to create, assign, and manage rules known as policies. These policies enforce rules and effects over your Azure resources so that they remain compliant with your corporate standards, contractual requirements or service level agreements.
We can also collate policies aimed at achieving a single goal into an ‘initiative’. For example, one initiative to govern or control resource tagging might consist of multiple underlying policies that manage and control differing resource types.
Using an initiative to audit or govern multiple policies allows for much easier management.
In this blog, I will show you how we can control the creation of a VM resource to ensure it remains in line with corporate policy.
The following host considerations will be validated:
1. Hostname. This must follow an agreed pattern aligned to corporate naming conventions.
2. Host size. Sizing of the VM must be one of the agreed sizing levels available in Azure.
3. Host location. The location of the VM in Azure must be in an agreed datacentre location.
4. Tagging. The host must have a department tag for cost allocation and a ‘created by’ tag for auditing.
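To show how those four checks look when expressed in the Azure Policy rule language, here is an added example (not the post's own definition, and not a Microsoft-supplied one): a single deny rule covering hostname pattern, size, location and tags, plus a small offline evaluator that applies the rule to sample VM request bodies before anything is assigned in Azure. The permitted sizes, regions, the hostname pattern az-???-vm## and the tag names Department and CreatedBy are assumptions chosen for illustration. The evaluator reimplements only the operators this rule uses (allOf, anyOf, equals, notIn, notMatch, exists) with the documented Azure Policy semantics; in Azure itself the evaluation is done by Resource Manager at deployment time.

```python
# Added example: offline evaluation of an Azure Policy rule for VM creation.
# The rule, its parameter values and the sample resources are assumptions for
# illustration; the evaluator covers only the operators this rule uses.

# Assumed corporate standards: permitted sizes and regions, and hostnames of the
# form az-<3 letters>-vm<2 digits> ('?' = letter, '#' = digit in Azure 'match').
PARAMETERS = {
    "allowedSizes": ["Standard_B2s", "Standard_D2s_v3", "Standard_D4s_v3"],
    "allowedLocations": ["uksouth", "ukwest"],
}

POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"anyOf": [
            {"field": "name", "notMatch": "az-???-vm##"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "notIn": "[parameters('allowedSizes')]"},
            {"field": "location", "notIn": "[parameters('allowedLocations')]"},
            {"field": "tags['Department']", "exists": "false"},
            {"field": "tags['CreatedBy']", "exists": "false"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

# The VM size alias points into the request body; other fields are top-level.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name":
           ("properties", "hardwareProfile", "vmSize")}

def resolve_field(resource, field):
    """Return the value a policy 'field' refers to, or None if it is absent."""
    if field.startswith("tags['") and field.endswith("']"):
        return (resource.get("tags") or {}).get(field[6:-2])
    node = resource
    for part in ALIASES.get(field, (field,)):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def resolve_value(value, params):
    """Substitute a [parameters('name')] reference with the parameter value."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[13:-3]]
    return value

def matches_pattern(value, pattern):
    """Azure 'match': equal length; '#' digit, '?' letter, '.' any, else literal."""
    if not isinstance(value, str) or len(value) != len(pattern):
        return False
    return all((p == "#" and v.isdigit()) or (p == "?" and v.isalpha())
               or p == "." or p == v for v, p in zip(value, pattern))

def _lower(v):
    return v.lower() if isinstance(v, str) else v

def condition_true(cond, resource, params):
    """Evaluate one condition; True means the 'then' effect applies."""
    if "allOf" in cond:
        return all(condition_true(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_true(c, resource, params) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:    # equals/notIn compare strings case-insensitively
        return _lower(value) == _lower(resolve_value(cond["equals"], params))
    if "notIn" in cond:
        return _lower(value) not in [_lower(x) for x in resolve_value(cond["notIn"], params)]
    if "notMatch" in cond:  # match/notMatch are case-sensitive
        return not matches_pattern(value, cond["notMatch"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, rule=POLICY_RULE, params=PARAMETERS):
    """Return the effect ('deny') when the rule fires, None when compliant."""
    return rule["then"]["effect"] if condition_true(rule["if"], resource, params) else None

def failing_checks(resource, rule=POLICY_RULE, params=PARAMETERS):
    """List the 'field' of every failing anyOf branch; empty if the rule does not apply."""
    type_check, checks = rule["if"]["allOf"]
    if not condition_true(type_check, resource, params):
        return []
    return [c["field"] for c in checks["anyOf"] if condition_true(c, resource, params)]

# Constructed sample request bodies: one compliant VM, one breaking most checks.
GOOD_VM = {"type": "Microsoft.Compute/virtualMachines", "name": "az-fin-vm01",
           "location": "UKSouth", "tags": {"Department": "Finance", "CreatedBy": "j.smith"},
           "properties": {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}}}
BAD_VM = {"type": "Microsoft.Compute/virtualMachines", "name": "finance-server-01",
          "location": "westus", "tags": {"Department": "Finance"},
          "properties": {"hardwareProfile": {"vmSize": "Standard_M128s"}}}

if __name__ == "__main__":
    for label, vm in (("good", GOOD_VM), ("bad", BAD_VM)):
        print(label, evaluate(vm), failing_checks(vm))
```

Running the script reports the compliant VM as None (no effect) and the second as deny, listing the name, size, location and CreatedBy checks that failed. Switching the effect to audit keeps the same conditions but only flags non-compliant resources in the compliance view instead of blocking the deployment, which is the usual first step before enforcing deny across a management group.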
Policy Hierarchy & Management Groups
Much like how a domain Group Policy can be linked to an Organisational Unit (OU) at either a high or a lower level, an Azure Policy can also be assigned at varying levels. In order to have the policy available across your entire scope of subscriptions, I recommend using Management Groups.
By default, you will already have a stock management group, known as the Tenant Root Group, to align your policies to. You should ensure that your target subscriptions exist beneath this management group. When you create a policy definition at the Tenant Root Group, it can then be assigned at any level beneath it. It is recommended that the policy assignment is made at the lowest level that covers the required scope.