Azure is a wonderful place. From virtual machines to cognitive services and beyond, it's full of great resources you can use. But when using these services, it's very easy to make mistakes or take nefarious action. It's all too simple to violate security and separation of duties, or create services that burn through cash. To help with this, Microsoft created Azure Policies.
At its most basic level, an Azure Policy is a JSON file that Azure evaluates against resource requests and existing resources. It prevents a user, or group of users, from carrying out destructive actions, and it audits existing resources to ensure they comply with company policies. A Policy can be as simple as auditing the Diagnostic logging setting on a resource, or as complex as deploying a Network Security Group to a Virtual Machine NIC (if it detects an attached public IP address). A group of Policies is an Initiative. For example, you can create an Initiative, with multiple Policies, to see if your Azure environment complies with PCI DSS.
Construction of a Policy
An Azure Policy can do a lot of things. However, at its heart are five basic elements:
- Display name
- Description
- Mode
- Parameters
- A Policy rule
The display name and description are straightforward, with the name being a required field.
Mode is a little more complex and can only be "All" or "Indexed". 99% of the time it will be "All". "Indexed" is only used when creating Policies that enforce tags or locations.
Parameters enable you to create complex Policies. They can be fed values or made optional. They're also good to use if you want to implement the same Policy but on different sets of resources. Because this is a JSON file, you can use parameters the same way you would for any ARM Template.
A Policy rule contains a logical evaluation and the resulting effect. The rule itself is made up of an "if" block and a "then" block, and the "if" block can list multiple conditions, combined with one of the following:
- "not" - inverts the selection
- "allof" - similar to a logical AND operation
- "anyof" - similar to a logical OR operation
How To Create a Policy
Recently, I had the opportunity to demonstrate how to block the creation of IP addresses. It's a simple example of the power of Azure Policy.
We first create a Policy definition. The definition location is either a subscription, management group, or resource group you are planning to add the Policy to.
The core of the actual Policy is the rule section. This is where you specify the criteria of the Policy. Here we are specifying "allof", matching any action on Microsoft.Network/publicIPAddresses, and then the effect of "deny". All public IP Addresses are contained in Microsoft.Network/publicIPAddresses. Therefore, denying any actions on this type blocks additions, deletions, and modifications to any of your public IP Addresses. So, it's a good idea to exclude a resource group, subscription, or management group. Then someone can still carry out these actions if needed.
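The full definition described above, written out as a JSON file with all five elements (display name, description, mode, parameters, and rule). This is an added example, not the author's exact file; the parameterized effect (with "Deny" as the default) is an assumption added so the same definition can be assigned in audit-only mode first, and the metadata block simply documents that:

```json
{
  "properties": {
    "displayName": "Block Public IP Addresses",
    "description": "Denies any create or update of a public IP address resource within the assigned scope. Constructed example; the effect parameter is an assumption, not part of the original walkthrough.",
    "mode": "All",
    "metadata": {
      "category": "Network",
      "note": "Assign with effect=Audit first to see what would be blocked, then switch to Deny."
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Deny rejects the request; Audit only records the resource as non-compliant."
        },
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/publicIPAddresses"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Because the condition matches on the resource type alone, it also catches a VM deployment that creates a public IP as a nested resource, which is why an exclusion scope for the network team is worth adding at assignment time.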
Once you have entered all the information into this one page and clicked Save, the Policy is ready to go. As you can see, the hardest part is ensuring the JSON code is correct, so it helps that there is a GitHub repository of examples you can use as the basis for your own Policy.
Simply creating a Policy does not enable it. But creating many Policies can be very confusing. To help with organization, you can use an Initiative, which groups Policies together. Creating an Initiative is easy. It only needs a name, location, and the addition of at least one Policy (such as the Block Public IP Addresses Policy).
The process of assigning a Policy or Initiative is the same. Under the Authoring section, select to assign a Policy or Initiative. You will need to add a scope, which will define what's affected by the Policy or Initiative. It can be a subscription, management group, or resource group. Then you need to add a Policy or Initiative and give the assignment a name.
Once you click Assign, the Policy will start to take effect.
From now on, if anyone attempts to create a VM with a public IP address, or directly attempts to create or modify a public IP address, the request is rejected with an error. The public IP address will not be created.
The error names Block Networking Items, the Initiative that contains the Block Public IP Addresses Policy, confirming that it is what prevented the creation of the resource.
You can use Policies like this one to deny a resource whose settings are incorrect, or to deny the creation of a resource type altogether. You can also use Policies to audit resources to ensure they are created correctly.
Controlling Your Azure Environment
A large manufacturing company had outsourced developers creating publicly accessible storage accounts. This violated their security controls. By using Azure Policies, we prevented the developers from creating any storage accounts with public access. Instead, all storage accounts had to be connected to a Virtual Network, making them a lot more secure. This made the security team happy, as the control was automatic and could be audited using a separate Policy. It also made the development team happy, as they could still create storage accounts.
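A Policy in the spirit of that engagement, as an added example modelled on the scenario rather than the customer's actual definition. It flags or denies a storage account whose firewall default action is not "Deny" (so it is reachable from outside the Virtual Network rules) or which still allows anonymous blob access; the "effect" parameter is an assumption so one definition serves both the deny assignment and the audit assignment the text mentions:

```json
{
  "properties": {
    "displayName": "Storage accounts must restrict network access",
    "description": "Storage accounts must set networkAcls.defaultAction to Deny (allowing only configured Virtual Network and IP rules) and must disable anonymous blob access. Constructed example; not the customer's policy.",
    "mode": "All",
    "metadata": {
      "category": "Storage",
      "note": "Assign once with effect=Deny for developers' subscriptions and once with effect=Audit for reporting."
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit records non-compliance; Deny rejects the create or update; Disabled turns the Policy off."
        },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                "notEquals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The "anyOf" nested inside "allOf" is the pattern from the Construction section: the outer block narrows the match to one resource type, and the inner block lists the individual misconfigurations, any one of which is enough to trigger the effect.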
Using Azure Policy is a simple way to control or monitor what is happening in your Azure environment. It's very powerful and an important service to set up prior to significant Azure use. It's the best way to avoid costly mistakes and risks.