Learn Azure Administration - Second Edition


Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781837636112
Pages: 346
Edition: 2nd Edition
Author: Kamil Mrzygłód

Table of Contents (23) Chapters

Preface
1. Part 1: Introduction to Azure for Azure Administrators
2. Chapter 1: Azure Fundamentals
3. Chapter 2: Basics of Infrastructure as Code
4. Part 2: Networking for Azure Administrator
5. Chapter 3: Understanding Azure Virtual Networks
6. Chapter 4: Exploring Azure Load Balancer
7. Part 3: Administration of Azure Virtual Machines
8. Chapter 5: Provisioning Azure Virtual Machines
9. Chapter 6: Configuring Virtual Machine Extensions
10. Chapter 7: Configuring Backups
11. Chapter 8: Configuring and Managing Disks
12. Part 4: Azure Storage for Administrators
13. Chapter 9: Configuring Blob Storage
14. Chapter 10: Azure Files and Azure File Sync
15. Chapter 11: Azure Storage Security and Additional Tooling
16. Part 5: Governance and Monitoring
17. Chapter 12: Using Azure Policy
18. Chapter 13: Azure Monitor and Alerts
19. Chapter 14: Azure Log Analytics
20. Chapter 15: Exploring Network Watcher
21. Index
22. Other Books You May Enjoy

Using Azure Policy

In the previous chapters, we talked about various Azure services, their capabilities, automation options, and both basic and advanced configuration. We covered a variety of different resources – starting with Azure Virtual Machines and Virtual Network to Azure Load Balancer and Azure Disks before reaching Azure Storage, File Service, and Blob Storage. With this chapter, we’ll be starting the last part of this book, Governance and Monitoring, which will be related in many ways to the topics we covered previously.

Our journey regarding governance and monitoring will begin with Azure Policy – a native feature of Azure that allows you to describe policies and rules guarding the proper configuration of your cloud resources. In this chapter, we’ll cover the following topics:

  • The basics of Azure Policy
  • Deploying policies
  • Creating custom policies
  • The difference between policies and initiatives
  • Discussing various policies...

Technical requirements

For the exercises in this chapter, you’ll need the following:

The Code in Action video for this book can be viewed at: https://packt.link/GTX9F

The basics of Azure Policy

In this section, we’ll describe how Azure Policy works. We’ll focus on how it’s implemented and linked with Azure Resource Manager, what we can configure, and how to ensure that the implemented rules are applied correctly. Let’s start by discussing how Azure Policy relates to properties exposed by resources via Azure Resource Manager.

Azure Resource Manager and Azure Policy

As mentioned in Chapter 2, Basics of Infrastructure-as-Code, each resource in Azure is described by a set of fields, which are individual for each type of service. For example, let’s compare the configuration of a resource group with a storage account. In the following code snippet, we have a description of a resource group:

{
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2022-09-01",
      ...

Deploying policies

In Azure, when you want to control how deployed resources are configured and managed, you have one option if you want to do that natively – you need to query the Azure Resource Manager API to fetch information about instances of services you’re interested in. In smaller environments, this will suffice; however, if you’re managing hundreds or thousands of different resources, executing tens of queries every day will become cumbersome and difficult. This is why Azure offers Azure Policy – a native way to audit and remediate resources that are not compliant with a set of rules established by you or your organization.

Let’s see an example of deploying a policy using the Azure CLI.

Deploying a policy using the Azure CLI

It’s possible to deploy a policy using a variety of different methods (the Azure portal, ARM templates, SDKs, and so on), but for this chapter, we’ll use the Azure CLI since it’s the most...

Creating custom policies

Even though you have access to many interesting inbuilt policies in Azure, sometimes, you need to write your very own to cover customized scenarios from your organization. Fortunately, Azure offers a simple way to author a custom policy using a predefined syntax. In this section, we’ll focus on writing a basic policy to cover our needs.

Understanding the syntax

Azure Policy has a pretty simple syntax and is similar to that for ARM templates, which we discussed previously. Here’s a code snippet that contains boilerplate code:

{
    "properties": {
        "displayName": "<displayName>",
        "description": "<description>",
        "mode": "<mode>",
        "parameters...

Simplifying the deployment of policies using initiatives

In more advanced scenarios where you consider governance and compliance regarding cloud environments, you’ll have to deploy tens of different policies. Some of these will be required by your organization; others may be enforced by external auditors. The problem with such a setup is that it requires lots of manual work or a complex automation system that can deploy those policies in the correct order and at an acceptable time. To overcome that challenge, Azure offers the concept of an initiative: several policies grouped as a single unit of deployment. In this section, we’ll talk about the pros and cons of this solution.

The idea behind initiatives

Let’s consider the following scenario – you have a bunch of policies that relate to Azure Storage. Some of them enforce certain configurations (HTTPS, disable access keys, enforce network rules, and so on), and some are used for auditing. You...

Reviewing example policies

To better understand Azure Policy and its features, let’s discuss some examples of policies that are already available to us. This will help you build your own policies if needed and organize your findings from this chapter.
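
To make the `if`/`then` structure of a policy rule concrete when building your own policies, the following added example (not code from the book) evaluates a constructed custom rule offline against sample resources in ARM shape. The rule, the sample resources, and the simplified alias lookup in `resolve_field` are assumptions of this example; only `allOf`, `anyOf`, `not` and `equals` are handled.

```python
import json

# Constructed custom rule (assumption): deny storage accounts without HTTPS-only traffic.
POLICY_RULE = json.loads("""{
  "if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"not": {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "equals": true}}
  ]},
  "then": {"effect": "deny"}
}""")

def resolve_field(resource, field):
    """Simplified alias lookup: '<type>/<path>' reads properties.<path>."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    prefix = resource.get("type", "").lower() + "/"
    if not field.lower().startswith(prefix):
        return None  # alias belongs to another resource type
    value = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value  # None when the property is not set on the resource

def matches(cond, resource):
    """Evaluate logical operators and the 'equals' condition of an 'if' block."""
    for key, combine in (("allOf", all), ("anyOf", any)):
        if key in cond:
            return combine(matches(c, resource) for c in cond[key])
    if "not" in cond:
        return not matches(cond["not"], resource)
    if "equals" not in cond:
        raise ValueError(f"unsupported condition: {cond}")
    actual, expected = resolve_field(resource, cond["field"]), cond["equals"]
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()  # strings compared case-insensitively here
    return actual == expected

def evaluate(rule, resource):  # the effect if the 'if' block matches, else None
    return rule["then"]["effect"] if matches(rule["if"], resource) else None

# Constructed sample resources in ARM shape.
STORAGE = "Microsoft.Storage/storageAccounts"
SAMPLES = {
    "https-only": {"type": STORAGE, "properties": {"supportsHttpsTrafficOnly": True}},
    "unset": {"type": STORAGE, "properties": {}},
    "resource-group": {"type": "Microsoft.Resources/resourceGroups"},
}
print({name: evaluate(POLICY_RULE, res) for name, res in SAMPLES.items()})
```

In this evaluator a storage account that omits the property is treated the same as one that sets it to `false`, so the rule fails closed for that case.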

Policy – secrets should not be active for longer than the specified number of days

This policy is related to Azure Key Vault and is meant to be used as a security mechanism to avoid storing secrets that may be valid longer than necessary. It defines the following rule:

"policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets...

Summary

In this chapter, we started talking about governance and compliance in Azure. We discovered Azure Policy – a service that’s meant to simplify the management of Azure resources by providing functionality to audit, modify, or deny deployments that do not follow defined rules. We also saw that, besides having a rich catalog of inbuilt policies, Azure offers a way to deploy a custom policy. We talked about the differences between initiatives and policies as well and looked at some examples of policies to better understand their syntax and capabilities.

Becoming fluent with Azure Policy is the key to becoming a better Azure administrator. In practically all cases, when you’re tasked with managing an Azure environment, you’ll need to use Azure Policy to help you keep cloud resources in line, ensure the compliance of deployed services, and enforce internal rules of your organization without lots of effort.

In the next chapter, we’ll talk about...
