Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management

#Microsoft Azure Policy and BluePrints Overview #Azure #Cloud #Architecture #AzureBlueprints

Leave a comment


Microsoft Azure Policy

Why is Azure Policy and Blueprints important ?

When you made your Enterprise Architecture Design like my last blogpost :

Microsoft Azure Hub-Spoke model by Enterprise Design Part 1 of 4

You want to keep in control of your Business policy’s and keep your Azure Virtual Datacenter consistent as by design.

Azure Policy is a service in Azure that you use to create, assign and, manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by running evaluations of your resources and scanning for those not compliant with the policies you have created. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy has been implemented, it will then be evaluated when creating and updating resources, as well as over your already existing resources.

In Azure Policy, we offer some built-in policies that are available to you by default. For example:

  • Require SQL Server 12.0: This policy definition has conditions/rules to ensure that all SQL servers use version 12.0. Its effect is to deny all servers that do not meet these criteria.
  • Allowed Storage Account SKUs: This policy definition has a set of conditions/rules that determine if a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.
  • Allowed Resource Type: This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of this defined list.
  • Allowed Locations: This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geo-compliance requirements.
  • Allowed Virtual Machine SKUs: This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.
  • Apply tag and its default value: This policy applies a required tag and its default value, if it is not specified by the user.
  • Enforce tag and its value: This policy enforces a required tag and its value to a resource.
  • Not allowed resource types: This policy enables you to specify the resource types that your organization cannot deploy.

Azure Policy Definitions

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources. For example, you can specify that only certain types of virtual machines are allowed. Or, you can require that all resources have a particular tag. Policies are inherited by all child resources. So, if a policy is applied to a resource group, it is applicable to all the resources in that resource group

Assign Azure Policy Definition.

Scope the Policy

Managed Identities in Azure Policy

A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren’t checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them.
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions. There’s no additional cost.

There are two types of managed identities:
A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it’s assigned.

Read here more about Azure Managed Identities

Here you find Azure Policy Samples:

Microsoft Azure Policy Samples are here

Microsoft Azure Policy Blueprints

Just as a blueprint allows an engineer or an architect to sketch a project’s design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they’re building within organizational compliance with a set of built-in components — such as networking — to speed up development and delivery.

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

  • Role Assignments
  • Policy Assignments
  • Azure Resource Manager templates
  • Resource Groups

How it’s different from Azure Policy?

  • A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance.
  • A policy is a default allow and explicit deny system focused on resource properties during deployment and for already existing resources. It supports cloud governance by validating that resources within a subscription adhere to requirements and standards.

Including a policy in a blueprint enables the creation of the right pattern or design during assignment of the blueprint. The policy inclusion makes sure that

  • only approved or expected changes can be made to the environment to protect ongoing compliance to the intent of the blueprint.

A policy can be included as one of many artifacts in a blueprints definition. Blueprints also support using parameters with policies and initiatives.

This video by Microsoft Sr. Program Manager Jim Britt  walks you through the process of exporting an existing Azure ARM Blueprint from a management group in your environment, and then importing that Blueprint into a new Management Group with a new Blueprint name as the target.

More information on the Script Manage-AzureRMBlueprint can be found here

More information about Microsoft Azure Policy BluePrints can be found here on Docs

Follow @satya_vel

 

Conclusion

Microsoft Azure Policy and Blueprints helps you to stay complaint to your Enterprise Architecture Design.

Author: James van den Berg

I'm Microsoft Architect and ICT Specialist and Microsoft MVP Cloud and Datacenter Management

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.