Let's assign an Azure Policy and understand it

Azure Policy, as the name suggests, is exactly that: a policy engine that gives us the power to achieve governance over an Azure environment.


Let's understand it with an example. Suppose you want to ensure that users cannot create a particular VM SKU in your subscription, or that all VMs in a particular resource group must use a defined VM SKU. Both can be achieved easily by assigning an Azure Policy. VMs that already exist show up in the compliance report as either compliant or non-compliant, and users are prevented from creating new VMs that violate the policy.


Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance.


Let's create a policy, assign it to a scope, and discuss each step as we go. First, look at the picture below to get a feel for the Azure Policy pane; we will discuss all the highlighted points and more.




Let's start with Step 1: navigate to the search bar and look for Policy, as shown below.





Once you are in the Policy pane, click on Assignments. An assignment is a policy that has been assigned to a specific scope. Now click Assign Policy at the top of the Policy - Assignments page.




Once you click Assign Policy, the window below appears. You need to understand all the highlighted points, so let's discuss them one by one.



- Scope : This decides the range of effect, i.e. on which resources the policy is enforced. You can select your scope from the ellipsis button.

- Exclusion : is simply everything you want to exclude from the effect of the policy.

- Policy definition : the ellipsis opens the list of built-in definitions whose conditions you can use in your policy. As you can see above, Allowed VM SKUs is the one we will select for this post.

- Assignment name : is just the name you give to your assignment or policy.

- Managed Identity : this option is needed only when you apply the deployIfNotExists effect; otherwise leave it blank.


Fill in all the information as per your requirements and assign the policy, just as we did for Allowed VM SKUs on everything except a few exclusions. Now let's check the compliance status by clicking Compliance in the left pane. As shown in the snippet below, our policy is fully compliant, but there is one policy (not defined by me) that is non-compliant; you can open it to check which resources are non-compliant and remediate them as well.




If you no longer need the assignment, you can delete it from there as shown below.




We have discussed the built-in policies, but you can also add custom policies. Below is the structure of a policy definition; you can also import definitions from GitHub.



Now, as you have seen, we have applied the policy so that only particular VM SKUs are allowed. Let's try to change the size of a VM to one that is not allowed. Guess what: we get the error shown below.




Let's look at a few recommendations for managing policies:

  • Start with an Audit effect instead of a Deny effect to track the impact of your policy definition on the resources in your environment, because a Deny could break auto-scaling, other automation already in place, or an adjustment that has to be made in a critical situation.

  • Consider organizational hierarchies when creating definitions and assignments.

  • Once you've created an initiative assignment, policy definitions added to the initiative also become part of that initiative's assignments.

  • When an initiative assignment is evaluated, all policies within the initiative are also evaluated. If you need to evaluate a policy individually, it's better not to include it in an initiative.
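To make the policy structure, the scope/exclusion logic and the Audit-versus-Deny recommendation concrete, here is an added example that is not part of the original post. It embeds a constructed policy definition shaped like the Allowed VM SKUs rule (the effect is a parameter, so the same definition can be assigned as Audit first and as Deny later) and a minimal evaluator for the handful of rule operators it uses. The evaluator, the flattened resource format (alias name to value) and all resource ids are assumptions for illustration, not Azure's own engine.

```python
import json

# Constructed example definition (not the post's or Azure's own text), shaped like
# the built-in "Allowed VM SKUs" rule: the effect is a parameter so one definition
# can be assigned as Audit first and switched to Deny later.
ALLOWED_SKU_POLICY = json.loads("""{
  "parameters": {
    "listOfAllowedSKUs": {"type": "Array"},
    "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
               "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "[parameters('effect')]"}}}""")


def _param(value, params, defs):
    """Resolve "[parameters('x')]" to the assignment value or the definition default."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        name = value[len("[parameters('"):-len("')]")]
        return params.get(name, defs.get(name, {}).get("defaultValue"))
    return value


def _match(cond, resource, params, defs):
    """Evaluate the subset of policy-rule conditions used above (allOf, not, equals, in)."""
    if "allOf" in cond:
        return all(_match(c, resource, params, defs) for c in cond["allOf"])
    if "not" in cond:
        return not _match(cond["not"], resource, params, defs)
    actual = resource.get(cond["field"])  # resource is a flat alias -> value dict (assumed)
    if "equals" in cond:
        return actual == _param(cond["equals"], params, defs)
    return actual in _param(cond["in"], params, defs)


def evaluate(assignment, resource, policy=ALLOWED_SKU_POLICY):
    """Return NotInScope / Excluded / Compliant / NonCompliant (Audit) / Denied."""
    rid = resource["id"].lower()
    if not rid.startswith(assignment["scope"].lower()):
        return "NotInScope"          # outside the assignment scope: never evaluated
    if any(rid.startswith(x.lower()) for x in assignment.get("notScopes", [])):
        return "Excluded"            # the Exclusion field of the assignment blade
    defs, params = policy["parameters"], assignment.get("parameters", {})
    if not _match(policy["policyRule"]["if"], resource, params, defs):
        return "Compliant"
    effect = _param(policy["policyRule"]["then"]["effect"], params, defs)
    return "Denied" if effect == "Deny" else "NonCompliant (Audit)"
```

With Audit the non-compliant VM only shows up in the compliance report; with Deny the same request would be rejected, which is why the recommendation above is to start with Audit.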



Policy initiatives : instead of assigning 10 policies to each resource group, you can group those policies into an initiative (also known as a policy set) and assign the newly created initiative to your resource groups.


Reference link -

